This follows a court appearance on May 8 where the District Court of Columbia ordered that Eccleston remain detained until a hearing on May 20.
The U.S. Department of Energy has a mission statement that includes protecting the United States and ensuring prosperity by “addressing energy, environmental and nuclear challenges” (2).
This includes controlling, maintaining and advancing the country’s energy systems, including lighting, heating and bringing in more renewable energy.
With regard to nuclear energy, the department is also responsible for security and defense as well as developing the associated technology.
Eccleston, an employee of the Department of Energy and U.S. Nuclear Regulatory Commission until 2010, is accused of using a spear phishing campaign to spread a virus through the Department of Energy’s computer network and extract sensitive information about nuclear weapons, which he intended to sell to a foreign country (1).
How the FBI Foiled the Plot
Eccleston, 62, had lived in the Philippines since 2011 (3) after being fired from the Nuclear Regulatory Commission for “conduct and performance issues” (4). Obviously the man was somewhat bitter about the way his employment ended and decided to use the knowledge he had gained from the job to line his pockets and seek revenge.
He approached a foreign embassy and offered them highly classified U.S. nuclear secrets in return for payment. What he didn’t know when he met with representatives of the country, which hasn’t been revealed, was that they were undercover FBI agents.
Unaware he was part of an FBI sting operation, Eccleston proposed to send emails composed as conference invitations to 80 ex-colleagues from the U.S. Department of Energy (3). These emails would contain malware which would break through the network security and retrieve classified nuclear information.
The undercover agents promised to pay Eccleston for the plan and gave him the malware code, which of course did no harm whatsoever. But once the emails had been sent, there was enough evidence to arrest and charge Eccleston with felony offences, including unauthorized access to computers and wire fraud.
Eccleston was deported back to the U.S. in March. If found guilty, he is looking at a potential 50 years in prison (3).
Are You Vulnerable to a Spear Phishing Attack?
In short, yes. Anyone can become a victim of an email spear phishing attack.
Unlike the ordinary phishing or spam email you may have received, spear phishing emails appear to come from people or businesses that you trust, such as your bank.
For spear phishing to be successful, the person sending the emails needs to know about you. This knowledge can be gained from identity theft, the Internet or, in the case of Charles Eccleston, being a former employee or associate. From these sources the sender gains a list of email addresses and the personal names of the people who use those addresses. If people see their own name or the name of someone they trust on the email, they’re more likely to click without thinking.
While anyone can receive a spear phishing email, it’s easy to protect yourself against them. Be suspicious of any email that demands urgent action or asks you to click a link, as this could lead to malware being installed on your device.
Instead, go directly to the supposed business’s website by entering the usual web address into your web browser. If your bank emails you saying something needs to be checked, it’ll be there if you make your own way to the website rather than clicking on the link provided.
And under no circumstances should you email out account details or passwords.
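The warning signs above can also be checked automatically before a message reaches a reader. The following Python sketch is an added example, not part of the original article: it flags an untrusted sender domain, urgent wording, links that leave the trusted domains, and link text that shows one domain while pointing to another. The sample messages, the `agency.example` domain and the keyword list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENT = re.compile(r"\b(urgent|immediately|act now|within 24 hours)\b", re.I)
LINK = re.compile(r'<a[^>]*href=["\'](https?://[^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
SHOWN = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def base_domain(host):
    # Assumption: the last two labels approximate the registered domain;
    # production code should consult the Public Suffix List instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw, trusted):
    """Return warning codes for one raw email message (headers plus body)."""
    msg = message_from_string(raw)
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    if base_domain(addr.rpartition("@")[2]) not in trusted:
        flags.append("untrusted-sender")
    body = " ".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in msg.walk() if not p.is_multipart())
    if URGENT.search(msg.get("Subject", "") + " " + body):
        flags.append("urgent-wording")
    for href, text in LINK.findall(body):
        target = base_domain(urlparse(href).hostname or "")
        if target not in trusted:
            flags.append("untrusted-link")
        shown = SHOWN.search(text)  # a domain displayed to the reader, if any
        if shown and base_domain(shown.group()) != target:
            flags.append("link-text-mismatch")
    return flags

# Constructed samples: a conference-invitation lure and an ordinary internal mail.
LURE = """From: "Conference Office" <events@conference-invites.example>
Subject: Urgent: confirm your conference registration
Content-Type: text/html

<p>Dear Jane, please confirm immediately:
<a href="http://registration.conf-portal.example/confirm">www.agency.example/conference</a></p>
"""
CLEAN = """From: "IT Desk" <it@agency.example>
Subject: Team lunch on Friday
Content-Type: text/html

<p>Menu is on the <a href="https://intranet.agency.example/lunch">intranet page</a>.</p>
"""

if __name__ == "__main__":
    print(triage(LURE, {"agency.example"}))
    print(triage(CLEAN, {"agency.example"}))
```

The From header can be forged, so a trusted sender domain here does not prove authenticity; checks like these complement SPF, DKIM and DMARC validation at the mail gateway.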
Charles Eccleston is not the first person to attempt to retrieve sensitive information through spear phishing attacks, or to be caught in an FBI sting, and he probably won’t be the last.
The FBI claims it is continually updating its practices to keep up with cyber threats and criminals, and if this case is an example of this, the U.S. can rest assured that no top secrets will be leaked and sold without the FBI knowing.