A one-time employee of the Nuclear Regulatory Commission and Department of Energy on Monday received an 18-month prison sentence for an attempted 2015 “spear-phishing” strike against DOE email accounts, the Department of Justice said.
The sentence came just over two months after Charles Harvey Eccleston, 62, pleaded guilty in federal court in Washington, D.C., to attempted unauthorized access and intentional damage to a protected computer. As part of his plea, Eccleston acknowledging plotting to carry out a cyberattack in which DOE personnel would receive an email that appeared to be from a “trusted source,” but that would instead carry a computer virus, DOJ said.
“Eccleston’s sentence holds him accountable for his attempt to compromise, exploit and damage U.S. government computer systems that contained sensitive nuclear weapon-related information with the intent of allowing foreign nations to gain access to that information or to damage essential systems,” said Assistant Attorney General Carlin in a press release. “One of our highest priorities in the National Security Division remains protecting our national assets from cyber intrusions. We must continue to evolve and remain vigilant in our efforts and capabilities to confront cyber-enabled threats and aggressively detect, disrupt and deter them.”
The DOJ press release said Eccleston in 2013 entered a foreign embassy in the Philippines, where he was living at the time. He offered to sell for $18,800 a list containing more than 5,000 email accounts for engineers and other officials with a U.S. government energy agency. He indicated that he was willing to sell the data to China, Iran, or Venezuela if the first sale attempt failed.
This ultimately led to a months-long FBI undercover investigation in which Eccleston showed one undercover operative a list of about 5,000 email addresses he claimed were for NRC employees. In a later meeting with an undercover agent, Eccleston claimed to have 30,000 DOE personnel email accounts for DOE workers that could be used for computer strike. He subsequently “identified several dozen DOE employees whom he claimed had access to information related to nuclear weapons or nuclear materials as targets for the attack,” DOJ said.
On Jan. 15, 2015, Eccleston sent a harmless FBI-supplied link to a list of targeted email accounts, believing he would be infecting computers used by about 80 DOE workers at multiple facilities, including laboratories connected to nuclear materials, the release says.
Along with his prison sentence, Eccleston was ordered to forfeit $9,000, the amount he received from the FBI during the investigation.