A brother-and-sister team, Giulio and Francesca Maria Occhionero, suspected of conducting an ambitious, years-long hacking campaign targeting thousands of accounts belonging to some of Italy’s leading political and business figures, have been linked to Malta.
The motive behind the sprawling campaign, which carried Masonic overtones, remains a mystery, but those in the duo’s cross hairs included Matteo Renzi when he was Italian premier, European Central Bank chief Mario Draghi and much of the cream of Italy’s elite.
Giulio Occhionero co-founded a boutique Rome investment firm named Westlands Securities SpA, according to his LinkedIn profile and a former employee of the company who did not want to be identified in connection with the investigation.
Roberto Di Legami, former director of the Polizia Postale, the Italian police division which specialises in combating cyber crime, said that investigators think the firm might have been set up largely as a cover for criminal activities, although evidence suggests that Westlands Securities also provided legitimate financial services, including advice on construction at a southern Italian port, along with some dealings in stocks and bonds.
Giulio Occhionero was the main force in the duo, drawing on his background as an engineer — he has a degree in nuclear engineering — as well as formidable talent as a quantitative analyst, the police official said.
Francesca Maria Occhionero, whose LinkedIn page shows she served as Westlands Securities’ managing director, mainly helped with logistical support, Di Legami said.
According to Italian investigations and media reports, Westlands Securities, meanwhile, is administered by a Maltese company, International Company Services Limited, and one of its directors is a certain John Galea. The firm, based in Ta’ Xbiex, appears to be yet another fiduciary firm that has found itself on the wrong side of the law and it is most likely only a matter of time before its involvement in the goings-on comes to further light.
In the meantime, the Occhionero siblings were arrested in Italy on Monday and are being detained.
“In the eight months we have been investigating, we haven’t registered any evidence of extortion or attempts (to use hacked data) to obtain influence,” Di Legami told The Associated Press in a telephone interview this week.
Police said that it was the assistance of the FBI that had helped crack the “cyber-espionage headquarters” leading to Monday’s arrests of Giulio Occhionero, 45, and his 49-year-old sister Francesca Maria Occhionero. They are being kept in isolation in two different jails in Rome, police said.
The two live in the Italian capital, where they are reportedly well known in the world of high finance. They also have a legal residence in London, where at one point they registered the securities company, Di Legami said.
Prosecutors’ requests for the arrest warrants alleged that the duo had tried to hack into Renzi’s personal email twice in June, when he was still premier, and into Draghi’s email account once in June and again in July.
A person familiar with the matter said there was no indication that any European Central Bank account had been successfully breached. The person spoke on condition of anonymity due to the sensitive nature of the matter.
Di Legami said the FBI had found the servers despite the suspects’ use of the online anonymity tool Tor to mask their electronic movements.
The FBI did not return a request seeking comment on the nature of its assistance, confirming only that it had helped with the investigation through the US Embassy in Rome.
All but one of the servers the Occhioneros had allegedly used in their scheme were located in the United States, Di Legami said. He added that until the Americans hand the servers to Italian investigators, it will not be known if any of the hacking attempts succeeded and if so, what data might have been extracted from the targeted accounts.
Police said investigators would be analyzing “an enormous mound of sequestered material” in the United States.
The motive behind the hackings was unclear, although lines of code in the software — including the English-language string “Pyramid Eye” — suggest a Masonic connection.
Giulio Occhionero was a high-ranking member of a Masonic lodge, Di Legami said.
An email sent to Giulio Occhionero’s personal address was not immediately returned; a LinkedIn message left with Francesca Maria’s account also was not returned.
Other prominent Italians whose accounts were allegedly targeted include Fabrizio Saccomanni, a former Italian economy minister who also served as a top official of Italy’s central bank; a Catholic cardinal holding Vatican posts; Mario Monti, an economist who wrestled with Italy’s financial crisis as premier from 2011 to 2013; former top officials of the Italian tax police squad; and Italian politicians from across the political spectrum.
Politicians expressed relief that a cyber-spy operation had been unmasked and demanded investigators get to the bottom of it.
“Everything must be rapidly cleared up, avoiding news leaks,” Debora Serracchiani, a top official with Renzi’s Democratic Party, said. “Certainly, a criminal plan has been uncovered upon which many hypotheses can be made.”
The alleged hacking operation came to light as Italian politics are already roiled over Renzi’s stepping down as premier last month following a referendum defeat and manoeuvring ahead of likely early elections that could come this year.
Ignazio La Russa, a right-wing lawmaker who was among the cyber-spies’ targets, was quoted by the Italian news agency ANSA as saying that he did not feel anguished about information of his that may have been taken.
“A member of Parliament must be transparent. If they had asked me, I would have given them the information for free,” La Russa said.
La Russa added: “I’d be sorry, however, if they spied on my private life, entering in the accounts of my wife or children.”
Di Legami said the investigators’ big break came when a security manager at a government office dealing with computer security received an email from a law office he didn’t recognize.
Alarmed, the manager asked a security firm to trace the IP address. When the IP address didn’t match the one used by the law office, police investigators picked up the trail.
Di Legami said the hackers used sophisticated and complex malware and were able to access their victims’ networks for long periods of time, remotely harvesting emails, communications and other documents from targeted computers.
In all, the suspects allegedly obtained some 18,000 usernames and nearly 1,800 passwords.
The suspects created numerous folders to sort their targets. Among the more creatively named ones was a folder dubbed “Bros” that included persons who supposedly belong to a Masonic lodge and another folder dubbed POBU — for politicians and business — in which various individuals from high-level politics and business were listed.
Investigators moved to have the suspects arrested because of the “concrete danger” they could flee abroad, police said.