Former high school teacher used Elcomsoft software in 'Celebgate' hack

The U.S. Attorney for the Eastern District of Virginia said Christopher Brannan, 31, of Richmond pleaded guilty to unauthorized access to a protected computer and aggravated identity theft, crimes punishable by a maximum seven years in prison.

According to court documents, Brannan, a former teacher at Lee-Davis High School, gained unauthorized access to iCloud backups, personal photographs and other data by answering email account security questions using information gleaned from Facebook.

Brannan also used typical phishing schemes to obtain username and password information for target accounts. Specifically, email messages resembling legitimate correspondence from Apple security personnel were sent to victims in a bid to gain access to their internet accounts.

Unlike previous "Celebgate" hackers who relied mainly on first-party tools and internet clients to access target iCloud accounts, Brannan also utilized third-party products from Elcomsoft. The specialized forensics software was employed to download entire iCloud accounts from Apple servers, which were subsequently combed through for private photographs and video, including nude photos.

Whether Brannan disseminated the ill-gotten goods to other individuals, or merely stockpiled the content for personal use, is unknown at this time.

In 2014, a cache of nude photos and video belonging to prominent entertainment industry figures circulated through the dark web before making its way into the public sphere via file sharing protocols like BitTorrent.

Dubbed "Celebgate," the incident was incorrectly blamed on an iCloud security breach. Apple denied the claims and further investigation revealed the images were procured through simple social engineering.

Brannan was charged in April and is due for sentencing on Jan. 25, 2019. Parties involved in the case have entered a non-binding recommendation that he be jailed for 34 months.

A number of hackers have been named, charged and sentenced as a result of an FBI investigation into the scandal. Last year, an Illinois man was sentenced to 9 months in prison for a phishing attack targeting more than 300 iCloud and Gmail accounts. Prior to that, a Pennsylvania man was sentenced to 18 months in prison for accessing 50 iCloud accounts and 72 Gmail accounts.

Most recently, a Connecticut man was in August sentenced to eight months in prison, followed by three years of supervised release, for instigating a phishing attack on more than 200 iCloud accounts.