Italian Brother & Sister Cyber Spies Arrested

Two Italian siblings have been arrested and stand accused of having spied on Italian politicians, state institutions and law enforcement agencies, businesses and business people, law firms, leaders of Italian masonic lodges, and Vatican officials for years.

45-year-old Giulio Occhionero and 49-year-old Francesca Maria Occhionero, both from Rome, but currently residing in London, have allegedly used specially crafted malware (dubbed “EyePyramid”) to compromise the targets’ computers and exfiltrate all kinds of documents, as well as log keystrokes and steal login credentials for sensitive accounts.

According to court documents, the investigation began a few months after a security professional employed by ENAV, the Italian company responsible for providing air traffic services (ATS) and other air navigation services in Italy, flagged and reported a malicious attachment he had received via email.

The spear-phishing email was purportedly sent by an Italian attorney, but the infosec pro became suspicious and sent the attachment to security company Mentat Solutions for analysis. The attachment was found to contain the EyePyramid malware.

After the authorities got involved, the investigation revealed that the email had indeed been sent from the attorney’s email account, but by someone who had compromised the account and accessed it via Tor.

Researchers at Mentat discovered the malware’s server, and email addresses to which the malware would send some of the stolen information. This allowed them to identify a domain that was registered, among others, by Giulio Occhionero or enterprises tied to him and his sister.

Interestingly enough, Mentat researchers had analysed the EyePyramid malware even before this investigation and found that it embedded a MailBee library, the license for which had been acquired by Giulio Occhionero. The same library could be found in EyePyramid versions from 2010 until late 2015, when Mentat researchers asked the company that issued the license to share the identity of the buyer. The company apparently did not, but notified him of the request. From then on, the malware used another license.

Italian law enforcement asked the FBI for help to seize the C&C servers (as they were located in the US), to uncover who owned the domain (the information was unavailable online) and the servers, and to get the name of the person who bought the MailBee library license. It was Giulio Occhionero.

All this information allowed them to obtain permission to tap Giulio’s phone and to confirm that he administered the servers in question.

The prosecution alleges that he had been developing the malware for many years and had mounted many cyber espionage campaigns. Some of those had been flagged at the time, but the attacker was never identified.

It’s still unknown how the siblings used the stolen information, whether to blackmail the victims or simply to gain an unfair advantage that could ultimately lead to considerable financial profits. Both deny being involved in this cyber espionage scheme.

Among the spied-on individuals are former Italian prime minister Matteo Renzi, President of the European Central Bank Mario Draghi, and various Italian senators. Giulio Occhionero is a member of an Italian masonic lodge, and he allegedly also used the malware to spy on his fellow members and members of other masonic lodges in Italy.

HelpNet Security

