The same man, named as Donald Ryan Austin by the US Attorney's Office in the Northern District of California, was also charged with gaining unauthorised access to the servers of the Linux Foundation, an organisation that employs Linux creator Linus Torvalds.
Asked for a response to the development, senior kernel developer Greg Kroah-Hartman told iTWire: "The process is not complete yet, so sorry, I do not have any comment at this point in time."
According to an official statement, Austin could face up to 40 years in jail, on four separate charges.
It said Austin, 27, was taken into custody during a traffic stop on 28 August following a four-count indictment returned by a federal grand jury in the Northern District of California on 23 June and unsealed on 30 August.
The statement said: "Austin is charged with causing damage to four servers located in the Bay Area by installing malicious software. Specifically, he is alleged to have gained unauthorised access to the four servers by using the credentials of an individual associated with the Linux Kernel Organisation.
"According to the indictment, Austin used that access to install rootkit and trojan software, as well as to make other changes to the servers. Austin is charged with four counts of intentional transmission causing damage to a protected computer..."
The indictment says Austin managed to steal the credentials of Linux kernel project chief systems administrator John Hawley and installed a rootkit and a trojan on servers which would send the credentials of anyone who logged in via SSH to him.
It lists three servers known as Odin1, Zeus1 and Pub3, all of which Austin is accused of breaching. When the Linux kernel project announced the breach, it said this had been through a server known as Hera which is not mentioned in the indictment.
The indictment also charges Austin with having connected to the personal mail server of Peter Anvin, a senior developer and a member of the Linux Foundation Technical Advisory Board.
It appears that Austin would probably have gained access to the Linux Foundation servers from Anvin's machine, though the indictment does not mention this.
It says that the breach of the Linux kernel project servers would have occurred beginning on 11 August. The project took 17 days to notice this, a fact that has been made public.