Nuclear secrets spear-phisher pleads guilty

The US penchant for listing the maximum possible prison sentences that alleged offenders might end up serving, assuming they are guilty and end up convicted, doesn’t please everyone.

Even if most offenders get nowhere near the maximum theoretical sentence, there’s something discomfiting about reading that a cybercrook could face “247 years in prison.”

Germany blocked extradition of Ercan Findikoğlu back in 2014 over a sentence of that biologically improbable length; the dispute was eventually settled and Findikoğlu was sent to face the music in the USA.

Latvia similarly blocked the extradition of Deniss Čalovskis, author of the infamous Gozi malware that stole online banking credentials, whose charge sheet officially listed his maximum penalty as 67 years.

A plea bargain was reached in which Čalovskis agreed he would do the time without the right of appeal if he was given no more than two years; he was then extradited, pleaded guilty and got a rather more modest 21 months.

The latest cybercrime-justice-done news of this sort involves Charles Harvey Eccleston, 62, who was extradited from the Philippines for trying to infect US Department of Energy (DOE) computers with malware.

Eccleston theoretically faced up to 50 years, but both sides in the case reached an agreement that a sentence of 24 to 30 months would be appropriate if Eccleston were to admit his guilt.

He did.

You can’t help but imagine it could have gone much worse for Eccleston, who had moved to the Philippines after being sacked from the US Nuclear Regulatory Commission (NRC), part of the DOE.

Eccleston apparently went on a bit of a sales drive in the Philippines, trying to find an embassy where he could sell insider information about the NRC – in two words, “nuclear secrets.”

The country to which he actually offered the information – he wanted $18,800 for his troubles – isn’t named in the Department of Justice (DOJ) press release, but he was apparently asked what he’d do if the country concerned wasn’t interested.

The answer, it seems, was that he’d try China, Iran or Venezuela instead.

The FBI was informed, and Eccleston then got his chance to sell his scheme – but to an undercover investigator.

Eccleston effectively agreed to be a “spear-phisher,” using his insider knowledge of NRC business to craft an email that he hoped would trick one or more NRC staffers into installing malware on their computers:

Over the next several months, the defendant identified specific conferences related to nuclear energy to use as a lure for the cyber-attack, then drafted emails advertising the conference. The emails were designed to induce the recipients to click on a link which the defendant believed contained a computer virus that would allow the foreign government to infiltrate or damage the computers of the recipients. The defendant identified several dozen DOE employees whom he claimed had access to information related to nuclear weapons or nuclear materials as targets for the attack.

The phishing attack didn’t work, not least because the malware link provided by the undercover investigator was, in the understated words of the DOJ, “inert.”

When Eccleston met the investigtor, hoping to collect an $80,000 payoff for the conducting the phishing expedition:

He was detained by Philippine authorities in Manila, Philippines, on March 27, 2015, and deported to the United States to face US criminal charges. He has been in custody ever since.

In the end, Eccleston’s phishing attempt ended up being little more than a penetration test for the NRC.

We’d love to know how many insiders did click the link, given the apparent relevance of the email to their research interests…

…but (quite understandably) none of the DoJ, the FBI or the NRC is saying!


How do you think your organisation would stand up to a spear-phishing attack crafted by someone who was familiar with how your business worked, and what you were interested in?

For the October 2015 Cybersecurity Awareness Month, we prepared a handy guide to help you build corporate resilience to this very insidious sort of attack.

It’s well worth a read – why not give it a try?

Image of spear fishing (the literal sort!) courtesy of Shutterstock.