Full Report
A federal jury on Thursday convicted an Alexandria man of conspiring with his twin brother to delete approximately 96 federal government databases after the pair were fired from a contractor that served more than 45 federal agencies. Sohaib Akhter, 34, was found guilty of conspiracy to commit computer fraud, password trafficking and possession of a…
Analysis Summary
# Incident Report: Insider Retaliation and Federal Database Deletion
## Executive Summary
Two former employees of a Washington D.C.-based software contractor conspired to misuse their administrative access, retrieve a citizen's plaintext password from a federal portal database, use it to enter that citizen's personal email account, and, after they were fired, delete approximately 96 federal government databases hosted by their former employer. The contractor served more than 45 federal agencies. Sohaib Akhter was convicted by a federal jury of conspiracy to commit computer fraud and password trafficking (the third count is cut off in the excerpt above); the excerpt does not state how the case against his brother was resolved.
## Incident Details
- **Discovery Date:** Not disclosed (jury verdict returned May 2026; sentencing still pending)
- **Incident Date:** Began February 1, 2025 with the credential query; the database deletions followed the pair's termination
- **Affected Organization:** Unnamed Washington D.C. software contractor
- **Sector:** Government Contracting / Information Technology
- **Geography:** Northern Virginia / Washington D.C., USA
## Timeline of Events
### Initial Access
- **Date/Time:** February 1, 2025
- **Vector:** Legitimate administrative credentials (insider); no external intrusion was required.
- **Details:** While still employed and authorized, Sohaib Akhter used his administrative access to run a database query that returned the plaintext password of an EEOC complainant stored in the portal's database.
### Lateral Movement
- The brothers used the retrieved password to log into the complainant's personal email account, moving from the contractor's systems to a private citizen's data. This pivot works only when the victim reuses the same password on both services, which is exactly why a plaintext leak from one system becomes a compromise of others.
### Data Exfiltration/Impact
- After being terminated from the contracting firm, the pair accessed the company's hosting servers in Ashburn, VA, and deleted approximately 96 federal government databases serving more than 45 agencies.
### Detection & Response
- **Discovery:** Not stated in the report. Deletion of production databases is normally noticed first as an availability outage by the affected agencies, with attribution established afterwards from server and database logs; that sequence is an inference, not a reported fact.
- **Response Actions:** Federal investigation led by the U.S. Attorney's Office for the Eastern District of Virginia; criminal prosecution, ending in a jury conviction of Sohaib Akhter.
## Attack Methodology
- **Initial Access:** Abuse of legitimate administrative privileges held as an employee.
- **Persistence:** Credentials or access paths that still worked after termination; the report does not say which ones survived offboarding.
- **Privilege Escalation:** None required; the queries ran under administrative rights the subject already held.
- **Defense Evasion:** Not specified in the report.
- **Credential Access:** Extraction of a plaintext password from the EEOC portal database, then sharing it with a co-conspirator (the password-trafficking count).
- **Discovery:** Internal database reconnaissance to locate the complainant's record.
- **Lateral Movement:** Pivot from the contractor's database to a private citizen's email account using the recovered password.
- **Impact:** Deletion of approximately 96 production databases on the Ashburn hosting servers.
## Impact Assessment
- **Financial:** Not quantified in the report; costs include incident response, forensic work and data recovery across more than 45 agencies, plus the prosecution.
- **Data Breach:** Exposure of EEOC complainant data, including at least one plaintext password that was then used against a personal email account.
- **Operational:** Service disruption across more than 45 federal agencies from the loss of 96 databases; the report does not state how long systems were down or how much data was restorable.
- **Reputational:** Severe damage to the contractor's standing with the federal government and to public trust in the EEOC portal's handling of complainant data.
## Indicators of Compromise
- **Behavioral indicators:**
- SQL queries by administrative accounts that read credential columns or tables (here, a plaintext password column in the EEOC portal database) without a business reason.
- Authentication or session activity by accounts belonging to terminated staff, or from their known devices and networks, after the termination date.
- Bulk destructive statements (DROP DATABASE, DROP TABLE, TRUNCATE, DELETE without a WHERE clause) executed in quick succession against production hosts.
## Response Actions
- **Containment:** Revocation of the former employees' access. The fact that the deletions happened after termination shows that at least one access path survived offboarding; the report does not identify it.
- **Eradication:** Rotation of every credential the pair could have known and closure of any remaining remote access to the hosting environment. The report does not describe these steps, so they are listed here as the expected response rather than a confirmed one.
- **Recovery:** Restoration of the 96 databases from backups where backups existed; the report does not state how much data was recoverable.
- **Legal:** Federal jury conviction; Sohaib Akhter faces up to 21 years in prison.
## Lessons Learned
- **Credential Storage:** The portal stored complainants' passwords in plaintext, so a single SELECT turned a database administrator into the owner of a citizen's email account. Passwords must be stored only as salted, slow hashes (Argon2id, scrypt, bcrypt or PBKDF2) so that even full read access to the table yields nothing reusable.
- **Offboarding Processes:** Termination must trigger same-day revocation of every logical access path: directory accounts, VPN, SSH keys, database logins, hosting-provider and cloud consoles (here, the Ashburn servers), and any shared or service credentials the person knew, which must be rotated rather than merely "revoked".
- **The Insider Threat:** Even trusted administrators need monitoring, separation of duties and least privilege. No single account should be able to drop 96 production databases; destructive operations on production should require a second approver or a break-glass workflow that is logged and alerted on.
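As a worked illustration of the credential-storage lesson, the following is an example added to this report; it is not code from the contractor, the EEOC portal or the court record. It stores passwords with PBKDF2-HMAC-SHA256 (chosen because it ships in Python's standard library; Argon2id or scrypt are preferable where a library is available), with a random per-user salt, the cost parameter embedded in the stored value, constant-time verification, and a rehash check for raising the cost later. The users table, email address and passwords are constructed for the example. The point is what an administrator's SELECT on the password column returns afterwards: a value that cannot be typed into anyone's email login.

```python
import base64
import hashlib
import hmac
import os

# Added example for this report, not code from the contractor or the EEOC portal.
# Goal: a password column from which a SELECT by an administrator (the query used
# in this incident) yields nothing that works as a login anywhere.
# PBKDF2-HMAC-SHA256 is used because it ships in the standard library; Argon2id
# or scrypt are preferable where a library for them is available.

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
KEY_BYTES = 32


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_BYTES)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return the record to store: algorithm, cost, per-user random salt, derived key."""
    salt = os.urandom(SALT_BYTES)
    key = _derive(password, salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(key).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, key_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        candidate = _derive(password, salt, int(iterations))
    except (ValueError, TypeError):
        # Malformed record (for example a legacy plaintext value) never verifies.
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record predates the current cost policy and should be upgraded at next login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < ITERATIONS
    except ValueError:
        return True


def login(table: dict, email: str, password: str) -> bool:
    """Authenticate against a users table whose password column holds only hashed records."""
    stored = table.get(email)
    if stored is None:
        # Do equivalent work for unknown accounts so timing does not reveal which emails exist.
        _derive(password, b"\x00" * SALT_BYTES, ITERATIONS)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    # Constructed sample row; the email and password are fictional.
    users = {"complainant@example.org": hash_password("s3cret-reused-everywhere")}
    print("stored column value:", users["complainant@example.org"])   # no plaintext to traffic
    print("correct password accepted:", login(users, "complainant@example.org", "s3cret-reused-everywhere"))
    print("wrong password rejected:", not login(users, "complainant@example.org", "guess"))
```

Had the portal stored records of this shape, the February 1 query would have returned a salt and a derived key rather than a password, and the email account takeover that followed would not have been possible from that data alone.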
## Recommendations
- **Implement MFA:** Require multi-factor authentication for every administrative session to database and hosting infrastructure, preferring phishing-resistant factors (FIDO2/WebAuthn). MFA gates the session, not each query; a stolen password alone should not open an admin session at all.
- **Zero Trust / Identity Lifecycle:** Bind all access, including database logins and hosting-provider consoles, to a central identity provider so that closing the HR record disables every downstream login automatically. Local database accounts and shared passwords sit outside that kill switch and should be eliminated or rotated on every departure.
- **Database Auditing:** Log all DDL and privileged queries and alert in near real time on DROP DATABASE, DROP TABLE, TRUNCATE and unbounded DELETE statements, on bursts of such statements from one account, and on reads of credential columns.
- **Encryption vs. Hashing:** Encrypt sensitive data at rest, but note that encryption at rest would not have stopped this attack: an administrator querying the live database sees decrypted values. Passwords in particular must be hashed with a slow, salted algorithm, never encrypted, because nobody should be able to recover them, including the operator.
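The following is an example added to this report of the detection logic behind the behavioural indicators listed above and the database-auditing recommendation; it is not code from the contractor or from any audit product, and it is not a record of the actual logs in this case. The log format (timestamp, account, client address, statement text) is a constructed simplification of what PostgreSQL or SQL Server audit logging emits, the account names, addresses, database names and the termination date are hypothetical, and the roster of terminated accounts stands in for a feed from HR or the identity provider. It flags three things: reads of credential columns, any activity by an account after its termination instant, and destructive statements, with a separate alert when several of them land inside a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Added example for this report. The log format below is a constructed,
# simplified one (timestamp, account, client address, statement text); real
# engines such as PostgreSQL or SQL Server emit richer records, but the same
# four fields are all the rules need. Accounts, addresses and database names
# are hypothetical.
SAMPLE_LOG = """\
2025-02-01T21:58:10Z user=dba_01 addr=10.20.30.41 stmt="SELECT id, status FROM eeoc_cases WHERE id = 4471"
2025-02-01T22:03:44Z user=dba_01 addr=10.20.30.41 stmt="SELECT email, password FROM eeoc_complainants WHERE id = 4471"
2025-02-01T22:05:02Z user=svc_report addr=10.20.30.9 stmt="SELECT count(*) FROM eeoc_cases"
2025-03-15T02:11:30Z user=dba_01 addr=203.0.113.77 stmt="DROP DATABASE agency_07_prod"
2025-03-15T02:11:31Z user=dba_01 addr=203.0.113.77 stmt="DROP DATABASE agency_12_prod"
2025-03-15T02:11:33Z user=dba_01 addr=203.0.113.77 stmt="DROP DATABASE agency_19_prod"
2025-03-15T02:11:35Z user=dba_01 addr=203.0.113.77 stmt="DELETE FROM audit_events"
"""

# Hypothetical offboarding roster fed from HR: account -> instant its access should have ended.
TERMINATED = {"dba_01": datetime(2025, 3, 1, tzinfo=timezone.utc)}

LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) addr=(?P<addr>\S+) stmt="(?P<stmt>.*)"$')
CREDENTIAL_COLUMNS = re.compile(r"\b(password|passwd|pwd|secret|token)\b", re.IGNORECASE)
DESTRUCTIVE = re.compile(r"^\s*(DROP\s+(DATABASE|SCHEMA|TABLE)|TRUNCATE)\b", re.IGNORECASE)
UNBOUNDED_DELETE = re.compile(r"^\s*DELETE\s+FROM\s+\S+\s*;?\s*$", re.IGNORECASE)  # DELETE with no WHERE

BURST_COUNT = 3       # this many destructive statements by one account ...
BURST_WINDOW_S = 60   # ... within this many seconds raises a mass-deletion alert


def parse_line(line: str):
    """Return a dict with ts (aware datetime), user, addr, stmt; None for unparseable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def analyze(log_text: str, terminated=TERMINATED):
    """Run the three behavioural indicators over a log and return (kind, user, detail) tuples."""
    alerts = []
    destructive_times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, stmt, ts = rec["user"], rec["stmt"], rec["ts"]

        # Indicator 1: a read that touches credential columns (the query type used in this case).
        if stmt.lstrip().upper().startswith("SELECT") and CREDENTIAL_COLUMNS.search(stmt):
            alerts.append(("credential_query", user, stmt))

        # Indicator 2: any statement by an account at or after its termination instant.
        cutoff = terminated.get(user)
        if cutoff is not None and ts >= cutoff:
            alerts.append(("post_termination_activity", user, f"{ts.isoformat()} from {rec['addr']}"))

        # Indicator 3: destructive DDL/DML, each one flagged, plus a burst alert the
        # moment BURST_COUNT of them from one account land inside the window.
        if DESTRUCTIVE.match(stmt) or UNBOUNDED_DELETE.match(stmt):
            alerts.append(("destructive_statement", user, stmt))
            times = destructive_times[user]
            times.append(ts)
            in_window = [t for t in times if (ts - t).total_seconds() <= BURST_WINDOW_S]
            if len(in_window) == BURST_COUNT:   # fires once, when the threshold is first crossed
                alerts.append(("mass_deletion_burst", user,
                               f"{BURST_COUNT} destructive statements within {BURST_WINDOW_S}s"))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in analyze(SAMPLE_LOG):
        print(f"{kind:26} {user:12} {detail}")
```

On the sample, the February query produces one credential_query alert weeks before anything is deleted, which is the point at which an investigation could have started; the March statements each raise post_termination_activity because the account is on the roster, and the third DROP within the window adds the mass_deletion_burst alert that should page someone and, ideally, trigger an automatic session kill.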