Full Report
From the U.S. Department of Justice: Two Virginia men were arrested today for their roles in a conspiracy to destroy government databases hosted by a federal government contractor, among other crimes. According to court documents, brothers Muneeb and Sohaib Akhter, both 34, of Alexandria, Virginia, were indicted on Nov. 13 for conspiring to delete databases...
Analysis Summary
# Incident Report: Insider Conspiracy to Destroy Federal Databases
## Executive Summary
Two former federal contractors, brothers Muneeb and Sohaib Akhter, were arrested for conspiring to destroy government databases hosted by their former employer, a federal contractor. The incident involved unauthorized access, database deletion, data theft (including IRS information), and evidence tampering immediately following their termination. The primary impact was the deletion of approximately 96 government databases containing sensitive information, including FOIA and investigative files.
## Incident Details
- Discovery Date: February 18, [Year implied, based on timeline in article] (detected contemporaneously with the destructive actions during termination meetings).
- Incident Date: February 18, [Year implied, based on timeline in article].
- Affected Organization: Federal Government Contractor (Opexus, implied).
- Sector: Government Contracting / Information Technology Services.
- Geography: Alexandria, Virginia (Location of suspects/employment).
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to February 18, [Year implied].
- **Vector:** Authorized employment access as federal contractors.
- **Details:** Attackers were employees of the federal contractor.
### Actions During Termination (Implied Active Compromise & Impact)
- **Date/Time:** On or about February 18, during a virtual termination meeting with HR.
- **Vector:** Exploitation of existing authorized access via company-issued laptops.
- **Details:**
  * Muneeb Akhter accessed an IRS database and prevented others from modifying it.
  * Muneeb Akhter deleted a GSA database.
  * Muneeb Akhter proceeded to delete 33 other databases while still in the HR meeting.
  * Total deletion reached approximately 96 databases storing U.S. government information (including FOIA and investigative files).
  * Muneeb Akhter asked an AI tool how to clear system logs approximately one minute after deleting a DHS database.
  * Over an hour after being fired, Muneeb used a USB drive to exfiltrate 1,805 files related to a "custom project."
### Post-Termination Activities (Further Unauthorized Access & Data Theft)
- **Date/Time:** Following termination on February 18.
- **Vector:** Unauthorized access post-employment.
- **Details:**
  * Muneeb Akhter accessed U.S. Equal Employment Opportunity Commission (EEOC) information without authorization.
  * Muneeb Akhter stole copies of IRS information from a virtual machine, including PII of at least 450 individuals.
  * The brothers discussed cleaning out their house in anticipation of a law enforcement search.
  * Company laptops were wiped before being returned.
  * Sohaib Akhter was charged with trafficking a password to access a U.S. government computer.
### Detection & Response
- **Discovery:** Actions were discovered contemporaneously by company staff/HR during the virtual termination meeting.
- **Response Actions:** A federal investigation was initiated, leading to indictments on November 13. The response included a forensic investigation by Mandiant.
## Attack Methodology
- **Initial Access:** Valid credentials/access granted via employment.
- **Persistence:** Implied use of backdoors or continued authorized access immediately post-firing. Wiping company laptops suggests an attempt to destroy evidence of persistence mechanisms.
- **Privilege Escalation:** Not explicitly detailed, but implied by the level of access necessary to delete core databases and access EEOC/IRS data.
- **Defense Evasion:** Attempted deletion of system logs (via AI consultation) and wiping company laptops.
- **Credential Access:** Sohaib Akhter allegedly trafficked a password for government computer access.
- **Discovery:** Accessing and identifying high-value databases (IRS, GSA, FOIA records).
- **Lateral Movement:** Movement between various government databases hosted by the contractor.
- **Collection:** Stealing IRS data (450+ records) and 1,805 project files via USB.
- **Exfiltration:** Data transfer via USB drive; unauthorized access to EEOC data.
- **Impact:** Deletion of databases, theft of PII, and destruction of evidence.
## Impact Assessment
- **Financial:** Potential costs associated with data recovery, regulatory fines, and investigation (not quantified in the source).
- **Data Breach:** Loss of sensitive U.S. government information, including Freedom of Information Act (FOIA) records, sensitive investigative files, and PII of at least 450 individuals from the IRS.
- **Operational:** Significant disruption to government data management processes related to the compromised databases.
- **Reputational:** Damage to the federal government contractor (Opexus) and compromised public trust in the security of federal contractor environments.
## Indicators of Compromise
*Note: As this summary derives from an indictment and initial reporting, specific IoCs are limited.*
- **Network Indicators:** Unauthorized connections to, or modification commands issued against, government databases hosted on the contractor’s systems.
- **File Indicators:** Wiped company laptops; 1,805 files related to a “custom project” exfiltrated via USB.
- **Behavioral Indicators:** Immediate and mass deletion of databases concurrent with employee termination; consultation with AI regarding log clearing immediately following data destruction.
## Response Actions
- **Containment:** Termination of employment for the implicated individuals (the termination meeting was also where the ongoing attack was first observed).
- **Eradication:** Investigation conducted by third-party forensic firm (Mandiant); law enforcement investigation utilizing FDIC OIG, DHS OIG, and Homeland Security Investigations.
- **Recovery:** Not detailed, but implied restoration of 96 deleted databases and securing all potentially compromised systems.
## Lessons Learned
- **Insider Threat Program Failure:** The most critical failure was the hiring and retention of individuals, both of whom were previously convicted felons, by a federal contractor managing sensitive government data.
- **Termination Procedures:** Access controls were not adequately revoked *prior* to or concurrent with the termination meeting, allowing destructive actions (deletions, data theft) to occur in real-time.
- **Logging and Monitoring:** Attackers attempted to cover their tracks (AI query on log clearing), suggesting existing access logging/alerting was insufficient or bypassed.
## Recommendations
- Implement immediate, automated revocation of access (a Zero Trust principle) upon initiation of involuntary termination procedures, ensuring system access is severed before the personnel are notified.
- Conduct enhanced, mandatory, and ongoing background vetting—beyond standard requirements—for all personnel (including contractors) handling systems containing federal data, especially concerning candidates with prior felony convictions.
- Enhance audit log monitoring specific to high-privilege actions (e.g., mass database deletion commands, attempts to clear logs) with real-time alerting thresholds.
- Review and mandate immediate control over contractor-issued hardware during off-boarding to prevent exfiltration via removable media (USB).
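The audit-log monitoring recommended above, sketched as an added example (not part of the original report or any vendor product). It correlates three signals the incident timeline describes: destructive database actions after HR has opened an off-boarding case for that account, several such actions by one account inside a short window, and any attempt to purge audit logs. The event tuples, field names, actor ids and dates are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

DESTRUCTIVE = {"drop_database"}       # high-privilege actions worth a real-time alert
LOG_TAMPER = {"purge_audit_log"}      # a single attempt is already an alert

# Constructed sample audit records (not from the incident):
# (timestamp, actor, action, target), time-ordered.
SAMPLE_EVENTS = [
    ("2024-01-05T09:58:00Z", "dba01",     "drop_database",       "db:staging_old"),
    ("2024-01-05T10:00:00Z", "hr-system", "offboarding_started", "user:ctr07"),
    ("2024-01-05T10:04:10Z", "ctr07",     "drop_database",       "db:agency_a"),
    ("2024-01-05T10:04:40Z", "ctr07",     "drop_database",       "db:agency_b"),
    ("2024-01-05T10:05:05Z", "ctr07",     "drop_database",       "db:agency_c"),
    ("2024-01-05T10:06:00Z", "ctr07",     "purge_audit_log",     "host:db-01"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def analyze(events, threshold=3, window=timedelta(minutes=10)):
    """Return a list of (rule, actor, detail) alerts for a time-ordered event stream."""
    alerts = []
    offboarding = {}             # actor -> time HR opened the off-boarding case
    recent = defaultdict(deque)  # actor -> timestamps of recent destructive actions
    fired_mass = set()           # actors already alerted for mass deletion
    for ts, actor, action, target in events:
        t = parse(ts)
        if action == "offboarding_started":
            offboarding[target.removeprefix("user:")] = t
            continue
        if action in LOG_TAMPER:
            alerts.append(("log_tamper", actor, f"{action} on {target} at {ts}"))
        if action in DESTRUCTIVE:
            # Rule 1: destructive action after off-boarding was initiated for this actor
            if actor in offboarding and t >= offboarding[actor]:
                alerts.append(("post_offboarding_drop", actor, target))
            # Rule 2: threshold of destructive actions inside a sliding window
            q = recent[actor]
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()
            if len(q) >= threshold and actor not in fired_mass:
                fired_mass.add(actor)
                alerts.append(("mass_delete", actor, f"{len(q)} drops within {window}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The off-boarding event is the piece that needs an HR-to-SIEM feed; without it, Rule 1 cannot fire and only the volume and log-tamper rules remain.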