Italian Brother & Sister Cyber Spies Arrested

Two Italian siblings have been arrested and stand accused of having spied on Italian politicians, state institutions and law enforcement agencies, businesses and business people, law firms, leaders of Italian masonic lodges, and Vatican officials for years.

45-year-old Giulio Occhionero and 49-year-old Francesca Maria Occhionero, both from Rome, but currently residing in London, have allegedly used specially crafted malware (dubbed “EyePyramid”) to compromise the targets’ computers and exfiltrate all kinds of documents, as well as log keystrokes and steal login credentials for sensitive accounts.

According to court documents, the investigation began a few months after a security professional employed by ENAV, an Italian company responsible for the provision of air traffic services (ATS) and other air navigation services in Italy, flagged and reported a malicious attachment he had received via email.

The spear-phishing email was purportedly sent by an Italian attorney, but the infosec pro became suspicious and sent the attachment to security company Mentat Solutions for analysis. The attachment was found to contain the EyePyramid malware.

After the authorities got involved, the investigation revealed that the email was, indeed, sent from the attorney’s email account, but that it was sent by someone who had compromised the account and accessed it via TOR.

Researchers at Mentat discovered the malware’s server and the email addresses to which the malware would send some of the stolen information. This allowed them to identify a domain that was registered, along with others, by Giulio Occhionero or by enterprises tied to him and his sister.

Interestingly enough, Mentat researchers had analysed the EyePyramid malware even before this investigation, and found inside it a MailBee library, a license for which had been acquired by Giulio Occhionero. The same library could be found in EyePyramid versions from 2010 until late 2015, when Mentat researchers asked the company that issued it to share the identity of the buyer. They apparently did not, but notified him of the request. From then on, the malware used another license.

Italian law enforcement asked the FBI for help to seize the C&C servers (as they were located in the US), to uncover who owned the domain (the information was unavailable online) and the servers, and to get the name of the person who bought the MailBee library license. It was Giulio Occhionero.

All this information allowed them to get permission to tap Giulio’s phone, and confirm that he administered the servers in question.

The prosecution alleges that he had been developing the malware for many years, and mounted many cyber espionage campaigns. Some of those had been flagged, but the attacker was never identified.

It’s still unknown how the siblings used the stolen information, whether to blackmail the victims or simply to gain an unfair advantage that could ultimately lead to considerable financial profits. Both deny being involved in this cyber espionage scheme.

Among the spied-on individuals are former Italian prime minister Matteo Renzi, President of the European Central Bank Mario Draghi, and various Italian senators. Giulio Occhionero is a member of an Italian masonic lodge, and he allegedly also used the malware to spy on his fellow members and members of other masonic lodges in Italy.

HelpNet Security

