Italian Brother & Sister Cyber Spies Arrested

Uploaded on 2017-02-18 in NEWS-Cybersecurity News, INTELLIGENCE--Europe, FREE TO VIEW

Two Italian siblings have been arrested and stand accused of having spied on Italian politicians, state institutions and law enforcement agencies, businesses and business people, law firms, leaders of Italian masonic lodges, and Vatican officials for years.

45-year-old Giulio Occhionero and 49-year-old Francesca Maria Occhionero, both from Rome, but currently residing in London, have allegedly used specially crafted malware (dubbed “EyePyramid”) to compromise the targets’ computers and exfiltrate all kinds of documents, as well as log keystrokes and steal login credentials for sensitive accounts.

According to court documents the investigation began a few months after a security professional employed by ENAV, an Italian company responsible for the provision of air traffic services (ATS) and other air navigation services in Italy, flagged and reported a malicious attachment he received via email.

The spear-phishing email was purportedly sent by an Italian attorney, but the infosec pro became suspicious and sent the attachment to security company Mentat Solutions for analysis. The attachment was found to contain the EyePyramid malware.

After the authorities got involved, the investigation revealed that the email was, indeed, sent from the attorney’s email account, but that it was sent by someone who had compromised the account and accessed it via TOR.

Researchers at Mentat discovered the malware’s server, and email addresses to which the malware would send some of the stolen information. This allowed them to identify a domain that was registered, among others, by Giulio Occhionero or enterprises tied to him and his sister.

Interestingly enough, Mentat researchers have analysed the EyePyramid malware even before this investigation, and found inside it a MailBee library, a license for which had been acquired by Giulio Occhionero. The same library could be found in EyePyramid versions from 2010 to, late 2015, when Mentat researchers asked the company that issued it to share the identity of the buyer. They apparently did not, but notified him of the request. From then on, the malware used another license.

Italian law enforcement asked the FBI for help to seize the C&C servers (as they were located in the US), to uncover who owned the domain (the information was unavailable online) and the servers, and to get the name of the person who bought the MailBee library license. It was Giulio Occhionero.

All this information allowed them to get permission to tap Giulio’s phone, and confirm that he administered the servers in question.

The prosecution alleges that he was developing the malware for many years, and mounted many cyber espionage campaigns. Some of those had been flagged, but the attacker was never identified.

It’s still unknown how the siblings used the stolen information, whether to blackmail the victims or simply to gain an unfair advantage that could ultimately lead to considerable financial profits. Both deny being involved in this cyber espionage scheme.

Among the spied-on individuals are former Italian prime minister Matteo Renzi, President of the European Central Bank Mario Draghi, and various Italian senators. Giulio Occhionero is a member of an Italian masonic lodge, and he allegedly also used the malware to spy on his fellow members and members of other masonic lodges in Italy.

HelpNet Security

Rome: Cyber Spying Rings Security Bells:

 

« Auditors Need To Know About Cyber Security
Udacity Offer Deep IT Learning Programs & Nano-Degrees »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Digitronic Computersysteme

Digitronic Computersysteme

Digitronic focus on innovative software to protect your personal and sensitive corporate data.

Cyber London (CyLon)

Cyber London (CyLon)

CyLon is a leading cyber security accelerator and seed investment programme. We help entrepreneurs from across the globe to build cyber security businesses, raise investment, and develop partnerships.

Applied Security (APSEC)

Applied Security (APSEC)

APSEC provides products and services in the areas of encryption, digital signature, authentication and data loss prevention.

ngCERT

ngCERT

ngCERT is the National Computer Emergency Response Team for Nigeria.

European Society of Criminology (ESC)

European Society of Criminology (ESC)

The ESC Working Group on Cybercrime is focused on cybercrime, its causes and offenders, impact on victims, and our response to it at the individual, corporate, and governmental levels.

CyberASAP

CyberASAP

CyberASAP provides expertise, knowledge and support to convert academic ideas into commercial products in the cyber security space.

CyberWhite

CyberWhite

CyberWhite is a disruptive provider of cyber security and risk mitigation solutions.

Securosys

Securosys

Securosys is a technology company dedicated to securing data and communications. We develop, produce, and distribute hardware, software and services that protect and verify data and their transmission

Ascent Cyber

Ascent Cyber

Ascent Cyber provide simple and stress-free solutions to protect your business and its customers from the worries and costs of cybercrime.

North West Cyber Resilience Centre (NWCRC)

North West Cyber Resilience Centre (NWCRC)

The North West Cyber Resilience Centre is a trusted, not-for-profit venture between Greater Manchester Police and Manchester Digital.

Valency Networks

Valency Networks

Valency Networks provide cutting edge results in the areas of Vulnerability Assessment and Penetration Testing services for webapps, cloud apps, mobile apps and IT networks.

Aembit

Aembit

Aembit is the Identity Platform that lets DevOps and Security manage, enforce, and audit access between federated workloads

Hushmesh

Hushmesh

Hushmesh is a start-up aimed at securing the world’s digital infrastructure by developing develop the Mesh, a global information space with automated security built in.

Staley Technologies

Staley Technologies

Staley Technologies is a US nationwide structured cabling, technology integrator, and Managed IT & Cyber Security provider.

National Cybersecurity Competence Center (NC3) - Luxembourg

National Cybersecurity Competence Center (NC3) - Luxembourg

The purpose of the is to strengthen the Country's ecosystem facing cyber Luxembourg National Cybersecurity Competence Centerthreats and risks.

OmniSecuritas Technologies

OmniSecuritas Technologies

Omnisecuritas assists businesses in maintaining secure and resilient operations by providing comprehensive, affordable, turnkey cybersecurity products and services to businesses of all sizes.