Andrew James Miller, a 23-year-old resident of Devon, Pennsylvania, was arrested on Thursday and charged with one count of conspiracy, two counts of computer fraud, and one count of access device fraud, according to a statement issued by the Justice Department's Criminal Division.
Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology
Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.Join Now
According to the indictment, between 2008 and 2011, Miller and others allegedly remotely hacked into computer networks belonging to RNK Telecommunications Inc., a Massachusetts company; Crispin Porter and Bogusky Inc., a Colorado advertising agency; the University of Massachusetts; the U.S. Department of Energy; and other institutions and companies.
The indictment alleges that when Miller hacked into the computers, he obtained other users' access credentials to the compromised computers. He and his co-conspirators then allegedly sold access to these computer networks as well as other access credentials.
After gaining unauthorized access to these systems, Miller is alleged to have installed Trojan horse programs that gave him access to the networks which he and his co-conspitrators sold online.Miller and his co-conspirators were discovered after they attempted to sell access to the victim networks to an undercover FBI agent.
The indictment details an IRC conversation between Miller and an undercover agent in which Miller exchanges access to RNK's servers and a list of hundreds of user names and passwords for two payments of $500.00. Payment was to be made to Andrew Miller of Lancaster, PA, via Western Union.
Miller later requested two payments of $600 via Western Union in exchange for a U-Mass database dump and $1,000.00 for access to CPB Group. At one point, Miller attempted to sell the FBI access to a supercomputer belonging to the DoE's National Energy Research Scientific Computing Center for $50,000.
Miller faces up to five years in prison for the conspiracy count and one of the computer fraud counts, and up to 10 years in prison on one of the computer fraud counts and the access device fraud count, to be followed by three years of supervised release, a $250,000 fine and restitution, if convicted.