Full Report
A 34-year-old Virginia man was found guilty of conspiring to destroy dozens of government databases after getting fired from his job as a federal contractor. [...]
Analysis Summary
# Incident Report: Insider Threat Database Destruction Campaign
## Executive Summary
A former federal contractor, Sohaib Akhter, and his brother Muneeb Akhter were convicted of the unauthorized destruction of approximately 96 federal government databases. The attack was a retaliatory insider-threat incident that began immediately after the brothers were terminated from their positions when their prior felony convictions were discovered. The impact included the permanent loss or disruption of sensitive investigative records across multiple federal agencies.
## Incident Details
- **Discovery Date:** February 18, 2025
- **Incident Date:** February 18, 2025
- **Affected Organization:** Multiple (45+ federal agencies; hosted by a private contracting firm)
- **Sector:** Government / Information Technology
- **Geography:** Ashburn, Virginia, USA
## Timeline of Events
### Initial Access
- **Date/Time:** February 18, 2025 (Immediately following termination meeting)
- **Vector:** Valid Internal Credentials / Remote Access
- **Details:** The subjects accessed the hosting environment during or immediately after an online remote termination meeting, using credentials that had not yet been revoked.
### Lateral Movement
- Use of administrative privileges to move between various hosted database environments belonging to different federal agencies (e.g., DHS, FDIC).
### Data Exfiltration/Impact
- Approximately 96 government databases were wiped.
- Targeted data included sensitive investigative documents and Freedom of Information Act (FOIA) records.
- Databases were write-protected prior to deletion to prevent recovery or intervention by other administrators.
### Detection & Response
- **Detection:** Likely identified by the employer’s IT staff during or immediately after the unauthorized access as databases became unavailable.
- **Response:** Criminal investigation by the DOJ and FDIC-OIG; forensic analysis of laptops; legal prosecution.
## Attack Methodology
- **Initial Access:** Valid accounts (privileged insider access).
- **Persistence:** Not applicable; the attack was a "smash-and-grab" style destruction rather than long-term persistence.
- **Privilege Escalation:** Use of existing administrative/contractor credentials.
- **Defense Evasion:** Attempts to clear system logs; consultation with an AI assistant on log-wiping techniques; wiping company laptops before returning them.
- **Credential Access:** Theft of credentials belonging to other users (as cited by the Inspector General).
- **Discovery:** Knowledge of database architecture obtained during employment.
- **Lateral Movement:** Accessing disparate agency databases within the contractor’s hosted infrastructure.
- **Collection:** N/A (Focus was on destruction).
- **Exfiltration:** Theft of government information was charged; the volume exfiltrated was not disclosed, and the primary impact was data destruction.
- **Impact:** Data destruction (wiping 96 databases) and account lockout (write-protecting databases).
## Impact Assessment
- **Financial:** Not specified, but likely high due to recovery efforts and disruption of 45+ agencies.
- **Data Breach:** Destruction of sensitive investigative records and FOIA documents.
- **Operational:** Severe disruption to multiple federal agencies' data availability and investigative capabilities.
- **Reputational:** High; highlights significant gaps in the vetting process for sensitive government contractors.
## Indicators of Compromise
- **Network indicators:** Rapid series of unauthorized logins from terminated contractor accounts to production database servers.
- **File indicators:** Massive deletion of database files; modifications to database permissions (write-protecting).
- **Behavioral indicators:** Inquiries to AI assistants regarding the clearing of system logs; physical "cleaning" of residence to hide evidence.
## Response Actions
- **Containment:** Revocation of access credentials (delayed).
- **Eradication:** Forensic imaging of returned company laptops.
- **Recovery:** Restoration of databases from backups (where available).
## Lessons Learned
- **Offboarding Procedures:** Access should be terminated *prior* to or *simultaneously* with the notification of firing, especially for high-risk individuals or those with administrative privileges.
- **Vetting Failures:** The subjects were able to obtain federal contract positions despite prior felony convictions for hacking the State Department.
- **Privileged Access Management (PAM):** Lack of "just-in-time" access or sufficient monitoring allowed for the rapid deletion of nearly 100 databases without immediate intervention.
## Recommendations
- **Automated Offboarding:** Implement automated workflows that disable VPN, SSO, and database access the moment HR triggers a termination.
- **Enhanced Background Screening:** Strengthen the "continuous evaluation" aspect of personnel security to identify prior criminal records of contractors.
- **Immutable Backups:** Ensure the use of write-once-read-many (WORM) storage for critical government databases to prevent even administrators from permanently deleting data.
- **AI Monitoring:** Monitor organization-owned AI tools for queries related to "clearing logs" or "evading forensics."
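The network and file indicators above (logins from terminated accounts, mass deletion and write-protection of databases) and the automated-offboarding recommendation both reduce to the same correlation: join the HR termination feed against authentication, access-grant and database-audit data. The following is an added example written for this page, not code from the report, the prosecution or the affected contractor; the three event feeds, the CSV field layout, the account and database names, and the `DROP`/`ALTER_READONLY` action labels are all constructed for illustration.

```python
"""Detection logic for the offboarding failure mode described in the report.

Three constructed feeds are correlated:
  * HR termination events      (who was let go, and when)
  * authentication events      (who logged in where, and when)
  * database audit events      (who did what to which database)
plus a snapshot of access grants. The functions report:
  1. logins by an account after its termination was triggered
  2. access grants still held by a terminated account (the revocation gap)
  3. accounts that hit many distinct databases with destructive actions
     inside a short window (the "96 databases wiped" pattern)
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data; none of these values come from the incident.
HR_EVENTS = [
    "2025-02-18T10:00:00Z,terminate,contractor_a",
    "2025-02-18T10:00:00Z,terminate,contractor_b",
]
AUTH_EVENTS = [
    "2025-02-18T09:15:00Z,login,contractor_a,vpn-gw-1",   # pre-termination: expected
    "2025-02-18T10:04:00Z,login,contractor_a,db-host-3",  # post-termination: must not happen
    "2025-02-18T10:05:30Z,login,contractor_b,db-host-7",  # post-termination: must not happen
    "2025-02-18T10:06:00Z,login,dba_oncall,db-host-3",    # legitimate responder
]
ACTIVE_GRANTS = [  # snapshot of grants still active after the HR event fired
    "contractor_a,vpn", "contractor_a,sso", "contractor_a,db-admin",
    "dba_oncall,db-admin",
]
DB_AUDIT_EVENTS = [
    "2025-02-18T10:05:00Z,contractor_a,agency_x_cases,ALTER_READONLY",
    "2025-02-18T10:05:10Z,contractor_a,agency_x_cases,DROP",
    "2025-02-18T10:05:20Z,contractor_a,agency_y_foia,ALTER_READONLY",
    "2025-02-18T10:05:30Z,contractor_a,agency_y_foia,DROP",
    "2025-02-18T10:05:40Z,contractor_a,agency_z_audit,DROP",
    "2025-02-18T10:06:00Z,dba_oncall,agency_x_cases,RESTORE",
]

# Audit actions that destroy data or lock other administrators out.
DESTRUCTIVE_ACTIONS = {"DROP", "TRUNCATE", "ALTER_READONLY"}


def parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def terminations(hr_lines: list[str]) -> dict[str, datetime]:
    """Map each terminated account to the earliest time HR triggered it."""
    out: dict[str, datetime] = {}
    for line in hr_lines:
        ts, action, user = line.split(",")
        if action == "terminate":
            when = parse_ts(ts)
            out[user] = min(when, out.get(user, when))
    return out


def logins_after_termination(hr_lines: list[str], auth_lines: list[str]) -> list[tuple[str, str, str]]:
    """Every (user, timestamp, host) login that occurred at or after the user's termination."""
    term = terminations(hr_lines)
    hits = []
    for line in auth_lines:
        ts, action, user, host = line.split(",")
        if action == "login" and user in term and parse_ts(ts) >= term[user]:
            hits.append((user, ts, host))
    return hits


def revocation_gaps(hr_lines: list[str], grant_lines: list[str]) -> list[tuple[str, str]]:
    """Grants still held by terminated accounts; an automated offboarding job should empty this."""
    term = terminations(hr_lines)
    grants = (tuple(line.split(",")) for line in grant_lines)
    return sorted((user, grant) for user, grant in grants if user in term)


def mass_destruction(audit_lines: list[str], threshold: int = 3,
                     window: timedelta = timedelta(minutes=5)) -> dict[str, list[str]]:
    """Accounts touching >= threshold distinct databases destructively within one window."""
    per_user: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for line in audit_lines:
        ts, user, db, action = line.split(",")
        if action in DESTRUCTIVE_ACTIONS:
            per_user[user].append((parse_ts(ts), db))
    flagged: dict[str, list[str]] = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over sorted events
            dbs = {db for t, db in events[i:] if t - start <= window}
            if len(dbs) >= threshold:
                flagged[user] = sorted(dbs)
                break
    return flagged


if __name__ == "__main__":
    print("logins after termination:", logins_after_termination(HR_EVENTS, AUTH_EVENTS))
    print("revocation gaps:", revocation_gaps(HR_EVENTS, ACTIVE_GRANTS))
    print("mass destruction:", mass_destruction(DB_AUDIT_EVENTS))
```

The first two checks are the control the report calls for: if the HR event is the trigger, any login or surviving grant for that account afterwards is a failure of the offboarding workflow, not merely a suspicious event. The third check does not depend on HR data at all; a threshold on distinct databases hit with `DROP` or write-protection changes in a few minutes would have fired for a legitimate administrator as well, which is the point of pairing it with just-in-time privileged access so that a single session cannot quietly reach 96 databases.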