The felons are two siblings who live between Rome and London, Giulio and Francesca Maria Occhionero. He is a 45-year-old nuclear engineer, apparently affiliated with Freemasonry, while she is a 49-year-old chemist who in her late 20s became a professor of security at IRI Management (according to Giuliano Tavaroli), a passionate runner who enjoys dual Italian-American citizenship.
The pair used an old piece of malware dating from 2008, which according to some experts is not among the top hacker tools. It can be leased or bought online, and it was already used in other cyber-attacks in the past, so it is not new to investigators. They used some domains to infect their targets, such as eyepiramid.com, considered among the world’s nerds to be one of the least reliable in existence; their server was trivially placed in the U.S. rather than, more shrewdly, in China, in Russia or in Kamchatka. And they spied on half of Italy and robbed their targets of sensitive data for at least four years.
After months of investigations by the postal police, which started after the report of a suspicious email by an ENAV executive, the two siblings were arrested on Monday and their cyber-espionage network was dismantled.
The warrant signed by the Preliminary Investigations Judge in Rome, Maria Paola Tomaselli, presents a bleak and disturbing picture, described in the relatively simple terms of criminal action.
Over 18,000 digital profiles were cracked open, including hundreds of institutional and personal accounts robbed of sensitive data. Email accounts, computers and mobile phones of politicians, representatives of institutions and entrepreneurs were infected and controlled: from Matteo Renzi to the president of the European Central Bank Mario Draghi, from former Prime Minister Mario Monti to the former Minister of Defense Ignazio La Russa, from Monsignor Ravasi to Paolo Poletti, former Deputy Director of the AISI, the domestic intelligence agency. They hacked the former mayor of Turin Piero Fassino, former minister Fabrizio Saccomanni, the former chief of staff of the Treasury Vincenzo Fortunato, the former President of the Campania Region Stefano Caldoro, and Berlusconi followers like Fabrizio Ciccio, Capezzone, Michela Vittoria Brambilla, Paolo Bonaiuti and more.
What’s more, they hacked the domains and accounts of four ministries, the House of Representatives, the Senate, the Lombardy and Campania Regions, the City of Rome, the Italian finance police, Bocconi University, Eni, the Bank of Italy, ENAV, and more than 20 law firms, many of which specialize in administrative and commercial law.
In total, almost 2,000 usernames and passwords were cataloged in 122 categories and different databases under self-explanatory names: there are the “Eyes,” that is, the accounts already infected by the two cyberspies’ botnet (a network of devices through which the malware spreads); the “bros,” the list of Masonic brothers “under attention”; the “Pobù,” which would be the politicians and businessmen, and so on.
At the moment, we do not know whether there was a buyer to whom the information was handed or sold, or who that might be (logically discarding extortion as a goal). The total extent of the digital treasure amassed by the Occhionero siblings is also unknown.
“It’s a fascinating story which is missing a piece,” commented the security expert Andrea Zapparoli Manzoni. It’s not difficult to obtain malware of this type, as Giuliano Tavaroli, former cybersecurity expert at Pirelli and Telecom Italian Group, explained to il manifesto.
Indeed, Tavaroli recalls some other hacking cases: a year and a half ago, a Chinese hacker stole 20 million profiles from the U.S. Office of Personnel Management. A few weeks ago, Yahoo reported the violation of one million of its accounts, while in Ukraine, someone even managed to shut down a nuclear power plant through malware.
So there is nothing particularly surprising in the cyberspy network dismantled by the Roman investigation nicknamed “Eye Pyramid.” Although, according to Zapparoli Manzoni, “it is one thing to buy malware and use it today, another thing is using it for years: It means that it has been updated. Behind this story, there are bad hackers, and next are the interests of the state.” Yet, Tavaroli reminds us, there is a thriving information market, more or less legitimate, and a whole world that revolves around it. And London, where prosecutors say the siblings operated, is an important marketplace of “economic intelligence.”
“Instead of feigning surprise, we should make a political issue out of this case, and ask ourselves about the safety of our country,” Tavaroli said. “Although, as we can see, we are not the only ones on the planet to underestimate the risks associated with cybercrime put to the service of the market of information.”
He concludes: “We digitized the world, but we do not know how to protect it.”