Security Experts:

Italian Siblings Arrested Over Long-running Cyber Espionage Campaign

Italian siblings Giulio Occhionero and Francesca Maria Occhionero have been arrested in Rome, charged with conducting a long-running cyber espionage campaign against leading Italian politicians, businessmen and Masons.

The malware supposedly used by the duo is known as EyePyramid, possibly referencing the Eye of Providence found on the US one-dollar bill and often associated with Freemasonry. Investigators believe that the operation may have been running as early as 2010.

Giulio Occhionero is a high-ranking member of the Grand Orients Masonic lodge, and was reportedly shortlisted for the office of Master Mason. According to the arrest warrant, one of his targets was the grand master of Italy's biggest lodge -- and it would be easy to infer some form of masonic intrigue at play.

There is, however, no clear evidence of the effect or motivation behind the spying; nor the precise quantity or quality of the data stolen. Exfiltrated data was sent to and stored on servers in the US. At least two servers were used to store this data; one in Prior Lake, Minnesota, and the other in Salt Lake City, Utah. The FBI assisted the Italian authorities; have now seized the two servers; and will ship them to Italy over the next couple of weeks. 

The content will not be known until the servers have been fully examined in Italy. However, Roberto Di Legami, head of the specialized police cyber unit that conducted the Italian investigation, said Occhionero "was very obsessive in cataloguing the information."

The stolen information was carefully filed in more than 120 categories, including a folder named 'BROS' containing emails relating to a Masonic lodge, and another regarding politicians was named 'POBU' for Politicians Business. It is thought that up to 87Gb of data is stored.

According to the arrest warrant, the president of the European Central Bank, Mario Draghi, and two former Italian prime ministers, Matteo Renzi and Mario Monti, were among the victims. In all, it appears that more than 18,000 email accounts may have been compromised. Draghi's ECB account is not thought to have been compromised, and there is no evidence that any ECB account has been compromised. 

"There were tens of thousands of email accounts hacked, and among them were accounts belonging to bankers, businessmen and even several cardinals in the Vatican," Di Legami told Reuters. He added that the authorities had no evidence of any consequential extortion attempts, nor that any foreign state is involved. 

The FBI said in a statement Tuesday that the targeted victims possessed sensitive or strategic data "of particular value for those working in specific financial circles." Since the accused co-founded a London-based company, Westlands Securities, in 2001 (since dissolved), it seems possible that at least initially the spying sought 'inside' information to help in its financial advisory services. Noticeably, the Internet Archive Wayback Machine shows the Westlands website saying in 2003, "Westlands uses and [sic] advanced forecasting methodology based on Stochastic Processes and Boltzmann equations in order to forecast market movements."

The authorities' investigation into the Occhionero siblings' activities began when a phishing email was detected by an administrator at ENAV, the Italian organization in charge of air traffic control. It was reported to Italy's National Center for Cyber Crime which then opened the investigation leading to the two arrests. It is thought that the malware was delivered via poisoned PDF files attached to emails.

"It would not be surprising to find that VIPs, like Matteo Renzi, use their BYOD devices and personal e-mail and social media accounts 'on the side' while conducting official business, or engaged in speculation and gossiping surrounding their official business," comments Erka Koivunen, Chief Information Security Officer at F-Secure. "That effectively makes these 'peripheral' systems and secondary assets a valuable and sought-after target for the attackers."

Such behavior is indicative of a much wider problem. "Even if the targets had airtight security in their core systems, there will always be portion of the workforce that will continue to bypass all the preventive, detective and corrective security controls out there to the detriment of all of us. Unfortunately, some of the misbehaving ones sit at the boardroom level. That's like providing it to the aggressor on a silver plate."

Unsurprisingly, given the sparse technical information so far released, there is considerable and often conflicting speculation about the malware.

There is some initial technical analysis on GitHub and Payload Security. But there is also some wild speculation in the press -- ranging from a freemasonry plot, links to Project Sauron, and even an NSA operation. None of this is more than media speculation. However, one idea that does seem plausible is that more people are involved. There seems to be a degree of sophistication in an operation that took existing malware, updated it to avoid detection, and continued undetected for about four years. Tor was used to provide anonymity, and the stolen data was exfiltrated to a range of dropzone email accounts before being catalogued and stored, encrypted, on the two servers in America. There is more to be learned about this.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.