Former U.S. Nuclear Regulatory Commission Employee Pleads Guilty to Attempted Spear-Phishing Cyber-Attack on Department of Energy Computers
There’s a follow-up to a case I first noted in May of 2015.
Charles Harvey Eccleston, 62, a former employee of the U.S. Department of Energy (DOE) and the U.S. Nuclear Regulatory Commission (NRC), pleaded guilty yesterday to a federal offense stemming from an attempted e-mail “spear-phishing” attack in January 2015 that targeted dozens of DOE employee e-mail accounts.
The guilty plea was announced by Assistant Attorney General for National Security John P. Carlin, U.S. Attorney Channing D. Phillips of the District of Columbia and Assistant Director in Charge Paul M. Abbate of the FBI’s Washington Field Office.
Eccleston pleaded guilty in the U.S. District Court for the District of Columbia to one count of attempted unauthorized access and intentional damage to a protected computer. In his guilty plea, Eccleston admitted scheming to cause damage to the computer network of the DOE through e-mails that he believed would deliver a computer virus to particular employees. An e-mail spear-phishing attack involves crafting a convincing e-mail for selected recipients that appears to be from a trusted source and that, when opened, infects the recipient’s computer with a virus.
“Eccleston admitted that he attempted to compromise, exploit and damage U.S. government computer systems that contained sensitive nuclear weapon-related information with the intent of allowing foreign nations to gain access to that information or to damage essential systems,” said Assistant Attorney General Carlin. “Protecting our national assets from cyber intrusions is one of our highest priorities. We must continue to evolve and remain vigilant in our efforts and capabilities to confront cyber-enabled threats and aggressively detect, disrupt and deter them.”
“This prosecution underscores our commitment to prosecute those who carry out or plan cyber-attacks against our government, whether they are in the United States or in remote locations overseas,” said U.S. Attorney Phillips. “Thanks to the work of the FBI, this former federal employee was arrested before he could do any damage and he now is being held accountable for actions that could have threatened our national security.”
“Charles Harvey Eccleston is a former U.S. Government employee who, motivated by greed, was thwarted in his attempt to sell information to a foreign intelligence service to enable a cyber-attack against our information systems,” said Assistant Director in Charge Abbate. “Today’s guilty plea is a testament to the dedication of the FBI and prosecutorial team, along with our federal and foreign partners, to relentlessly pursue and bring to justice an individual who sought to misuse his position to betray the country.”
Eccleston, a U.S. citizen who had been living in Davao City in the Philippines since 2011, was terminated from his employment at the NRC in 2010. He was detained by Philippine authorities in Manila, Philippines, on March 27, 2015, and deported to the United States to face U.S. criminal charges. He has been in custody ever since.
According to court documents, Eccleston initially came to the attention of the FBI in 2013 after he entered a foreign embassy in Manila and offered to sell a list of over 5,000 e-mail accounts of all officials, engineers and employees of a U.S. government energy agency. He said that he was able to retrieve this information because he was an employee of a U.S. government agency, held a top secret security clearance and had access to the agency’s network. He asked for $18,800 for the accounts, stating they were “top secret.” When asked what he would do if that foreign country was not interested in obtaining the U.S. government information the defendant was offering, the defendant stated he would offer the information to China, Iran or Venezuela, as he believed these countries would be interested in the information.
Thereafter, Eccleston met and corresponded with FBI undercover employees who were posing as representatives of the foreign country. During a meeting on Nov. 7, 2013, he showed one of the undercover employees a list of approximately 5,000 e-mail addresses that he said belonged to NRC employees. He offered to sell the information for $23,000 and said it could be used to insert a virus onto NRC computers, which could allow the foreign country access to agency information or could be used to otherwise shut down the NRC’s servers. The undercover employee agreed to purchase a thumb drive containing approximately 1,200 e-mail addresses of NRC employees; an analysis later determined that these e-mail addresses were publicly available. The undercover employee provided Eccleston with $5,000 in exchange for the e-mail addresses and an additional $2,000 for travel expenses.
Over the next several months, Eccleston corresponded regularly by e-mail with the undercover employees. A follow-up meeting with a second undercover employee took place on June 24, 2014, in which Eccleston was paid $2,000 to cover travel-related expenses. During this meeting, Eccleston discussed having a list of 30,000 e-mail accounts of DOE employees. He offered to design and send spear-phishing e-mails that could be used in a cyber-attack to damage the computer systems used by his former employer.
Over the next several months, the defendant identified specific conferences related to nuclear energy to use as a lure for the cyber-attack, then drafted emails advertising the conference. The emails were designed to induce the recipients to click on a link which the defendant believed contained a computer virus that would allow the foreign government to infiltrate or damage the computers of the recipients. The defendant identified several dozen DOE employees whom he claimed had access to information related to nuclear weapons or nuclear materials as targets for the attack.
On Jan. 15, 2015, Eccleston sent the e-mails he drafted to the targets he had identified. The e-mail contained the link supplied by the FBI undercover employee which Eccleston believed contained a computer virus, but was, in fact, inert. Altogether, the defendant sent the e-mail he believed to be infected to approximately 80 DOE employees located at various facilities throughout the country, including laboratories associated with nuclear materials.
Eccleston was detained after a meeting with the FBI undercover employee, during which Eccleston believed he would be paid approximately $80,000 for sending the e-mails.
The charge of attempted unauthorized access and intentional damage to a protected computer carries a maximum sentence of 10 years in prison and potential financial penalties. Under the advisory federal sentencing guidelines, Eccleston faces a prison term of 24 to 30 months and a fine of up to $95,000. Sentencing before U.S. District Judge Randolph D. Moss of the District of Columbia is scheduled for April 18, 2016.
The investigation was conducted by the FBI’s Washington Field Office with assistance from the NRC and DOE. The case is being prosecuted by Assistant U.S. Attorney Thomas A. Gillice of the District of Columbia and Trial Attorney Julie A. Edelstein of the National Security Division’s Counterintelligence and Export Control Section. Trial Attorney Scott Ferber of the National Security Division’s Counterintelligence and Export Control Section assisted in the investigation of this matter. The Department of Justice’s Office of International Affairs and the government of the Philippines also provided significant assistance.
SOURCE: Department of Justice