Former Systems Administrator Sentenced to Prison for Hacking into Industrial Facility Computer System
BATON ROUGE, LA – United States Attorney Walt Green announced today that BRIAN P. JOHNSON, age 44, of Baton Rouge, Louisiana, has been sentenced to serve thirty-four (34) months in federal prison, as a result of his conviction for hacking into the computer system of an industrial facility to disrupt and damage its operations, in violation of Title 18, United States Code, Section 1030(a)(5)(A). Chief U.S. District Judge Brian A. Jackson ordered JOHNSON to pay restitution to Georgia-Pacific in the amount of $1,134,828, pay a $100 special assessment to the United States, and forfeit a variety of computer devices and accessories used in connection with his crime. Additionally, following his release from prison, JOHNSON will be required to serve a 3-year term of supervised release.
Georgia-Pacific is one of the world’s largest manufacturers of paper, pulp, tissue, packaging, building materials, and related chemicals. The company is headquartered in Atlanta, Georgia, and employs approximately 35,000 people in more than 200 facilities nationwide. One of Georgia-Pacific’s facilities is located in Port Hudson, Louisiana, and the Port Hudson mill operates 24 hours a day, making paper, tissue, and paper towels. JOHNSON worked for many years as the facility’s information technology (IT) specialist and systems administrator. On February 14, 2014, JOHNSON’s employment was terminated, and he was escorted from the mill. After being terminated, however, JOHNSON remotely accessed the plant’s computer system and intentionally transmitted code and commands which resulted in significant damage to Georgia-Pacific and its operations.
On February 27, 2014, the Federal Bureau of Investigation executed a search warrant at JOHNSON’s home in Zachary, Louisiana, and observed a virtual private network connection to Georgia-Pacific on JOHNSON’s computer screen. Agents lawfully seized JOHNSON’s computer, pursuant to the warrant, and a subsequent forensic examination of the computer revealed logs of JOHNSON’s February 27, 2014 intrusion into the facility’s system.
On June 25, 2015, a federal grand jury returned an indictment charging JOHNSON with intentionally damaging protected computers at Georgia-Pacific, from February 14, 2014 through February 27, 2014.
On February 4, 2016, JOHNSON pled guilty to the indictment before Chief Judge Jackson. In connection with his guilty plea, JOHNSON admitted that he had accessed the plant’s computer system and intentionally transmitted harmful code and commands to the system.
On February 15, 2017, JOHNSON appeared for sentencing. After hearing arguments from both parties, Chief Judge Jackson determined that the evidence established that JOHNSON had not only committed the February 27, 2014 intrusion, but in fact a series of intrusions, beginning shortly after his termination on February 14, 2014 and continuing through the federal search. Chief Judge Jackson also determined that JOHNSON’s criminal conduct caused a loss to Georgia-Pacific of more than $1.1 million, and JOHNSON was ordered to pay restitution for the full amount of the victim’s damages. JOHNSON was ordered to surrender to the U.S. Bureau of Prisons to begin serving his nearly three-year prison term next month.
U.S. Attorney Green stated: “This case is a powerful reminder of the very real threat and danger that businesses and individuals face from cyberattacks and other cyber-related criminal activity. Thanks to the victim’s quick response and cooperation with our office and the FBI—as well as the excellent work by the prosecutors and law enforcement agents assigned to this matter—we were able to stop Mr. Johnson’s malicious attacks and bring him to justice. The best defense to these sorts of attacks includes security, training, and continued vigilance at the facility level. However, through my office’s new Cyber Security Initiative, we have partnered with numerous federal, state, and local law enforcement agencies who have the skills and expertise to confront these threats in our district, and we will aggressively work with our partners to pursue federal criminal prosecutions whenever appropriate.”
FBI New Orleans Special Agent in Charge (SAC) Jeffrey Sallet stated: “I would like to commend the men and women of the FBI's New Orleans Division’s Cyber Squad Task Force and the U.S. Attorney’s Office in Baton Rouge for their outstanding efforts in investigating this case to the fullest extent and bringing the responsible parties to justice. Combatting cyber crime is among the FBI’s top priorities due to its evolving nature and the direct threat it poses to Louisiana infrastructure.”
United States v. Brian Johnson was investigated by the Federal Bureau of Investigation’s Cybercrimes Squad. The case is being prosecuted by Assistant U.S. Attorney M. Patricia Jones, who serves as the office’s Appellate Chief, and Assistant U.S. Attorney Ryan Crosswell.
The U.S. Attorney’s Office—Cyber Security Initiative
In early 2016, the U.S. Attorney’s Office for the Middle District of Louisiana launched a new Cyber Security Initiative. The initiative brings together resources from the U.S. Department of Justice’s Computer Crimes and Intellectual Property Section, the Federal Bureau of Investigation’s Cyber Division, the U.S. Secret Service, the U.S. Department of Homeland Security, the U.S. Department of Treasury (including both the Internal Revenue Service’s Criminal Investigations Division and the Treasury Inspector General for Tax Administration), the U.S. Department of Education, the Louisiana State Police, the East Baton Rouge Parish Sheriff’s Office, the East Baton Rouge Parish District Attorney’s Office, and other federal, state, and local agencies.
Through a newly-created law enforcement working group, the initiative assembles agents and other personnel from across Louisiana and the region to assess and share information about incoming reports of cyber incidents affecting the Middle District, and evaluate law enforcement’s response. The initiative also includes a significant investment in outreach aimed at fostering greater collaboration between private industry and law enforcement and encouraging immediate reporting of cyber incidents. Team members routinely contribute to InfraGard Louisiana, a partnership between the FBI and the private sector that works to protect critical infrastructure.
For more information about the U.S. Attorney’s Office’s Cyber Security Initiative, please contact Assistant United States Attorney Alan Stevens, who serves as a Deputy Criminal Chief within the USAO, or Assistant U.S. Attorney Ryan Rezaei, at (225) 389-0443.
For more information about InfraGard Louisiana, please contact FBI Special Agent Corey Harris at (504) 816-3145, or InfraGard Louisiana President Lester J. Millet, III, at (985) 210-7518.
To submit any information to the FBI concerning suspected internet-facilitated criminal activity, please visit the website for the FBI’s Internet Crime Complaint Center (IC3), www.ic3.gov.