Italian Brother & Sister Cyber Spies Arrested

Uploaded on 2017-02-18 in NEWS-Cybersecurity News, INTELLIGENCE--Europe, FREE TO VIEW

Two Italian siblings have been arrested and stand accused of having spied on Italian politicians, state institutions and law enforcement agencies, businesses and business people, law firms, leaders of Italian masonic lodges, and Vatican officials for years.

45-year-old Giulio Occhionero and 49-year-old Francesca Maria Occhionero, both from Rome, but currently residing in London, have allegedly used specially crafted malware (dubbed “EyePyramid”) to compromise the targets’ computers and exfiltrate all kinds of documents, as well as log keystrokes and steal login credentials for sensitive accounts.

According to court documents the investigation began a few months after a security professional employed by ENAV, an Italian company responsible for the provision of air traffic services (ATS) and other air navigation services in Italy, flagged and reported a malicious attachment he received via email.

The spear-phishing email was purportedly sent by an Italian attorney, but the infosec pro became suspicious and sent the attachment to security company Mentat Solutions for analysis. The attachment was found to contain the EyePyramid malware.

After the authorities got involved, the investigation revealed that the email was, indeed, sent from the attorney’s email account, but that it was sent by someone who had compromised the account and accessed it via TOR.

Researchers at Mentat discovered the malware’s server, and email addresses to which the malware would send some of the stolen information. This allowed them to identify a domain that was registered, among others, by Giulio Occhionero or enterprises tied to him and his sister.

Interestingly enough, Mentat researchers have analysed the EyePyramid malware even before this investigation, and found inside it a MailBee library, a license for which had been acquired by Giulio Occhionero. The same library could be found in EyePyramid versions from 2010 to, late 2015, when Mentat researchers asked the company that issued it to share the identity of the buyer. They apparently did not, but notified him of the request. From then on, the malware used another license.

Italian law enforcement asked the FBI for help to seize the C&C servers (as they were located in the US), to uncover who owned the domain (the information was unavailable online) and the servers, and to get the name of the person who bought the MailBee library license. It was Giulio Occhionero.

All this information allowed them to get permission to tap Giulio’s phone, and confirm that he administered the servers in question.

The prosecution alleges that he was developing the malware for many years, and mounted many cyber espionage campaigns. Some of those had been flagged, but the attacker was never identified.

It’s still unknown how the siblings used the stolen information, whether to blackmail the victims or simply to gain an unfair advantage that could ultimately lead to considerable financial profits. Both deny being involved in this cyber espionage scheme.

Among the spied-on individuals are former Italian prime minister Matteo Renzi, President of the European Central Bank Mario Draghi, and various Italian senators. Giulio Occhionero is a member of an Italian masonic lodge, and he allegedly also used the malware to spy on his fellow members and members of other masonic lodges in Italy.

HelpNet Security

Rome: Cyber Spying Rings Security Bells:

 

« Auditors Need To Know About Cyber Security
Udacity Offer Deep IT Learning Programs & Nano-Degrees »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Law Enforcement Cyber Center (LECC)

Law Enforcement Cyber Center (LECC)

LECC is designed to assist police, digital forensic investigators, detectives, and prosecutors who are investigating and preventing crimes that involve technology.

Commissum

Commissum

Commissum specialise in information assurance and security testing services.

PakCERT

PakCERT

PakCERT is the national Computer Emergency Response Team for Pakistan.

Comiq

Comiq

Comiq provide software quality assurance, testing and project management services. Areas of expertise include cybersecurity.

Advisen

Advisen

Advisen is the leading provider of data, media, and technology solutions for the commercial property and casualty insurance market including cyber risk.

Privitar

Privitar

Privitar is leading the development and adoption of privacy engineering technology enabling our customers to innovate and leverage data with an uncompromising approach to data privacy.

Axiad IDS

Axiad IDS

Axiad IDS is a Trusted Identity solutions provider for enterprise, government and financial organizations.

Living Security

Living Security

Living Security specializes in metric driven and engaging security awareness solutions that reduce risk by increasing security culture and changing employee behaviour.

Hornetsecurity

Hornetsecurity

Meet Hornetsecurity – Leading Cloud Email Security Provider. We protect global organizations so you can focus on what you do best.

Crashtest Security

Crashtest Security

Crashtest Security is a cyber security company that helps digital companies to continuously create secure software with the help of automated vulnerability assessments.

US Cyber Range

US Cyber Range

US Cyber Range is a scalable, cloud-hosted infrastructure providing students with virtual environments for realistic, hands-on cybersecurity labs and exercises.

Casque SNR

Casque SNR

CASQUE SNR is the next generation of Identity Assurance that has potential to supersede existing solutions. It provides Identity Assurance for both people and things.

xorlab

xorlab

xorlab is a Swiss cybersecurity company providing specialized, machine-intelligent defense against highly engineered, sophisticated and targeted email attacks.

BAE Systems

BAE Systems

BAE Systems develop, engineer, manufacture, and support products and systems to deliver military capability, protect national security, and keep critical information and infrastructure secure.

NextGen Cyber Talent

NextGen Cyber Talent

NextGen Cyber Talent is a non-profit providing a platform to increase diversity and inclusion in the cybersecurity industry.

Cysmo Cyber Risk

Cysmo Cyber Risk

Cysmo is an innovative cyber risk assessment platform specifically designed for the needs of the German insurance industry.