Full Report

Muneeb and Sohaib Akhter previously pleaded guilty to hacking into the State Department and other cybercrimes in 2015. (Source: CyberScoop, "Twins with hacking history charged in insider data breach affecting multiple federal agencies".)

Analysis Summary
# Incident Report: Insider Sabotage Against Federal Agencies via Contractor Influence
## Executive Summary
Two former employees of a government contractor, Muneeb Akhter and Sohaib Akhter, were charged following a conspiracy to harm government agencies after their termination. The attack involved unauthorized access to data hosted by the contractor, leading to the deletion of databases, theft of information, and destruction of evidence targeting multiple federal clients, including the EEOC, DHS, and IRS. The incident spanned approximately one week in February 2025, resulting in criminal charges related to computer fraud, destruction of records, and theft of government property.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the criminal activity period suggests detection occurred shortly after February 25, 2025.
- **Incident Date:** The conspiracy and core malicious activity occurred between at least February 18, 2025, and at least February 25, 2025.
- **Affected Organization:** Company-1 (Government Contractor) and its clients: U.S. Equal Employment Opportunity Commission (EEOC), Department of Homeland Security (DHS), and Internal Revenue Service (IRS).
- **Sector:** Government Services / Information Technology Supporting Federal Agencies.
- **Geography:** Eastern District of Virginia (where the indictment was filed and the defendants resided/worked).
## Timeline of Events
### Initial Access
- **Date/Time:** Began no later than February 18, 2025 (the date of their termination from Company-1).
- **Vector:** Exploitation of pre-existing authorized access credentials maintained after termination, or unauthorized re-entry following termination.
- **Details:** Both defendants were terminated from "Company-1" on February 18, 2025. They immediately sought to retaliate against the company and its federal clients.
### Lateral Movement
- **Details:** Not fully detailed, but the actions focused on accessing and manipulating data stored on Company-1’s servers hosting client data (targeting EEOC, DHS, IRS systems).
### Data Exfiltration/Impact
- **Date/Time:** Continuing through at least February 25, 2025.
- **Details:** Defendants conspired to delete databases, steal information, and destroy evidence of their unlawful activities. This activity caused damage impacting computers used by the U.S. Government in furtherance of national defense, national security, and administration of justice.
### Detection & Response
- **How it was discovered:** Implied detection occurred shortly after February 25, 2025, leading to the filing of the criminal indictment on November 13, 2025.
- **Response actions taken:** Federal authorities (U.S. Attorney's Office) filed an indictment alleging multiple federal crimes and served forfeiture notices covering the defendants' electronic devices.
## Attack Methodology (Inferred from Charges)
- **Initial Access:** Unauthorized access to protected computers following termination from their role at the contractor (Company-1).
- **Persistence:** Not explicitly detailed, but implied they maintained access during the one-week window of activity.
- **Privilege Escalation:** Not separately described; the charges allege damage aggregating losses exceeding $5,000 across multiple protected computers, which points to the defendants using the access levels they had held as contractors rather than to any new escalation.
- **Defense Evasion:** Destroying evidence of their unlawful activities.
- **Credential Access:** Not specified.
- **Discovery:** Not specified, but they knew which databases to target.
- **Lateral Movement:** Moving between systems hosted by Company-1 that stored data for federal agencies (EEOC, DHS, IRS).
- **Collection:** Stealing information.
- **Exfiltration:** Stealing information.
- **Impact:** Intentional damage to protected computers, deleting databases, and destroying government records.
## Impact Assessment
- **Financial:** Potential loss aggregating at least $5,000 across multiple protected computers used for federal operations (Count 1). Forfeiture notices were subsequently served against the defendants' electronic devices.
- **Data Breach:** Theft of government information and intent to destroy/falsify federal records. Specific data volume unknown.
- **Operational:** Disruption to systems utilized by EEOC, DHS, and IRS, specifically concerning data hosted on Company-1’s servers.
- **Reputational:** Damage to the reputation of Company-1 and the involved U.S. federal agencies due to the insider attack.
## Indicators of Compromise
*Note: Given this is an indictment summary from open court filings, specific IOCs are not provided in a standard threat intelligence format. Forfeiture lists target physical devices.*
- **Network indicators:** N/A (Specific IPs/URLs not provided).
- **File indicators:** Evidence suggesting the intentional deletion/modification of databases and records.
- **Behavioral indicators:** Coordinated actions between two co-conspirators following termination to cause system damage.
## Response Actions
- **Containment:** Implied immediate termination of access for Muneeb and Sohaib Akhter on February 18, 2025, although the subsequent criminal activity suggests a lag or breach of those controls.
- **Eradication steps:** Not detailed, but the subsequent legal action (indictment) serves as a formal response.
- **Recovery actions:** Not detailed, but would involve database restoration and integrity checks across compromised systems.
**Forfeiture Actions Taken (Targeting evidence):**
- MSI laptop (S/N FN08N830910908V14)
- Apple iPhone XR (S/N FI7YFAC9KXKN, F2LY8B02KXKP)
- Google Android phone (IMEI 355984760425344)
- Samsung cell phone (IMEI 358533130160565)
- Apple iPhone 15 Pro Max (S/N FLYVONOVYl)
- MSI laptop (S/N K2102N0020599)
## Lessons Learned
- **Insider Threat Lifecycle:** The incident highlights the critical risks associated with the termination phase of an employee/contractor, where deep system knowledge is combined with potential malice.
- **Tool Use in Malice:** The attackers used an Artificial Intelligence (AI) tool to generate database commands they did not know how to write themselves, showing that attackers now draw on readily available external tools to extend their destructive capabilities.
## Recommendations
- **Immediate Offboarding Procedures:** Implement extremely rapid and verifiable revocation of *all* system access, including VPNs, contractor portals, and cloud environments, concurrent with the actual termination notification for high-privilege users.
- **Data Integrity Monitoring:** Enhance monitoring around database administration activities, mass deletions, and write-protection commands, especially originating from accounts recently terminated or showing anomalous access patterns post-termination.
- **AI Tool Monitoring:** Where feasible, correlate spikes in administrative activity with unusual use of external tools or research patterns; direct blocking is likely impractical, so concentrate on monitoring the *output*, i.e. the destructive commands actually executed.
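The offboarding and data-integrity recommendations above come down to one correlation: destructive database statements joined against the HR record of who has been terminated. The following Python script is an added example, not code from the CyberScoop article, the indictment, Company-1 or any of the agencies named. It assumes a simple four-field audit log format (`<utc-timestamp> <account> <client> <sql>`) and an HR termination export; the log lines, account names, client labels and dates are all constructed for the example. It flags wholesale deletions, truncations and disabled triggers, and raises the severity when the executing account's termination date is on or before the day of the statement.

```python
"""Added example: correlate a database audit log with an offboarding list.

Not from the CyberScoop article or the indictment. The log format
("<utc-timestamp> <account> <client> <sql>"), account names, client labels,
dates and the HR feed are all constructed for this example.
"""
import re
from collections import Counter
from datetime import date, datetime

# Constructed offboarding feed (assumed HR export): account -> termination date.
TERMINATED = {
    "m.contractor": date(2025, 2, 18),
    "s.contractor": date(2025, 2, 18),
}

# Constructed audit log lines. dba.oncall stands for a current, authorised DBA.
AUDIT_LOG = """\
2025-02-17T09:12:01Z m.contractor ClientA SELECT count(*) FROM cases
2025-02-19T02:41:10Z m.contractor ClientA DROP DATABASE client_archive
2025-02-19T02:43:55Z s.contractor ClientB DELETE FROM audit_trail
2025-02-19T03:01:02Z dba.oncall ClientB DELETE FROM sessions WHERE expired = 1
2025-02-20T11:00:00Z dba.oncall ClientC TRUNCATE TABLE tmp_import
2025-02-25T23:59:00Z s.contractor ClientC ALTER TABLE returns DISABLE TRIGGER ALL
"""

# Statement shapes that remove data wholesale or strip integrity controls.
# An "unbounded" DELETE is one with no WHERE clause at all.
DESTRUCTIVE_PATTERNS = [
    ("drop", re.compile(r"^\s*DROP\s+(DATABASE|SCHEMA|TABLE)\b", re.I)),
    ("truncate", re.compile(r"^\s*TRUNCATE\b", re.I)),
    ("unbounded_delete", re.compile(r"^\s*DELETE\s+FROM\s+\S+\s*;?\s*$", re.I)),
    ("disable_protection", re.compile(r"^\s*ALTER\s+TABLE\s+\S+\s+DISABLE\s+TRIGGER\b", re.I)),
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def parse_line(line):
    """Split one audit line into fields; returns None for malformed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "account": m.group(2), "client": m.group(3),
            "sql": m.group(4).strip()}


def classify(sql):
    """Return the name of the destructive pattern a statement matches, or None."""
    for name, pattern in DESTRUCTIVE_PATTERNS:
        if pattern.search(sql):
            return name
    return None


def find_alerts(log_text, terminated):
    """Return one alert per destructive statement found in the log.

    Severity is 'high' when the executing account was terminated on or before
    the day of the statement (post-termination activity), otherwise 'medium'
    (a destructive action by an account in good standing, which still merits
    a change-ticket check).
    """
    alerts = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None:
            continue
        kind = classify(event["sql"])
        if kind is None:
            continue
        term_date = terminated.get(event["account"])
        post_termination = term_date is not None and event["ts"].date() >= term_date
        alerts.append({
            "ts": event["ts"].isoformat(),
            "account": event["account"],
            "client": event["client"],
            "kind": kind,
            "severity": "high" if post_termination else "medium",
            "sql": event["sql"],
        })
    return alerts


def post_termination_counts(alerts):
    """Count high-severity alerts per account, surfacing the offboarding gap."""
    return Counter(a["account"] for a in alerts if a["severity"] == "high")


if __name__ == "__main__":
    found = find_alerts(AUDIT_LOG, TERMINATED)
    for a in found:
        print(f'{a["severity"]:6} {a["ts"]} {a["account"]:14} {a["client"]:8} '
              f'{a["kind"]:18} {a["sql"]}')
    print("post-termination destructive actions:", dict(post_termination_counts(found)))
```

On the constructed log the script raises four alerts: the DROP, the unbounded DELETE and the disabled trigger run by the two terminated accounts are high, while the on-call DBA's TRUNCATE is medium and the bounded DELETE is not flagged at all. In a real deployment the HR feed would be the authoritative termination record and the audit lines would come from the database's own statement log; the point is that the join against termination dates, not the statement pattern alone, is what turns routine DBA noise into an insider-threat signal.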