The Tuesday arrest of Giulio Occhionero and his sister, Francesca Maria, has brought to light what appears to be the biggest, and highest-profile, hacking of institutional and corporate accounts ever reported in Italy.
The siblings have been planting the Pyramid Eye remote access Trojan on computers using a spear-phishing technique over the course of years, according to the arrest order.
They attacked no fewer than 18,000 high-profile targets including former Prime Ministers Matteo Renzi and Mario Monti, President of European Central Bank Mario Draghi, as well as employees and heads of various ministries including Internal Affairs, Treasury, Finance, and Education.
Also attacked were members of the Parliament and the Bank of Italy, Vatican Cardinal Gianfranco Ravasi and several members of the Freemasons, an organization where Giulio Occhionero belonged as grand master in a Roman chapter. At least 1,700 of the attacks appear to have been successful.
Police investigations netted email passwords, 1,137 credentials for compromised PCs and a trove of 87GB of data spread across a network of several command-and-control and backup servers and computers in Italy and the U.S.
The Italian Postal Police obtained assistance from the FBI in seizing and monitoring the U.S. portion of the server infrastructure. Giulio Occhionero has a master’s degree in nuclear engineering, is a founder of the Malta-based quantitative financial analysis firm Westlands Securities, and is also a software developer with several certifications. He allegedly modified and developed new features for the Pyramid Eye malware and maintained the network of servers and mailboxes used to collect exfiltrated data.
An ongoing analysis of the Pyramid Eye malware, connected domain names, IP addresses, and mailboxes used in the scheme has been published, in English, by Trend Micro Senior Threat Researcher Federico Maggi. A company blog post has details on the malware’s code.
Elements in the code, such as the MailBee.NET.dll library license key that Occhionero acquired in his own name from the U.S.-based software developer Afterlogic, as well as C&C server IP addresses shared by websites publicly connected to him, allowed Italian police to identify and put him under close surveillance last August.
During the surveillance, Occhionero was probably informed about the ongoing investigation and started deleting data on his servers. The activity, however, was closely observed by police, probably using a state-controlled Trojan: The arrest order lists screenshots and WhatsApp chats as sources, and this type of evidence cannot be obtained with simple communications eavesdropping, noted computer forensics expert Matteo Flora, in a Vlog.
The combination of an industrial-scale surveillance network operating across international borders for years, along with amateurish blunders — like the use of a personally licensed Dll to develop malware and shared IPs for both legitimate and criminal activities — is one of the most puzzling aspects of the case. Other questions have arisen as well: How could the two suspects, with possibly limited hacking skills, carry on a massive espionage operation on high-profile government targets without being detected for at least four years?
The real purpose and potential accomplices or mastermind of the criminal activity are still unknown. Judge Maria Paola Tommaselli, who charged the two siblings for felonies such as abusive intrusion in computer systems, abusive eavesdropping, and procurement of information regarding national security, is implying other people may be involved.
Four of the email addresses used for data exfiltration were linked to a criminal case in 2011, in which a covert and potentially subversive organization was creating dossiers on politicians and managers. Giulio and Francesca Maria Occhionero also are members of the board in a construction company linked to an investigation of organized crime activities in Rome.
Judging by the targets, mostly in financial and Freemason environments, the two probably wanted to use the obtained information to gain insider information for Westland Securities’ business and raise Giulio Occhionero’s profile in the Freemasons. Giulio and Francesca Maria Occhionero’s lawyers denied any wrongdoing, asserting that the server network was only used for business purposes.
Andrea Grassi is the editor of Computerworld Italy. You can follow him on Twitter (@andreagrassi) or connect via LinkedIn.