Charles Harvey Eccleston, a former employee of the U.S. Department of Energy and the U.S. Nuclear Regulatory Commission (NRC), pleaded guilty Tuesday to charges of attempting to extract sensitive, nuclear weapon-related information by hacking into his former colleagues’ computers.
According to an indictment unsealed last May, the 62-year-old tried to extract this information from computers at the Department of Energy through “spear-phishing” emails with the intent of selling this information to an unnamed foreign government.
“Eccleston admitted that he attempted to compromise, exploit and damage U.S. government computer systems that contained sensitive nuclear weapon-related information with the intent of allowing foreign nations to gain access to that information or to damage essential systems,” U.S. Assistant Attorney General for National Security John Carlin said in a statement released Tuesday.
A spear-phishing attack involves crafting an email that appears to come from a trusted source and that infects the recipient’s computer with a virus when opened. According to the FBI, Eccleston sent such emails to over 80 computers in January. However, no computer virus or malware was transferred to these systems, because the link in the email, in this case an invitation to a scientific conference, was actually benign and had been supplied by an undercover FBI agent posing as a foreign intelligence official.
“This prosecution underscores our commitment to prosecute those who carry out or plan cyber-attacks against our government, whether they are in the United States or in remote locations overseas,” Channing Phillips, U.S. attorney for the District of Columbia, said in the statement. “Thanks to the work of the FBI, this former federal employee was arrested before he could do any damage and he now is being held accountable for actions that could have threatened our national security.”
Eccleston had been living in the Philippines since 2011 after he was fired from the NRC in 2010, reportedly for failing to meet the requirements of a two-year probationary period. His activities came to light during an undercover FBI operation in 2013 when he offered to design and send spear-phishing emails that could be used to damage the computer systems used by his former employer. He also went to the embassy of an unnamed foreign nation and offered to sell the information for $18,800, and said that if the embassy refused, he could turn around and offer the "top secret" information to Iran, Venezuela or China.
Eccleston, who is currently being held without bail, will be sentenced on April 18. While the charge against him carries a maximum sentence of 10 years in prison, under the terms of the plea deal, prosecutors have recommended two to two-and-a-half years and a fine of up to $95,000.