Full Report
And then they asked an AI to help cover their tracks

Vetting staff who handle sensitive government systems is wise, and so is cutting off their access the moment they're fired. Prosecutors say a federal contractor learned this the hard way when twin brothers previously convicted of hacking-related offenses allegedly used lingering access to delete nearly 100 government databases, including systems tied to Homeland Security and other agencies, within minutes of being terminated.…
Analysis Summary
# Incident Report: Federal Contractor Database Deletion by Terminated Employees
## Executive Summary
Twin brothers Muneeb and Sohaib Akhter, previously convicted of hacking-related offenses and employed by federal contractor "Company 1" (implied to be Opexus), used network access that remained active immediately after their termination to delete 96 US government databases. Prosecutors allege the brothers used an AI tool to obtain the commands needed to delete the databases and to cover their tracks by attempting to clear system logs. The incident severely impacted government systems, including those tied to Homeland Security.
## Incident Details
- **Discovery Date:** Shortly after termination (February 18; the exact time is not disclosed and was established later from logs).
- **Incident Date:** February 18 (~16:50 UTC, inferred from the termination time).
- **Affected Organization:** Federal Contractor ("Company 1," implied Opexus) and US Government agencies.
- **Sector:** Government/Federal Contractor Services.
- **Geography:** Alexandria, Virginia (based on defendants' residence).
## Timeline of Events
### Initial Access
- **Date/Time:** ~16:50 UTC (February 18).
- **Vector:** Lingering network access credentials/session following employee termination.
- **Details:** The twin brothers, Muneeb and Sohaib Akhter, were fired around 16:50. Sohaib's access (VPN, Windows account) was immediately deactivated, but Muneeb's connection to the company network remained active.
### Lateral Movement
- **Date/Time:** ~16:56 UTC (February 18).
- **Vector:** Use of active network session.
- **Details:** Muneeb allegedly accessed a government agency database. The article does not detail lateral movement across multiple systems but describes movement *into* the target database.
### Data Exfiltration/Impact
- **Date/Time:** Starting ~16:56 UTC (February 18).
- **Vector:** Direct database deletion commands.
- **Details:** Muneeb allegedly issued commands to prevent other users from connecting/modifying a database, and then deleted it. In total, 96 databases storing US government information, including Homeland Security records and FOIA-related files, were deleted. The brothers also attempted to steal information and destroy evidence.
### Detection & Response
- **Date/Time:** Post-incident (Indictment filed November 13).
- **Vector:** Internal investigation leading to federal indictment.
- **Details:** The defendants were charged with a range of crimes including computer fraud and destroying records. Response actions by the government/company focused on legal accountability and containment of the damage, with the company stating it has taken "meaningful steps to strengthen the security."
## Attack Methodology
- **Initial Access:** Exploiting residual network access after termination, made possible by a failure to revoke every credential and active session immediately.
- **Persistence:** Maintaining an active session on the network after termination.
- **Privilege Escalation:** Not explicitly detailed; assumed to be leveraging existing contractor roles/credentials to access sensitive government databases.
- **Defense Evasion:** Using an AI tool to obtain commands from prompts such as "how do i clear system logs from SQL servers after deleting databases" and "how do you clear all event and application logs from Microsoft windows server 2012."
- **Credential Access:** Not the primary vector, as access was based on lingering active sessions. (Note: In their 2015 crimes, they were involved in PII/credit card theft.)
- **Discovery:** Inferred, as they knew which databases to target.
- **Lateral Movement:** Executing commands within the target database environment.
- **Collection:** Implied theft of information alongside destruction.
- **Exfiltration:** Not explicitly stated, beyond stealing information.
- **Impact:** Destructive action resulting in the deletion of 96 databases.
## Impact Assessment
- **Financial:** Not quantified in the report, but the cost of recovery and contractual penalties would be significant.
- **Data Breach:** Loss/destruction of 96 government databases, including sensitive investigative files and Freedom of Information Act (FOIA) records linked to multiple federal departments, including DHS.
- **Operational:** Severe disruption to government functions relying on these archived or operational databases.
- **Reputational:** Significant reputational damage for Company 1 (the contractor) and the affected government agencies due to vetting failures and the scale of the breach.
## Indicators of Compromise
- **Network indicators:** None published; the observable activity was database deletion commands issued from the still-active session of a terminated user.
- **File indicators:** None explicitly listed.
- **Behavioral indicators:** Immediate, unauthorized access to critical government databases within minutes of termination; subsequent utilization of AI tools for log clearing commands.
## Response Actions
- **Containment measures:** Deactivation of Sohaib's access (which succeeded); Muneeb's access was presumably ended after the deletion activity was detected, or when his session timed out or was forcibly closed.
- **Eradication steps:** Focused on data recovery and forensic analysis of commands used (including AI queries).
- **Recovery actions:** The company committed to supporting customers and taking steps to strengthen security, implying data restoration efforts were underway.
## Lessons Learned
- **Critical Failure in Off-boarding:** The primary failure was the delay/inability to immediately sever all active network sessions and revoke access credentials/VPNs for terminated employees, especially those with elevated privileges.
- **Insider Threat Risk:** The incident highlights the significant risk posed by disgruntled, previously convicted insiders immediately post-termination.
- **AI as an Attack Enabler:** Attackers are actively using AI tools to automate and refine complex malicious actions (like log clearing) when they lack specific technical knowledge.
## Recommendations
- **Immediate Session Termination:** Implement automated procedures to instantly invalidate all tokens, sessions, and VPN access for any user flagged for termination, regardless of the reason for departure.
- **Enhanced Pre-termination Vetting:** Thoroughly review the network access profile (accounts, active sessions, VPN paths) of every employee being terminated or recently fired, especially where the dismissal relates to misconduct or security concerns.
- **AI Misuse Monitoring:** Develop detection signatures for common attack commands generated by publicly available AI models, especially when paired with subsequent malicious activity against critical systems.
- **Improve Auditing:** Ensure sufficient, immutable logging is in place for critical databases, ideally logging application-layer activity separate from server OS logs that attackers attempt to clear.
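The following Python script is an added example, not code from the article, the contractor, or any real monitoring product. It shows the two correlations the recommendations above call for: flagging any database statement issued by an account after its HR termination timestamp, and flagging a destructive database statement that is followed on the same host by a Windows "log cleared" event within a short window. The HR feed, account names, host names, database names and log lines are all constructed; the `key=value` audit-line format is an assumption. Event IDs 1102 (Security log cleared) and 104 (System log cleared) are the real Windows event IDs for those actions; the `SET SINGLE_USER` statement is used as an illustrative "lock other users out before dropping" command, not as the command the article describes.

```python
"""Correlate an HR termination feed with database audit lines and Windows
event lines to surface post-termination database activity and
"destroy, then clear the logs" sequences.

All data below is constructed for this example."""
import re
from datetime import datetime, timedelta, timezone

# Constructed HR feed: account -> moment at which all access should have been revoked.
TERMINATIONS = {
    "m.user": datetime(2025, 2, 18, 16, 50, tzinfo=timezone.utc),
}

# Constructed SQL Server audit lines (key=value layout is an assumption).
SQL_AUDIT = [
    '2025-02-18T15:30:00Z user=j.doe host=db01 stmt="DROP DATABASE staging_tmp"',
    '2025-02-18T16:56:10Z user=m.user host=db01 stmt="ALTER DATABASE agency_foia SET SINGLE_USER WITH ROLLBACK IMMEDIATE"',
    '2025-02-18T16:56:14Z user=m.user host=db01 stmt="DROP DATABASE agency_foia"',
    '2025-02-18T16:57:02Z user=m.user host=db01 stmt="DROP DATABASE agency_cases"',
]

# Constructed Windows event lines. 1102 = Security log cleared, 104 = System log
# cleared (real event IDs); 4624 is an ordinary logon and must not alert.
WIN_EVENTS = [
    '2025-02-18T17:02:30Z host=db01 event_id=1102 user=m.user',
    '2025-02-18T09:00:00Z host=app07 event_id=4624 user=svc_backup',
]

# Statements treated as destructive: dropping a database, or locking everyone
# else out of it (a common precursor to a drop).
DESTRUCTIVE = re.compile(
    r"^\s*(DROP\s+DATABASE|ALTER\s+DATABASE\s+\S+\s+SET\s+SINGLE_USER)", re.I)
LOG_CLEAR_EVENT_IDS = {1102, 104}
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Split '<iso-timestamp> k=v k="quoted v" ...' into a dict with a tz-aware 'ts'."""
    ts_str, _, rest = line.partition(" ")
    fields = {"ts": datetime.fromisoformat(ts_str.replace("Z", "+00:00"))}
    for m in KV.finditer(rest):
        # group(3) is the unquoted content of a quoted value; group(2) the bare token.
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def post_termination_activity(terminations, sql_lines):
    """Return (user, ts, stmt) for every statement an account issued at or after
    its termination time. Any hit means revocation was not immediate."""
    alerts = []
    for ev in map(parse_line, sql_lines):
        cutoff = terminations.get(ev.get("user"))
        if cutoff is not None and ev["ts"] >= cutoff:
            alerts.append((ev["user"], ev["ts"], ev["stmt"]))
    return alerts


def destruction_then_log_clear(sql_lines, win_lines, window=timedelta(minutes=30)):
    """Return one (host, first_destructive_ts, clear_ts, n_destructive) tuple per
    log-clear event that was preceded on the same host, within `window`, by
    at least one destructive statement."""
    drops = sorted((ev for ev in map(parse_line, sql_lines)
                    if DESTRUCTIVE.match(ev.get("stmt", ""))), key=lambda e: e["ts"])
    clears = [ev for ev in map(parse_line, win_lines)
              if int(ev["event_id"]) in LOG_CLEAR_EVENT_IDS]
    alerts = []
    for c in clears:
        preceding = [d for d in drops
                     if d["host"] == c["host"] and timedelta(0) <= c["ts"] - d["ts"] <= window]
        if preceding:
            alerts.append((c["host"], preceding[0]["ts"], c["ts"], len(preceding)))
    return alerts


if __name__ == "__main__":
    for user, ts, stmt in post_termination_activity(TERMINATIONS, SQL_AUDIT):
        print(f"POST-TERMINATION ACTIVITY {ts.isoformat()} {user}: {stmt}")
    for host, first, cleared, n in destruction_then_log_clear(SQL_AUDIT, WIN_EVENTS):
        print(f"DESTROY-THEN-CLEAR on {host}: {n} destructive statements from "
              f"{first.isoformat()}, log cleared at {cleared.isoformat()}")
```

The first check only needs the HR feed and the database audit trail, which is why the audit trail must be written somewhere the database administrator's own account cannot erase; the second check is what turns a cleared Windows event log from a gap in evidence into an alert in its own right. Running the script on the constructed data reports three post-termination statements by `m.user` (the earlier `DROP` by `j.doe` is untouched, since that account was never terminated) and one destroy-then-clear sequence on `db01` covering all three of `m.user`'s statements; `j.doe`'s drop falls outside the 30-minute window.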