Skip to content
Naked Security Naked Security

Italian pair arrested over alleged hack of cardinals and masons

Pair allegedly behind EyePyramid malware that compromised thousands of accounts held

An Italian brother and sister have been arrested for spearphishing and planting a remote-access trojan/keylogger on to the computers of a veritable who’s who list of their countrymen.

Victims include two former prime ministers, the president of the European Central Bank, several cardinals, the former mayor of Turin, and several members of a Masonic lodge.

This story has a lot of evil-eye imagery.

Politico reports that the siblings were arrested last week and held in a Roman prison. They are Giulio Occhionero, 45, and Francesca Maria Occhionero, 48, and they bear a last name that translates to “black eye”.

So that’s one thing. Then too, the malware they’re accused of planting is codenamed EyePyramid: as in, that all-seeing Eye of God watching over mankind from on top of a pyramid, beaming out photon beams or rays of omnipotence or financial microwaves or whatever, that’s on the back of the US dollar bill.

Watching over the very particular activities of very specific flavors of mankind, in this case. According to researchers, EyePyramid has been used to exfiltrate more than 87 gigabytes worth of data, including usernames, passwords, browsing data, and filesystem content.

As TrendMicro posted on GitHub, that translates to 18,327 account usernames, 1,793 passwords, and a set of keystrokes stolen via keylogger.

Court documents seen by Reuters say that the stolen data was stored in servers in Prior Lake, Minnesota, and Salt Lake City, Utah.

Reuters quotes Roberto Di Legami, head of the specialized police cyber unit that conducted the EyePyramid investigation:

There were tens of thousands of email accounts hacked, and among them were accounts belonging to bankers, businessmen and even several cardinals in the Vatican.

Some of the high-profile victims, according to an arrest warrant seen by Politico:

  • Former prime ministers Matteo Renzi and Mario Monti
  • Mario Draghi, president of the European Central Bank
  • Fabrizio Saccomanni, the former deputy governor of the Bank of Italy
  • Piero Fassino, the former mayor of Turin
  • Several members of a Masonic lodge

The warrant also showed that email addresses were targeted at important corporate law firms, accounting companies, finance police officials, economy ministry officials, Vatican offices, labor unions, and even credit recovery groups.

Why Masons? Besides the eye tie-in?

According to Italian police, Giulio Occhionero was a high-ranking representative of the “Grand Orients” Masonic lodge and had been shortlisted for the office of Master Mason, as Politico reports. Police said that he was also working to set up another lodge.

Di Legami said that Italian police have no evidence that the EyePyramid hacking campaign was espionage done on behalf of foreign states. Such hacking has been getting plenty of attention in the US, as intelligence agencies have reported Russian hacking of the US presidential campaign.

Rather than nation state hacking, police believe that the motivation behind the EyePyramid hacking operation was to sweeten the chances of financial payouts.

Di Legami said that Giulio Occhionero, who’s a trained nuclear engineer and co-founder of investment firm Westland Securities, infected email accounts so that he could make “investments based on reserved information”.

Italian police began the investigation when a spearphising email arrived in the inbox of an administrator at ENAV, the Italian company in charge of air traffic control, in April 2016.

According to Reuters, there’s evidence pointing to the brother and sister team having used the malware to spy since 2010.

What led the investigators to identify the suspects was the fact that the EyePyramid malware relied on a paid library, used to build mail software, in order to exfiltrate the data out to the attackers’ email addresses.

The European Central Bank hasn’t commented on the situation, but a source familiar with the cyberattack told Politico that there’s no indication that any ECB accounts have been breached.

That’s a bit of a relief. Hopefully it’s due in no small part to ongoing training on how to avoid phishing attempts.

Speaking of which, here are some tips on how to avoid falling for the bait.


Please, can you tell us if Sophos detect this malware?


Yes. It’s actually a rather large family of malware samples that Sophos products detect and block either as Troj/MSIL-NU or as Troj/Cribz-A.

Note that the first of these malware detection names goes back to 2014, when it seems this malware first showed up, so if you want to check your logs you may need to go back a long way. As far as I can see, the delay in this becoming news was down to the investigation, given that the two suspects have only just been arrested.

(Thanks to Gabor Szappanos of SophosLabs for checking this out.)


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!