Former US NRC employee sent spear-phishing emails to 80 other US DOE employees containing an inert virus.
Charles Harvey Eccleston, 62, has pleaded guilty to sending spear-phishing emails to US Department of Energy (DOE) and the US Nuclear Regulatory Commission (NRC) employees in an attempt to infect them with malware that could be leveraged by foreign intelligence agencies to hack into US government computers.
The whole story starts in 2010 when Eccleston was laid off from the US NRC, and moved to Davao City, Philippines, one year later, in 2011.
According to the US Department of Justice, three years later, in 2013, Eccleston entered the embassy of an unnamed country in the Manila, Philippines, and offered to sell 5,000 email accounts belonging to employees of the US DOE.
Eccleston tried to sell a list of government email addresses to a foreign state
Eccleston said he wanted $18,800 (€17,200) for the emails accounts, which he said were “top secret,” and if the embassy would not buy them, he would go to the embassies of China, Iran or Venezuela instead.
Embassy officials tipped off the FBI, who sent an undercover agent to negotiate a deal with Eccleston.
During subsequent meetings, Eccleston sold a thumb drive containing 1,200 email addresses to the undercover FBI agent for $5,000 (€4,600). This happened on November 7, 2013, and the FBI agent confirmed that most of the email addresses were publicly available.
In the same meeting when this transaction took place, Eccleston also highlighted the fact that the email list would allow attackers to infect computers with a virus that would allow a foreign country to access sensitive government information, or even shut down NRC servers.
Eccleston tries his hand at running a spear-phishing campaign
On June 24, 2014, Eccleston had a second meeting, with a different undercover agent. Eccleston said he had another 30,000 email addresses belonging to DOE employees, and even offered to craft a spear-phishing campaign to target some of the individuals on the list.
The former DOE employee selected a few individuals from his list and crafted a spear-phishing email that advertised a conference which he knew DOE employees would be interested in.
On Jan. 15, 2015, Eccleston sent 80 spear-phishing emails to his former colleagues containing an inert virus he received from the FBI agent. The emails reached individuals across the US and even laboratories associated with nuclear materials.
Philippine authorities arrested Eccleston on March 27, 2015, when he was meeting with the undercover agent to receive an $80,000 payment for his endeavor. He was later deported to the US and has now admitted his crimes.
Eccleston faces a maximum of ten years in prison and financial penalties, but because of his age and previous records, according to the advisory federal sentencing guidelines, he’s likely to receive a prison term of 24 to 30 months and a fine of up to $95,000.
The grandpa turned hacker will receive his sentence in Washington on April 18, 2016.