A former employee of the U.S. Department of Energy (DOE) has pleaded guilty to an attempted spear-phishing attack against government computers. On Tuesday, Charles Harvey Eccleston, 62, who also worked for the U.S. Nuclear Regulatory Commission (NRC) at one time, admitted his guilt in conspiring to cause damage to Department of Energy computers via a spear-phishing scheme.
A statement issued by the Department of Justice reveals that Eccleston first came to the attention of the Federal Bureau of Investigation back in 2013, when he offered to sell 5,000 emails belonging to employees of a U.S. government energy agency to a foreign embassy. He made clear at the time that if no one there was interested, he would offer the information to China, Iran, or Venezuela. After that, Eccleston met several times with FBI undercover agents posing as representatives of that foreign country. In one November 2013 meeting, the former DOE employee sold the agents 1,200 email addresses that were said to belong to NRC officials for $5,000. Those emails were later determined to be publicly available.
Some months later, he agreed to design the spear-phishing emails to target 30,000 employees of the DOE. Towards that end, Eccleston crafted fake emails about specific conferences on nuclear energy as a lure to trick the employees into clicking on a malicious link that would download a virus onto their computers, which the foreign government could then use to damage or infect the DOE's computer network. The former NRC employee ultimately sent out about 80 emails to DOE employees in January of 2015. These emails contained a link supplied by the FBI agents that was inert. The FBI soon after arrested Eccleston, who believed that he would be paid $80,000 for crafting the spear-phishing emails.
“Eccleston admitted that he attempted to compromise, exploit and damage U.S. government computer systems that contained sensitive nuclear weapon-related information with the intent of allowing foreign nations to gain access to that information or to damage essential systems,” said Assistant Attorney General Carlin. “Protecting our national assets from cyber intrusions is one of our highest priorities. We must continue to evolve and remain vigilant in our efforts and capabilities to confront cyber-enabled threats and aggressively detect, disrupt and deter them.”
Eccleston pleaded guilty to one count of attempted unauthorized access and intentional damage to a protected computer. Though he could face a maximum sentence of 10 years in prison, the former DOE employee is currently facing a prison term of two years and a fine of $95,000. He is scheduled to be sentenced in a Washington, DC federal court on April 18.