
Siblings arrested in Italy's worst cyberespionage operation ever

By Andrea Grassi | Jan. 13, 2017
Brother-and-sister team allegedly attacked at least 18,000 high-profile government and corporate PCs, using the Pyramid Eye malware and an international network of servers

The Tuesday arrest of Giulio Occhionero and his sister, Francesca Maria, has brought to light what appears to be the biggest, and highest-profile, hacking of institutional and corporate accounts ever reported in Italy.

According to the arrest order, the siblings had been planting the Pyramid Eye remote access Trojan on victims' computers for years, delivering it through spear-phishing emails.

They attacked no fewer than 18,000 high-profile targets including former Prime Ministers Matteo Renzi and Mario Monti, President of European Central Bank Mario Draghi, as well as employees and heads of various ministries including Internal Affairs, Treasury, Finance, and Education.

Also attacked were members of Parliament and the Bank of Italy, Vatican Cardinal Gianfranco Ravasi and several members of the Freemasons, an organization in which Giulio Occhionero served as grand master of a Roman chapter. At least 1,700 of the attacks appear to have been successful.

Police investigations netted email passwords, 1,137 credentials for compromised PCs and a trove of 87GB of data spread across a network of several command-and-control and backup servers and computers in Italy and the U.S.

The Italian Postal Police obtained assistance from the FBI in seizing and monitoring the U.S. portion of the server infrastructure. Giulio Occhionero has a master's degree in nuclear engineering, is a founder of the Malta-based quantitative financial analysis firm Westlands Securities, and is also a software developer with several certifications. He allegedly modified and developed new features for the Pyramid Eye malware and maintained the network of servers and mailboxes used to collect exfiltrated data.

An ongoing analysis of the Pyramid Eye malware, connected domain names, IP addresses, and mailboxes used in the scheme has been published, in English, by Trend Micro Senior Threat Researcher Federico Maggi. A company blog post has details on the malware's code.

Elements in the code, such as the MailBee.NET.dll library license key that Occhionero acquired in his own name from the U.S.-based software developer Afterlogic, as well as C&C server IP addresses shared by websites publicly connected to him, allowed Italian police to identify and put him under close surveillance last August.

During the surveillance, Occhionero was probably tipped off about the ongoing investigation and started deleting data on his servers. That activity, however, was closely observed by police, probably by means of a state-controlled Trojan: the arrest order cites screenshots and WhatsApp chats as sources, and this type of evidence cannot be obtained through simple communications eavesdropping, noted computer forensics expert Matteo Flora in a video blog.

The combination of an industrial-scale surveillance network operating across international borders for years with amateurish blunders, such as using a personally licensed DLL to develop malware and sharing IP addresses between legitimate and criminal activities, is one of the most puzzling aspects of the case. Other questions have arisen as well: how could the two suspects, with possibly limited hacking skills, carry out a massive espionage operation against high-profile government targets without being detected for at least four years?
