A federal judge on Monday sentenced a former employee of the U.S. Department of Energy and U.S. Nuclear Regulatory Commission to 18 months in federal prison for plotting to help foreign governments hack the computers of American agencies.
Charles Harvey Eccleston, 62, was sentenced after pleading guilty in February to one count of attempted unauthorized access and intentional damage to a protected computer.
The former DOE scientist relocated to the Philippines in 2011 shortly after being terminated from his role with the NRC, and two years later attracted the attention of the FBI when he entered a foreign embassy in Manila and offered to sell a list containing thousands of email addresses purportedly belonging to Energy Dept. workers, according to charging documents.
When the unidentified government refused to purchase the list from Eccleston for $19,000, he reportedly said he would extend the offer to China, Iran or Venezuela, in turn prompting the Justice Department to launch a sting operation that culminated in his arrest early last year.
Undercover FBI agents eventually purchased a list of 1,200 publicly available email addresses from Eccleston in exchange for $9,000, but not before he offered to help them use the information to target DOE employees with a “spear-phishing” campaign — a hacking method in which potential victims are singled out and sent specially-crafted emails in an attempt to trick targets into installing malicious software.
Eccleston “wrote the text of the emails to appear as innocuous announcements for nuclear training and education conferences,” prosecutors said in a previously sealed indictment. Specifically, the emails contained a link titled “Conference details and registration” that Eccleston was led to believe would infect a recipient’s computer with malware once opened.
“The emails were designed to induce the recipients to click on a link which the defendant believed contained a computer virus that would allow the foreign government to infiltrate or damage the computers of the recipients. The defendant identified several dozen DOE employees whom he claimed had access to information related to nuclear weapons or nuclear materials as targets for the attack,” prosecutors said.
Eccleston was arrested in the Philippines in March 2015 and taken to the U.S. where he was initially charged with four counts, including hacking and wire fraud, which carried a maximum potential sentence of 50 years behind bars. For pleading guilty, Eccleston has been ordered to serve 18 months and pay back the $9,000 he was given by the FBI in exchange for the list of emails.
“Eccleston’s sentence holds him accountable for his attempt to compromise, exploit and damage U.S. government computer systems that contained sensitive nuclear weapon-related information with the intent of allowing foreign nations to gain access to that information or to damage essential systems,” Assistant Attorney General for National Security John P. Carlin said in a statement. “One of our highest priorities in the National Security Division remains protecting our national assets from cyber intrusions. We must continue to evolve and remain vigilant in our efforts and capabilities to confront cyber-enabled threats and aggressively detect, disrupt and deter them.”
U.S.-based security firm Symantec concluded in a report released this week that spear-phishing campaigns targeting individual employees increased 55 percent during 2015, and a separate recent study sponsored by Cloudmark, another security company, found that more than one-third of the cyberattacks waged against American and British businesses last year resulted from spear-phishing.
• Andrew Blake can be reached at ablake@washingtontimes.com.
Please read our comment policy before commenting.