Brother and sister arrested in the worst cyber espionage operation ever in Italy

Siblings arrested for spying on 1,700 high-profile government and corporate PCs in Italy, using the Eye Pyramid malware and an international network of servers


Milan (Italy) – Giulio Occhionero and his sister Francesca Maria were arrested on Tuesday in what appears to be the widest and highest-profile hacking of institutional and corporate accounts ever reported in Italy.

According to the arrest order (PDF, Italian), the siblings had been planting the Eye Pyramid remote access trojan through spear-phishing for years, attacking no fewer than 18,000 high-profile targets, including former Prime Ministers Matteo Renzi and Mario Monti, President of the European Central Bank Mario Draghi, secretaries and personnel in Internal Affairs, Finance, Economy and Education, members of Parliament, the Bank of Italy, Vatican Cardinal Gianfranco Ravasi and several members of the Freemasonry (an organization in which Giulio Occhionero was a “Venerable Master” in a Roman chapter of the Grande Oriente d’Italia lodge).

At least 1,700 of the attacks appear to have been successful. That is the number of email passwords seized during police investigations, along with 1,137 credentials for compromised PCs and a trove of 87 GB of data spread across a network of several Command & Control and backup servers and computers in Italy and the US. The Italian Polizia Postale obtained assistance from the FBI in seizing and monitoring the US portion of the server infrastructure.

The Occhionero siblings
Giulio and Francesca Maria Occhionero were arrested on Monday in Rome.

Giulio Occhionero (LinkedIn profile), who holds a master's degree in nuclear engineering, is the founder of the Malta-based quantitative financial analysis firm Westlands Securities and a software developer with several certifications. He allegedly modified and developed new features for the Eye Pyramid malware himself and, along with his sister, maintained the network of servers and mailboxes used to collect exfiltrated data.

An ongoing analysis of the Eye Pyramid malware and of the connected domain names, IP addresses and mailboxes used in the scheme has been published, in English, by Trend Micro Senior Threat Researcher Federico Maggi (a company blog post has details on the malware’s code).

Elements in the code allowed Italian police to identify the suspect: the license key found in the MailBee.NET.dll library, which Occhionero acquired in his own name from the US-based software developer Afterlogic, and the IP addresses of the C&C servers, which were shared with other personal and business websites publicly connected with Giulio Occhionero. Police put him under close surveillance last August, when a relevant role of his sister Francesca Maria emerged.

During the surveillance Giulio Occhionero was probably informed about the ongoing investigation and started deleting data on his servers, but this activity was closely observed by police, probably also using a state-controlled trojan (the arrest order lists screenshots and WhatsApp chats as sources of evidence, and such specimens cannot be obtained by simply eavesdropping on communications).

The combination of an industrial-scale surveillance network that operated across countries for years with naïve errors, like using a personally licensed DLL to develop malware or using shared IPs for both legitimate and criminal activities, is one of the most puzzling aspects of the case, but other questions are arising as well.

How could the two, with limited hacking skills, carry on a massive espionage operation against high-profile government targets while remaining undetected for at least four years?

The real purpose of the criminal activity, and any potential accomplices or mastermind behind it, are still unknown. Judge Maria Paola Tommaselli, who charged the two siblings with felonies such as abusive intrusion in computer systems, abusive eavesdropping and procurement of information regarding national security, is implying other people may be involved. Four of the email addresses used for data exfiltration were linked to a criminal case in 2011, in which a covert and potentially subversive organization was creating dossiers on politicians and managers. Giulio and Francesca Maria Occhionero are also board members of a construction company linked to an investigation on organized crime activities in Rome.

Judging by the targets, mostly in financial and Masonic circles, the two probably wanted to use the obtained information to gain insider information for the financial business Westlands Securities and to raise Giulio Occhionero's rank in the Freemasonry organization.

Giulio and Francesca Maria Occhionero's lawyers denied any wrongdoing, asserting that the server network was only used for business purposes.