A former government employee on Tuesday pleaded guilty to attempting to hack dozens of employee emails at the Department of Energy (DOE).
Charles Harvey Eccleston, 62, admitted to orchestrating a scheme that tried to lure DOE employees into clicking on malicious links in deceptive emails, a so-called “spear-phishing” attack.
Eccleston, a former DOE and Nuclear Regulatory Commission (NRC) employee, was attempting to plant a virus on the DOE computer network and expose sensitive nuclear weapon-related information to foreign governments, according to the Department of Justice (DOJ).
“Charles Harvey Eccleston is a former U.S. government employee who, motivated by greed, was thwarted in his attempt to sell information to a foreign intelligence service to enable a cyberattack against our information systems,” said Paul Abbate, assistant director in charge at the FBI's Washington Field Office.
The FBI started tracking Eccleston in 2013 after he entered a foreign embassy in Manila and offered to sell lists containing the information of U.S. government officials, prosecutors said. He asked for $18,800 for the account details, claiming they were “top secret,” and threatening to sell the information to China, Iran or Venezuela if it was not bought.
Undercover FBI agents then started corresponding regularly with Eccleston, posing as foreign intelligence agents while the former government worker designed the spear-phishing campaign.
Eccleston sold a thumb drive with roughly 1,200 NRC employees’ emails to an undercover agent for $5,000. Later he created spear-phishing emails and offered to send them to roughly 80 DOE employees who he told FBI agents were located at laboratories with nuclear materials.
The emails never contained viruses, as the FBI had provided Eccleston with a fake malicious link.
Eccleston is charged with attempted unauthorized access and intentional damage to a protected computer, which could result in up to 10 years in prison. But under the advisory federal sentencing guidelines, Eccleston faces between 24 and 30 months in prison, and a fine of up to $95,000, the DOJ said.
“Protecting our national assets from cyber intrusions is one of our highest priorities,” said John Carlin, the DOJ’s assistant attorney general for national security.