Hack of Contractor Was at Root of Massive Federal Data Breach

A software company that handles sensitive data for nearly every US federal agency was the victim of a cyber breach earlier this year due to a major lapse in security measures, according to documents reviewed by Bloomberg News.

Opexus, which is owned by the private equity firm Thoma Bravo and provides software services for processing US government records, was compromised in February by two employees who'd previously been convicted of hacking into the US State Department. The findings were detailed in separate reports by Opexus and an independent cybersecurity firm, which characterized the incident as an insider threat attack.

The investigations found that the employees, twin brothers Muneeb and Suhaib Akhter, improperly accessed sensitive documents and compromised or deleted dozens of databases, including those that contained data from the Internal Revenue Service and the General Services Administration. The brothers have since been terminated.

The incident, which hasn't been previously reported, is now being probed by the Federal Bureau of Investigation and other federal law enforcement agencies, according to five people familiar with the matter who requested anonymity because they were not authorized to discuss the case. Muneeb and Suhaib Akhter denied any wrongdoing in separate interviews with Bloomberg News.

The damage attributed to the brothers includes the destruction of more than 30 databases and the removal of more than 1,800 files related to one government project, according to the cybersecurity firm's report. Opexus's own investigation found that the brothers' conduct led to an outage of two key software systems used by government agencies to process and manage their records and, in some cases, a permanent loss of data.

Opexus declined to comment for this story.

The federal government processes an avalanche of electronic records every year. Opexus, which is based in Washington, is one of the largest providers of digital tools to manage the deluge. The company says it serves over 100,000 government users and 200 public institutions in the US and Canada and helps them to modernize government processes and workflows. In January, Opexus merged with Casepoint, a software company that also offers tools for corporations and government agencies to process records, including those in litigation, compliance and investigative settings.

Over the past decade, Opexus, which was previously known as AINS, has been awarded more than $50 million in contracts from dozens of federal agencies to handle an assortment of government records, including sensitive court documents and inspectors general investigations and audits. It specializes in helping agencies process records under the Freedom of Information Act.

The Akhter brothers

Between 2023 and 2024, Opexus hired Suhaib and Muneeb Akhter as engineers. The brothers, who grew up in Springfield, Virginia, had developed reputations as computer prodigies, according to a 2014 Washington Post story. They graduated from George Mason University in 2011, when they were 19, earning degrees in electrical engineering. They later received master's degrees in computer engineering and received a grant from the Defense Advanced Research Projects Agency, or DARPA, to conduct cybersecurity research.

When they arrived at Opexus, they were also skilled hackers. In 2015, they pleaded guilty to federal wire fraud and hacking charges in the Eastern District of Virginia. Prosecutors said that a year earlier, while Muneeb had been working as a contractor for the Department of Homeland Security, he hacked into a cosmetics company's website and stole thousands of customers' credit card numbers. He and his brother used them to purchase airline tickets and book hotel reservations, and he also resold the stolen information on the dark web, the Justice Department said.

At the same time, Suhaib worked as an information technology support contractor for the State Department's Bureau of Consular Affairs. While there, as described in a plea agreement with the Justice Department, he accessed sensitive computer systems and removed passport and visa information belonging to his friends, his former employer and even a federal law enforcement agent who was investigating his conduct. He and his brother also devised a plan to install a device at the State Department that would have provided them with unauthorized remote access to the agency's computer systems. Their goal was to create and sell fake passports and visas, prosecutors said in court documents.

Muneeb was sentenced to three years in prison, while Suhaib received a two-year sentence.

After getting out of prison, the brothers went back to work as developers and engineers in various capacities, according to their public work histories. Muneeb, who goes by Mickey, worked for a major bank and a defense contractor. Suhaib worked as a technical writer for a small telecom company in Virginia.

Eventually they got hired by Opexus as engineers, roles that gave them access to a wide range of data and documents uploaded to the company's servers. Part of their jobs entailed working on electronic case management for various agencies, including the Internal Revenue Service, the Department of Energy, the Defense Department and the Department of Homeland Security's Office of Inspector General.

As part of their work, they had access to two software systems: eCASE, which manages audits of government agencies and investigations into waste, fraud and abuse, and FOIAXpress, which processes and tracks public records requests, including the redacting of material protected from disclosure under federal law.

Opexus declined to comment on whether it conducted a background check on the brothers before hiring them. It's standard for contractors who work with sensitive government data to undergo a heightened vetting process. Opexus says on its website that its platforms are certified through the GSA's Federal Risk and Authorization Management Program, which verifies that contractors have met specific security requirements so that their cloud services are secure and reliable for government use.

In an interview with Bloomberg, Suhaib Akhter said he was hired by Opexus on a contingency basis, with the understanding that certain security clearances he needed would come through. The clearances never materialized, he said, so Opexus wound up moving him frequently from task to task.

"We did good work at Opexus," he said.

"I don't recall any of this stuff," Muneeb Akhter said. "Anything I did was for work purposes. I don't know how this can be linked to me."

A past resurrected

Details of the brothers' past surfaced when Suhaib Akhter was asked to work with the Office of Inspector General at the Federal Deposit Insurance Corporation, according to five people familiar with the matter. The agency, which insures bank deposits, uses Opexus's eCASE software to manage its audits and investigations.

Because the role would have entailed giving him unfettered access to sensitive bank and financial data, the agency required that he undergo a background check for a type of security clearance. FDIC officials learned of their criminal records and flagged the brothers as insider threats to Opexus's chief information security officer. The FDIC declined to comment.

On Feb. 18, about a year into their Opexus tenure, the brothers were summoned into a virtual meeting with the company's human resources officials and terminated. But that was only the beginning.

During their meeting with human resources, Muneeb Akhter still had access to data stored on Opexus servers. He accessed an IRS database from his company-issued laptop and blocked others from connecting to it, according to the independent report, which was prepared by Mandiant, a cybersecurity firm owned by Google that was hired to investigate the breach. He also accessed a GSA database and deleted it, the report says.

While still on the virtual meeting with HR, he proceeded to delete 33 other databases, including one that contained documents that held FOIA requests submitted to numerous government agencies, according to the cybersecurity report. A copy of Mandiant's report was reviewed by Bloomberg News.

More than an hour after being fired, Muneeb Akhter inserted a USB drive into his laptop and removed 1,805 files of data related to a custom project for a government agency, the cybersecurity report said. It's unknown what the project entailed or what the files contained. Then his brother sent an email to dozens of federal government employees who worked with Opexus.

"Hi all, I must apologize for the abrupt message, but I have urgent news," Suhaib Akhter wrote in a Feb. 18 email, a copy of which was reviewed by Bloomberg News. "Opexus/CasePoint hires uncleared personnel to work with your data. I was one of these uncleared personnel. The databases are insecure, using the same username and password to be accessed by all. They fired me because some of you determined I was unfit to deal with your data, but I'm telling you there are a lot more people in that organization like me. Please heed this message."

Dueling investigations

The ease with which the Akhters were able to access Opexus data systems during their termination meeting triggered intense investigation, inside the company and out.

In late February, Opexus emailed government workers who'd been reaching out about outages of the eCASE and FOIAXpress platforms. The company said they were caused by database deletions carried out by two disgruntled employees, according to a copy of the email reviewed by Bloomberg News.

The company also prepared a root cause analysis report, which was reviewed by Bloomberg News. It said that the Akhters retained administrative access to Opexus systems during the offboarding process.

On Feb. 24, Mandiant was retained by the law firm Kirkland & Ellis, which advised Thoma Bravo on the Opexus-Casepoint merger, to conduct an independent investigation into the Akhters' actions.

Mandiant's investigation didn't turn up evidence of malicious activities by the Akhters beyond this incident. It did highlight significant failures in Opexus's cybersecurity practices. It also said that the brothers' conduct could be classified as a violation of the Computer Fraud and Abuse Act.

The report noted that the tactics used by the Akhters to attack Opexus networks were indicative of advanced persistent insider threat tactics, which are typically associated with nation-state actors, suggesting that Opexus's vulnerabilities could have broader implications for national security.

It also took issue with how Opexus characterized the incident to its customers at various agencies. In one email, Opexus wrote that there is no evidence that the former insiders exfiltrated sensitive customer information or performed any other harmful actions within the Opexus network.

In its report, Mandiant said that its own investigation discovered Muneeb Akhter's user account had copied 1,805 files onto a USB drive (a major lapse in security measures) and deleted dozens of databases, which Opexus failed to disclose.

"This contradiction raises serious concerns about the integrity of Opexus's claims and their response to the incident," Mandiant's report said.

Taking stock

Inspectors general at more than a dozen federal agencies have been investigating the incident and are still trying to identify the universe of government records and data potentially accessed, copied and removed by the Akhters, according to five people familiar with the matter.

In March, Bloomberg News received several emails from government agencies in response to FOIA requests saying that any requests filed during a four-day window starting on Feb. 14 had been lost due to a data failure experienced by its contractor, Opexus. At the Export-Import Bank of the United States, the outage was even longer. The agency said in response to a FOIA request that the outage affected all FOIA requests submitted between Feb. 18 and March 18.

At least one agency, the Department of Health and Human Services, is considering canceling its contract with Opexus as a result of the company's security failures, three people familiar with the matter told Bloomberg News.

Meanwhile, Opexus has been cooperating with the FBI, which has since expanded its probe to determine the merit of the claims in Suhaib Akhter's email about uncleared personnel and unsecure databases at the company, the people familiar with the matter said.

The FBI declined to comment.

"I think the company is going to be taking a deep, hard look at who should have access to what and figure that out," a company official said during an employee meeting at Opexus a few days after the incident, according to a recording of the meeting reviewed by Bloomberg News.

In late March, DHS agents and investigators from the FDIC's Office of Inspector General showed up at Suhaib Akhter's home in Virginia and his parents' home in Texas, where Muneeb Akhter was at the time, according to Suhaib and four people familiar with the matter. They seized the brothers' electronic devices and passports.

Photo credit: Jason Alden/Bloomberg
Topics: Cyber, Contractors