Phisher went after nuclear secrets from within

Two hot topics in security came to a head recently with an indictment of a former U.S. Department of Energy employee who was spearphishing dozens of his co-workers and bosses. 

The indictment alleges that Charles Harvey Eccleston, a former employee of the Department of Energy (DOE) and U.S. Nuclear Regulatory Commission, sent phishing emails with a virus in the hopes that it would lead to “sensitive, nuclear weapons-related government information that Eccleston believed would be collected by a foreign country.”

Eccleston allegedly sent spearphishing emails to 80 email addresses on DOE’s network after approaching a foreign government offering to sell it nuclear secrets. Undercover FBI agents met with Eccleston, who agreed to the spearphishing campaign.

Internal threat, phishing

Phishing attacks are difficult enough to defend against. Phishers are getting better and better at making their attacks convincing, and they’re able to penetrate systems alarmingly often.

But a phishing attack that comes from an internal source is even more troublesome. No fake domain name is needed because the email comes from a legitimate sender, and a co-worker sending an email or asking for information is very unlikely to raise red flags in any situation.

And tools like firewalls meant to block outsider attacks may not be as effective if you’re dealing with someone inside your own network who’s looking to cause harm.

Stopping insider threats

At this point, insider phishing may not be at the top of your list of concerns. But it’s still an important area to consider in your security plan.

In order to limit the damage or prevent attacks:

  1. Have solid policies. Make sure users know the proper channels and methods for sharing data, in-house or externally.
  2. Warn higher-ups. Executives and their staff are the most likely targets for a spearphishing attack. Make sure your training covers not only what these attacks might look like from an outsider, but also which internal messages they should be skeptical of.
  3. Evaluate personnel carefully. Background checks and references may be necessary to make sure you don’t wind up with a malicious insider on your staff.
