Charles Harvey Eccleston, 62, a former employee of the U.S. Department of Energy (DoE) and the U.S. Nuclear Regulatory Commission (NRC), was recently charged with involvement in an attempted spear phishing attack in January of this year targeting dozens of DoE employee email accounts.
Eccleston, who moved to the Philippines after he was fired from his job at the NRC in 2010, was detained by Philippine authorities on March 27, 2015, and deported to the U.S. He will remain detained until a hearing scheduled for May 20, 2015.
He allegedly approached an unidentified foreign embassy with an offer to provide classified information from the U.S. government, after which he allegedly met with undercover FBI employees posing as representives of that foreign country. During that meeting, in exchange for future payment, Eccleston allegedly offered to design and send spear phishing emails targeting the DoE.
Although Eccleston then sent phishing emails to over 80 DoE computers in January 2015, Acting U.S. Attorney Vincent H. Cohen, Jr., said in a statement, "Thanks to an innovative operation by the FBI, no malicious code was actually transmitted to government computers."https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
Eccleston has been charged with four felony offenses, including one count of wire fraud and three counts of crimes involving unauthorized access of computers.
"As alleged in the indictment, Eccleston sought to compromise, exploit and damage U.S. government computer systems that contained sensitive nuclear weapon-related information with the intent to allow foreign nations to gain access to that material," Assistant Attorney General for National Security John P. Carlin said in a statement. "We must continue to evolve our efforts and capabilities to confront cyber enabled threats and aggressively detect, disrupt and deter them."
Spikes Security CMO Franklyn Jones told eSecurity Planet by email that the incident serves as an important reminder of how targeted, personal, and compelling spear phishing attacks can be. "If 10 employees are targeted, chances are good that at least one might click on a link that initiates delivery of malicious Web content," he said. "Once that happens, the attacker wins and the organization loses."
And STEALTHbits strategy and research officer Jonathan Sander said it's worth noting how much the arrest sounds like a typical bust on Law & Order. "We're used to the image of the cybercriminal being the hacker in a hoodie sitting in front of five screens full of green code and chugging Red Bull, but this was an older man who was simply using his knowledge of email addresses to target and for what to say that would fly under the radar," he said. "A couple of FBI guys went in and posed as criminals, pretended to collude with him, and got him to incriminate himself."
"The 'cyber' in cybercrime, like most technology today, is simply becoming the way things get done in business -- even if the business is espionage," Sander added.