Italian Brother & Sister Cyber Spies Arrested

Uploaded on 2017-02-18 in NEWS-Cybersecurity News, INTELLIGENCE--Europe, FREE TO VIEW

Two Italian siblings have been arrested and stand accused of having spied on Italian politicians, state institutions and law enforcement agencies, businesses and business people, law firms, leaders of Italian masonic lodges, and Vatican officials for years.

45-year-old Giulio Occhionero and 49-year-old Francesca Maria Occhionero, both from Rome, but currently residing in London, have allegedly used specially crafted malware (dubbed “EyePyramid”) to compromise the targets’ computers and exfiltrate all kinds of documents, as well as log keystrokes and steal login credentials for sensitive accounts.

According to court documents the investigation began a few months after a security professional employed by ENAV, an Italian company responsible for the provision of air traffic services (ATS) and other air navigation services in Italy, flagged and reported a malicious attachment he received via email.

The spear-phishing email was purportedly sent by an Italian attorney, but the infosec pro became suspicious and sent the attachment to security company Mentat Solutions for analysis. The attachment was found to contain the EyePyramid malware.

After the authorities got involved, the investigation revealed that the email was, indeed, sent from the attorney’s email account, but that it was sent by someone who had compromised the account and accessed it via TOR.

Researchers at Mentat discovered the malware’s server, and email addresses to which the malware would send some of the stolen information. This allowed them to identify a domain that was registered, among others, by Giulio Occhionero or enterprises tied to him and his sister.

Interestingly enough, Mentat researchers have analysed the EyePyramid malware even before this investigation, and found inside it a MailBee library, a license for which had been acquired by Giulio Occhionero. The same library could be found in EyePyramid versions from 2010 to, late 2015, when Mentat researchers asked the company that issued it to share the identity of the buyer. They apparently did not, but notified him of the request. From then on, the malware used another license.

Italian law enforcement asked the FBI for help to seize the C&C servers (as they were located in the US), to uncover who owned the domain (the information was unavailable online) and the servers, and to get the name of the person who bought the MailBee library license. It was Giulio Occhionero.

All this information allowed them to get permission to tap Giulio’s phone, and confirm that he administered the servers in question.

The prosecution alleges that he was developing the malware for many years, and mounted many cyber espionage campaigns. Some of those had been flagged, but the attacker was never identified.

It’s still unknown how the siblings used the stolen information, whether to blackmail the victims or simply to gain an unfair advantage that could ultimately lead to considerable financial profits. Both deny being involved in this cyber espionage scheme.

Among the spied-on individuals are former Italian prime minister Matteo Renzi, President of the European Central Bank Mario Draghi, and various Italian senators. Giulio Occhionero is a member of an Italian masonic lodge, and he allegedly also used the malware to spy on his fellow members and members of other masonic lodges in Italy.

HelpNet Security

Rome: Cyber Spying Rings Security Bells:

 

« Auditors Need To Know About Cyber Security
Udacity Offer Deep IT Learning Programs & Nano-Degrees »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

SSL247

SSL247

SSL247 is Europe's leading Web Security Consultancy Firm. We enjoy long-standing partnerships with Certificate Authorities including Symantec, GlobalSign, Entrust Datacard, Comodo, Thales and Qualys.

SC Media

SC Media

SC Media arms information security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face.

Israel National Cyber Directorate (INCD)

Israel National Cyber Directorate (INCD)

The Israel National Cyber Directorate is the national security and technological agency responsible for defending Israel’s national cyberspace and for establishing and advancing Israel’s cyber power.

Uniscon

Uniscon

Uniscon is a leading provider of cloud security solutions in Europe.

Clavister

Clavister

Clavister is a network security vendor delivering a full range of network security solutions for both physical and virtualized environments.

DXC Technology

DXC Technology

DXC Technology helps global companies run their mission critical systems and operations while modernizing IT, optimizing data architectures, and ensuring security and scalability.

Cofrac

Cofrac

Cofrac is the national accreditation body for France. The directory of members provides details of organisations offering certification services for ISO 27001.

CHT Security

CHT Security

CHT Security is a Managed Security Service Provider (MSSP) specialized in cyber security technologies enabling enterprises to defense against cyber threats to networks, gateways and endpoints.

US-Africa Cybersecurity Group (USAFCG)

US-Africa Cybersecurity Group (USAFCG)

USAFCG provides cybersecurity consulting services and delivers training programs for capacity building in Africa.

KDM Analytics

KDM Analytics

KDM Analytics software products automate the NIST risk management framework (RMF) assessment for operational technology (OT) systems.

Greenberg Traurig (GT)

Greenberg Traurig (GT)

Greenberg Traurig, LLP (GT) is a global law firm with offices in 40 locations in the United States, Latin America, Europe, Asia, and the Middle East.

Synoptek

Synoptek

Synoptek is a global systems integrator and managed IT services provider (MSP). We offer comprehensive IT management and consultancy services to organizations worldwide.

Intelequia

Intelequia

Intelequia SOC is the Security Operations Center your company needs. 24x7 monitoring, protection and automated response to cyber threats.

AFRY

AFRY

AFRY is a world leading engineering company, trusted as a supplier of services and solutions within the industry, energy, and infrastructure sectors as well as for authorities.

Glasstrail

Glasstrail

Glasstrail are single-minded about helping organisations gather intelligence and manage vulnerabilities in their attack surface before adversaries exploit them.

Certera

Certera

Certera is a modern and affordable SSL Certificate, Code Signing Certificate, and Cyber Security Services provider.