Former US Boffin Gets 18 Months for Spear Phishing Attack

A former employee of the Nuclear Regulatory Commission (NRC) has been sentenced to 18 months in prison after offering to hand over the email addresses of Energy Department employees to a foreign government for use in cyber attacks, and then trying to carry out a spear phishing campaign.

Charles Harvey Eccleston, 62, pleaded guilty in February to one count of “attempted unauthorized access and intentional damage to a protected computer,” after being arrested in the Philippines in 2015, according to the Justice Department.

He first came to the attention of the FBI in 2013 after entering a foreign embassy in Manila and offering to sell a list of over 5,000 e-mail accounts of employees of the agency, which he claimed he could get thanks to his security clearance – despite having been sacked three years earlier.

He apparently claimed that if the unnamed foreign government didn’t want the info he would try China, Iran or Venezuela.

The FBI then constructed a sting operation with undercover G-Men posing as representatives of a foreign country.

During a meeting in 2014, Eccleston then apparently offered to design and send spear-phishing e-mails that could be used in a cyber-attack to damage the computer systems of his former employer.

He sent the email to around 80 NRC employees, thinking he would be paid $80,000, but the links supplied by the FBI were, of course, benign.

“Charles Harvey Eccleston is a scientist and former government employee who was willing to betray his country and his former employer out of spite,” said District of Columbia US attorney, Channing Phillips. “His attempts to sell access to sensitive computer networks demonstrate why the government must be so vigilant to prevent cyber-attacks.”

ViaSat UK CEO, Chris McIntosh, argued the case proves that cyber threats can come from anywhere, testing IT teams to the limit to ensure data stays secure.

“This means taking a comprehensive approach to security – ensuring all sensitive information is encrypted; only those with the right authority are able to access sensitive data; new methods of protection are implemented to monitor, check and identify areas of abnormality; and that employees are security-aware and not unwittingly giving access to rogue actors,” he added.

Meanwhile, Piers Wilson, head of product management at Huntsman Security, claimed the majority of ‘insider’ threats will be much harder to spot than this one was.

“They’ll take a soft approach, abusing their access privileges to siphon off information legitimately, before doing something illegitimate with it. The most dangerous of all are the unwitting insiders; those that don’t realize their actions are leaving the organization vulnerable to a breach,” he added.

“The only way that organizations can protect themselves against these more advanced insider threats is if they’re monitoring for any suspicious or anomalous behavior taking place on their systems.”
