Former U.S. Nuclear Regulatory Commission Employee Charged with Attempted Spear-Phishing Cyber-Attack on Department of Energy Computers
WASHINGTON—An indictment has been unsealed charging Charles Harvey Eccleston, a former employee of the U.S. Department of Energy and the U.S. Nuclear Regulatory Commission (NRC), in connection with an attempted e-mail “spear-phishing” attack in January 2015, targeting dozens of Department of Energy employee e-mail accounts.
The indictment was announced today by Assistant Attorney General for National Security John P. Carlin, Acting U.S. Attorney Vincent H. Cohen Jr. of the District of Columbia and Assistant Director in Charge Andrew G. McCabe of the FBI’s Washington Field Office.
The indictment was unsealed, along with an earlier-filed complaint and affidavit, following Eccleston’s first appearance this afternoon in the U.S. District Court of the District of Columbia. The court ordered that he remain detained pending a hearing set for May 20, 2015.
According to the affidavit, the goal of the attack was to cause damage to the computer network of the Department of Energy through a computer virus that Eccleston believed was being delivered to particular department employees through e-mails, and to extract sensitive, nuclear weapons-related government information that Eccleston believed would be collected by a foreign country.
An e-mail spear-phishing attack involves crafting a convincing e-mail for selected recipients that appears to be from a trusted source and that, when opened, infects the recipient’s computer with a virus. Attackers may gather personal information about their target to increase their probability of success.
“Combating cyber-based threats to our national assets is one of our highest priorities,” said Assistant Attorney General Carlin. “As alleged in the indictment, Eccleston sought to compromise, exploit and damage U.S. government computer systems that contained sensitive nuclear weapon-related information with the intent to allow foreign nations to gain access to that material. We must continue to evolve our efforts and capabilities to confront cyber enabled threats and aggressively detect, disrupt and deter them. We are grateful for the tireless efforts of law enforcement in this case.”
“This former federal employee is charged with trying to launch a cyber-attack to steal sensitive information from the Department of Energy,” said Acting U.S. Attorney Cohen. “Thanks to an innovative operation by the FBI, no malicious code was actually transmitted to government computers. This prosecution demonstrates federal law enforcement’s vigorous efforts to neutralize cyber threats that put consumers, our economy, and our national security at risk.”
“Computer intrusions are among the greatest cyber threats to our national security,” said Assistant Director in Charge McCabe. “Cyber actors have become increasingly adept at exploiting our computer networks in order to exfiltrate our nation’s secrets and valuable research. As threats to the U.S. government become increasingly complex, the FBI will continue to evolve in order to counter these threats.”
Eccleston, 62, a U.S. citizen who had been living in Davos City in the Philippines since 2011, was terminated from his employment at the U.S. Nuclear Regulatory Commission in 2010. The attack targeted computers at the Department of Energy. Eccleston was detained by Philippine authorities in Manila on March 27, 2015, and deported to the United States to face U.S. criminal charges.
According to the affidavit, Eccleston initially came to the attention of the FBI after he entered a foreign embassy and offered to provide classified information, which he claimed had been taken from the U.S. government. Thereafter, Eccleston met with FBI undercover employees who were posing as representatives of the foreign country, and in exchange for a promised future payment, offered to design and send spear-phishing e-mails that could be used to damage the computer systems used by his former employer and to extract sensitive information from them.
The affidavit alleges that Eccleston sent those e-mails to over 80 Department of Energy computers in January 2015. The FBI was able to ensure that no computer virus or malicious code was actually transmitted to the government computers.
The indictment charges Eccleston with a total of four felony offenses. These include three counts of crimes involving unauthorized access of computers. Each of the crimes, as charged, is a felony punishable by a fine or imprisonment for various terms, the longest of which is ten years. The indictment also charges Eccleston with wire fraud. Such a violation is a felony punishable by a fine or imprisonment for not more than 20 years, or both. Eccleston is charged with attempted violations of the statutes because the FBI ensured that no computer virus was actually embedded in the spear-phishing e-mails.
Charges contained in an indictment are merely accusations, and the defendant is presumed innocent unless and until proven guilty.
The investigation was conducted by the FBI’s Washington Field Office with assistance from the Nuclear Regulatory Commission and Department of Energy. The prosecution is being handled by Assistant U.S. Attorney Thomas A. Gillice of the District of Columbia. Trial Attorneys Scott Ferber and Julie A. Edelstein of the Justice Department’s National Security Division assisted in this matter.
The Department of Justice expressed appreciation to the Government of the Philippines for its assistance.