Siblings arrested in Italy's worst cyberespionage operation ever

Brother-and-sister team allegedly attacked at least 18,000 high-profile government and corporate PCs, using the Pyramid Eye malware and an international network of servers

The Tuesday arrest of Giulio Occhionero and his sister, Francesca Maria, has brought to light what appears to be the biggest, and highest-profile, hacking of institutional and corporate accounts ever reported in Italy.

According to the arrest order, the siblings spent years planting the Pyramid Eye remote access Trojan on victims' computers by means of spear-phishing emails.

They attacked no fewer than 18,000 high-profile targets including former Prime Ministers Matteo Renzi and Mario Monti, President of European Central Bank Mario Draghi, as well as employees and heads of various ministries including Internal Affairs, Treasury, Finance, and Education.

Also attacked were members of the Parliament and the Bank of Italy, Vatican Cardinal Gianfranco Ravasi and several members of the Freemasons, an organization in which Giulio Occhionero served as grand master of a Roman chapter. At least 1,700 of the attacks appear to have been successful.

Police investigations netted email passwords, 1,137 credentials for compromised PCs and a trove of 87GB of data spread across a network of several command-and-control and backup servers and computers in Italy and the U.S.

The Italian Postal Police obtained assistance from the FBI in seizing and monitoring the U.S. portion of the server infrastructure. Giulio Occhionero has a master's degree in nuclear engineering, is a founder of the Malta-based quantitative financial analysis firm Westlands Securities, and is also a software developer with several certifications. He allegedly modified and developed new features for the Pyramid Eye malware and maintained the network of servers and mailboxes used to collect exfiltrated data.

An ongoing analysis of the Pyramid Eye malware, connected domain names, IP addresses, and mailboxes used in the scheme has been published, in English, by Trend Micro Senior Threat Researcher Federico Maggi. A company blog post has details on the malware's code.

Elements in the code, such as the MailBee.NET.dll library license key that Occhionero acquired in his own name from the U.S.-based software developer Afterlogic, as well as C&C server IP addresses shared by websites publicly connected to him, allowed Italian police to identify and put him under close surveillance last August.

During the surveillance, Occhionero was probably informed about the ongoing investigation and started deleting data on his servers. The activity, however, was closely observed by police, probably using a state-controlled Trojan: the arrest order lists screenshots and WhatsApp chats as sources, and this type of evidence cannot be obtained with simple communications eavesdropping, noted computer forensics expert Matteo Flora in a vlog.

The combination of an industrial-scale surveillance network operating across international borders for years with amateurish blunders -- such as using a DLL licensed in his own name to build malware, and sharing IP addresses between legitimate and criminal activities -- is one of the most puzzling aspects of the case. Other questions have arisen as well: how could the two suspects, with possibly limited hacking skills, carry out a massive espionage operation against high-profile government targets without being detected for at least four years?

The real purpose of the criminal activity, and any accomplices or mastermind behind it, are still unknown. Judge Maria Paola Tommaselli, who charged the two siblings with felonies such as abusive intrusion into computer systems, abusive eavesdropping, and procurement of information regarding national security, has implied that other people may be involved.

Four of the email addresses used for data exfiltration were linked to a 2011 criminal case in which a covert and potentially subversive organization was compiling dossiers on politicians and managers. Giulio and Francesca Maria Occhionero are also board members of a construction company linked to an investigation of organized crime activities in Rome.

Judging by the targets, mostly in financial and Freemason circles, the two probably wanted to use the stolen information to gain an insider advantage for Westlands Securities' business and to raise Giulio Occhionero's profile among the Freemasons. The Occhioneros' lawyers denied any wrongdoing, asserting that the server network was used only for business purposes.

Andrea Grassi is the editor of Computerworld Italy. You can follow him on Twitter (@andreagrassi) or connect via LinkedIn.

By Andrea Grassi

IDG News Service