Operation People1 - Orziveccho: the background of the espionage attack targeted the italian public administration

On 22 Novembre 2019, was arrested the cyber-criminal responsible for the PEOPLE1 - Orziveccho operation


Download Full Report PEOPLE1-Orziveccho

On 22 Novembre 2019, the Italian State Police arrested the cyber-criminal responsible for the “Orziveccho” attack, that was renamed by CNAIPIC “PEOPLE1”.

The “Orziveccho” operation was identified by TG Soft between Saturday 4th and Tuesday 7th March 2017, when was registered more spear-phishing attacks on registry services of many italian municipalities.

TG Soft published in its news page on date 06 March 2017: “Operation "Orziveccho": Italian municipalities are under attack !!!  Massive diffusion of spear phishing against italian municipalities. Who is spying Italy ?”, where was described the modus operandi used by cyber-criminal to infect the Italian municipalities.

TG Soft chose “ORZIVECCHO” as name of this operation, because it was a part of the domain name from which the malware was downloaded: www.scuolaelementarediorziveccho.191.it, it was already used for criminal activities since 2013.

This domain would had to be assigned to Orzivecchi's municipal elementary school, but for a typing error it was registered as “orziveccho” instead of “orzivecchi” and for this reason it was dropped, but instead used by the cyber criminal for its own purposes.

Orziveccho used a remote assistance program, through which it installed a keylogger to steal the municipal employees' access credentials to enter in public administration' portals. Most of the victims have been small municipalities, but in addition to these we can also include the CAF patronages, databases of the Revenue Agency, INPS, INAIL, ACI and InfoCamere.

The cyber-criminal has used various spear phishing campaigns to target and spy Italian municipalities since 2013. TG Soft's Anti-Malware Research Centre has estimated that no less than 10% of Italian Municipalities have been targeted by this Malware-Spy.

Since 2013, the cyber-criminal of "Orziveccho" started using commercial keyloggers for his espionage operations, until he reaches real cyber security experts for implementation of RAT and keyloggers.

The purpose of “Orziveccho” was to steal personal data, tax and social security positions of unsuspecting Italian private customers and companies, in order to be resold to investigation agencies through the portal "People1.info" located in Russia.

TG Soft has declassified the confidential information on the Orziveccho operation (aka PEOPLE1).

Download full report operation PEOPLE1-Orziveccho in PDF format:

Download Full Report PEOPLE1-Orziveccho

Back on top

Research Centre Anti-Malware of TG Soft 
Any information published on our site may be used and published on other websites, blogs, forums, facebook and/or in any other form both in paper and electronic form as long as the source is always and in any case cited explicitly “Source: CRAM by TG Soft www.tgsoft.it” with a clickable link to the original information and / or web page from which textual content, ideas and / or images have been extrapolated.
It will be appreciated in case of use of the information of C.R.A.M. by TG Soft www.tgsoft.it in the report of summary articles the following acknowledgment/thanks “Thanks to Anti-Malware Research Center C.R.A.M. by TG Soft of which we point out the direct link to the original information: [direct clickable link]”

Vir.IT eXplorer PRO is certified by the biggest international organisation: