Probe Found Security Lapses Led to US Contractor’s Data Breach

Failures in cybersecurity practices at a software company that helps federal agencies manage investigations and FOIA requests allowed two convicted hackers to delete databases, according to internal documents.

Author of the article: Jason Leopold, Bloomberg News

Published May 21, 2025

9 minute read

(Bloomberg) — A software company that handles sensitive data for nearly every US federal agency was the victim of a cyber breach earlier this year due to a “major lapse” in security measures, according to documents reviewed by Bloomberg News.

Opexus, which is owned by the private equity firm Thoma Bravo and provides software services for processing US government records, was compromised in February by two employees who’d previously been convicted of hacking into the US State Department. The findings were detailed in separate reports by Opexus and an independent cybersecurity firm, which characterized the incident as an “insider threat attack.” 

The investigations found that the employees, twin brothers Muneeb and Suhaib Akhter, improperly accessed sensitive documents and compromised or deleted dozens of databases, including those that contained data from the Internal Revenue Service and the General Services Administration. The brothers have since been terminated.

The incident, which hasn’t been previously reported, is now being probed by the Federal Bureau of Investigation and other federal law enforcement agencies, according to five people familiar with the matter who requested anonymity because they were not authorized to discuss the case. Muneeb and Suhaib Akhter denied any wrongdoing in separate interviews with Bloomberg News. 

The damage attributed to the brothers includes the destruction of more than 30 databases and the removal of more than 1,800 files related to one government project, according to the cybersecurity firm’s report. Opexus’ own investigation found that the brothers’ conduct led to an outage of two key software systems used by government agencies to process and manage their records, and in some cases a permanent loss of data.

Opexus declined to comment for this story.

The federal government processes an avalanche of electronic records every year. Opexus, which is based in Washington, is one of the largest providers of digital tools to manage the deluge. The company says it serves “over 100,000 government users and 200 public institutions in the U.S. and Canada” and helps them to “modernize government processes and workflows.” In January, Opexus merged with Casepoint, a software company that also offers tools for corporations and government agencies to process records, including those in litigation, compliance and investigative settings.

Over the past decade Opexus, which was previously known as AINS, has been awarded more than $50 million in contracts from dozens of federal agencies to handle an assortment of government records, including sensitive court documents and inspectors general investigations and audits. It specializes in helping agencies process records under the Freedom of Information Act. 

The Akhter brothers

Between 2023 and 2024, Opexus hired Suhaib and Muneeb Akhter as engineers. The brothers, who grew up in Springfield, Virginia, had developed reputations as “computer prodigies,” according to a 2014 Washington Post story. They graduated from George Mason University in 2011, when they were 19, with degrees in electrical engineering. They later earned master’s degrees in computer engineering and received a grant from the Defense Advanced Research Projects Agency, or DARPA, to conduct cybersecurity research.

When they arrived at Opexus, they were also skilled hackers. In 2015, they pleaded guilty to federal wire fraud and hacking charges in the Eastern District of Virginia. Prosecutors said that a year earlier, while Muneeb had been working as a contractor for the Department of Homeland Security, he hacked into a cosmetics company’s website and stole thousands of customers’ credit card numbers. He and his brother used them to purchase airline tickets and book hotel reservations, and he also resold the stolen information on the dark web, the Justice Department said. 

At the same time, Suhaib worked as an information technology support contractor for the State Department’s Bureau of Consular Affairs. While there, as described in a plea agreement with the Justice Department, he accessed sensitive computer systems and removed passport and visa information belonging to his friends, his former employer and even a federal law enforcement agent who was investigating his conduct. He and his brother also devised a plan to install a device at the State Department that would have provided them with unauthorized, remote access to the agency’s computer systems. Their goal was to create and sell fake passports and visas, prosecutors said in court documents. 

Muneeb was sentenced to three years in prison, while Suhaib received a two-year sentence. 

After getting out of prison, the brothers went back to work as developers and engineers in various capacities, according to their public work histories. Muneeb, who goes by Mickey, worked for a major bank and a defense contractor. Suhaib worked as a technical writer for a small telecom company in Virginia.

Eventually, they got hired by Opexus as engineers, roles that gave them access to a wide range of data and documents uploaded to the company’s servers. Part of their jobs entailed working on electronic case management for various agencies, including the Internal Revenue Service, Department of Energy, Defense Department and the Department of Homeland Security’s Office of Inspector General. 

As part of their work they had access to two software systems: eCASE, which manages audits of government agencies and investigations into waste, fraud and abuse; and FOIAXpress, which processes and tracks public records requests, including the redacting of material protected from disclosure under federal law. 

Opexus declined to comment on whether it conducted a background check on the brothers before hiring them. It is standard for contractors who work with sensitive government data to undergo a heightened vetting process. Opexus says on its website that its platforms are certified through the GSA’s Federal Risk and Authorization Management Program (FedRAMP), which ensures contractors “have met specific security requirements, ensuring that their cloud services are secure and reliable for government use.”

In an interview with Bloomberg, Suhaib Akhter said he was hired by Opexus on a “contingency basis with the understanding that certain security clearances” he needed “would come through.” The clearances never materialized, he said, so Opexus wound up moving him frequently from task to task. 

“We did good work at Opexus,” he said.

“I don’t recall any of this stuff,” Muneeb Akhter said. “Anything I did was for work purposes. I don’t know how this can be linked to me.”

A past resurrected

Details of the brothers’ past surfaced when Suhaib Akhter was asked to work with the Office of Inspector General at the Federal Deposit Insurance Corporation, according to five people familiar with the matter. The agency that insures bank deposits uses Opexus’s eCASE software to manage its audits and investigations.

Because the role would have entailed giving him unfettered access to sensitive bank and financial data, the agency required that he undergo a background check for a type of security clearance. FDIC officials learned of their criminal records and flagged the brothers as insider threats to Opexus’s chief information security officer. The FDIC declined to comment.

On Feb. 18, about a year into their Opexus tenure, the brothers were summoned into a virtual meeting with the company’s human resources officials, and terminated. But that was only the beginning. 

During their meeting with human resources, Muneeb Akhter still had access to data stored on Opexus servers. He accessed an IRS database from his company-issued laptop and blocked others from connecting to it, according to the independent report, which was prepared by Mandiant, a cybersecurity firm owned by Google that was hired to investigate the breach. He also accessed a GSA database and deleted it, the report says.

While still on the virtual meeting with HR, he proceeded to delete 33 other databases, including one that contained documents that held FOIA requests submitted to numerous government agencies, according to the cybersecurity report. A copy of Mandiant’s report was reviewed by Bloomberg News.

More than an hour after being fired, Muneeb Akhter inserted a USB drive into his laptop and removed 1,805 files of data related to a “custom project” for a government agency, the cybersecurity report said. (It’s unknown what the project entailed or what the files contained.) Then, his brother sent an email to dozens of federal government employees who worked with Opexus. 

“Hi all, I must apologize for the abrupt message…but I have urgent news,” Suhaib Akhter wrote in a Feb. 18 email, a copy of which was reviewed by Bloomberg News. “Opexus/CasePoint hires Uncleared personnel to work with your data; I was one of these uncleared personnel. The databases are insecure, using the same username and password to be accessed by all. They fired me because some of you determined I was unfit to deal with your data, but I’m telling you there are a lot more people in that organization like me. Please heed this message.”

Dueling investigations

The ease with which the Akhters were able to access Opexus data systems during their termination meeting triggered intense investigation—inside the company and out.

In late February, Opexus emailed government workers who’d been reaching out about outages of the eCASE and FOIAXpress platforms. The company said they were caused by “database deletions” carried out by “two disgruntled employees,” according to a copy of the email reviewed by Bloomberg News.

The company also prepared a “root cause analysis” report, which was reviewed by Bloomberg News. It said that the Akhters retained administrative access to Opexus’ systems during the “offboarding” process, meaning the credentials that allowed the database deletions were still valid while the termination meeting was under way.
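
The failure the root cause analysis describes is a gap between the moment HR decides to terminate and the moment the account actually loses access. The script below is an added example, not Opexus’s, Mandiant’s or Bloomberg’s code, showing the two checks a practitioner would want from that finding: correlating an HR termination feed with database audit logs to flag anything a terminated account did after its cutoff (destructive actions rated highest), and listing terminated accounts that still hold live sessions. A third check flags one username authenticating from many hosts, a signal for the shared-credential claim made in the email quoted below. The log line format, the account names, the action taxonomy and every timestamp are constructed for the demonstration; a real deployment replaces the parser with one for its own audit source.

```python
"""Offboarding-gap and insider-activity checks over database audit logs.

Added example; not code from Opexus, Mandiant or Bloomberg. The log format,
the account names, the action taxonomy and the timestamps are all constructed
for the demonstration. Real audit sources (pgaudit, SQL Server audit, cloud DB
activity logs) need their own parser in place of LINE_RE.
"""
import re
from datetime import datetime, timedelta

# Actions that destroy data, deny access to it or bulk-copy it (assumed taxonomy).
DESTRUCTIVE = {"DROP_DATABASE", "DROP_TABLE", "TRUNCATE", "LOCK_DATABASE", "BULK_EXPORT"}

# One event per line: ISO-8601 UTC timestamp, account, source host, action, target.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+user=(?P<user>\S+)\s+"
    r"host=(?P<host>\S+)\s+action=(?P<action>\S+)\s+target=(?P<target>\S+)\s*$"
)

# Constructed HR feed: account -> moment the termination meeting started.
TERMINATIONS = {"eng1": datetime(2025, 2, 18, 10, 0, 0)}

# Constructed audit log. eng1 keeps admin rights through the meeting and uses them;
# svc_shared is a single credential used from several laptops.
SAMPLE_LOG = """\
2025-02-18T09:40:12Z user=eng1 host=lap-17 action=SELECT target=case_db_a
2025-02-18T10:05:31Z user=eng1 host=lap-17 action=LOCK_DATABASE target=case_db_a
2025-02-18T10:07:02Z user=eng1 host=lap-17 action=DROP_DATABASE target=records_db_b
2025-02-18T10:09:45Z user=eng1 host=lap-17 action=DROP_DATABASE target=foia_requests
2025-02-18T10:11:00Z user=svc_shared host=lap-03 action=SELECT target=foia_requests
2025-02-18T10:11:30Z user=svc_shared host=lap-09 action=SELECT target=foia_requests
2025-02-18T10:12:00Z user=svc_shared host=lap-22 action=SELECT target=foia_requests
2025-02-18T10:30:00Z user=eng2 host=lap-05 action=SELECT target=case_db_a
2025-02-18T11:30:00Z user=eng1 host=lap-17 action=BULK_EXPORT target=custom_project_files
this line is not an audit event and must be skipped
""".splitlines()


def parse_audit_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def post_termination_activity(lines, terminations):
    """Events performed by a terminated account at or after its termination time.

    Destructive actions are rated high; anything else the account did after it
    should have lost access is still a finding, because the access itself is the bug.
    """
    findings = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None:
            continue
        cutoff = terminations.get(ev["user"])
        if cutoff is not None and ev["ts"] >= cutoff:
            ev["severity"] = "high" if ev["action"] in DESTRUCTIVE else "medium"
            findings.append(ev)
    return findings


def lingering_access(active_accounts, terminations, now, grace=timedelta(0)):
    """Terminated accounts that still hold live sessions or credentials at `now`.

    The offboarding checklist should make this list empty before the HR meeting
    ends; a non-zero grace period is a policy choice and should be short.
    """
    return sorted(
        u for u in active_accounts
        if u in terminations and now >= terminations[u] + grace
    )


def shared_credential_accounts(lines, min_hosts=3):
    """Accounts seen from at least `min_hosts` distinct hosts: a shared-password smell."""
    hosts = {}
    for line in lines:
        ev = parse_audit_line(line)
        if ev is not None:
            hosts.setdefault(ev["user"], set()).add(ev["host"])
    return {u: len(h) for u, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for f in post_termination_activity(SAMPLE_LOG, TERMINATIONS):
        print(f"{f['severity']:6} {f['ts']:%H:%M:%S} {f['user']} {f['action']} {f['target']}")
    print("still active:", lingering_access({"eng1", "eng2", "svc_shared"}, TERMINATIONS,
                                            datetime(2025, 2, 18, 10, 5)))
    print("shared:", shared_credential_accounts(SAMPLE_LOG))
```

Run against the constructed log, the first check returns the four post-cutoff events for eng1 (a lock, two drops and a bulk export) and skips the SELECT it ran before the meeting; the second check reports eng1 as still active five minutes into the meeting; the third names svc_shared as a credential used from three hosts. The point of wiring the HR feed in as a real-time input rather than an end-of-day batch is that the window that matters here was measured in minutes.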

On Feb. 24, Mandiant was retained by the law firm Kirkland & Ellis, which advised Thoma Bravo on the Opexus-Casepoint merger, to conduct an independent investigation into the Akhters’ actions.

Mandiant’s investigation didn’t turn up evidence of “malicious activities” by the Akhters beyond this incident. It did highlight “significant failures in Opexus’s cybersecurity practices.” It also said that the brothers’ conduct could be classified as a violation of the Computer Fraud and Abuse Act.

The report noted that the tactics used by the Akhters to attack Opexus networks were “indicative of advanced persistent insider threat tactics, which are typically associated with nation state actors, suggesting that Opexus’s vulnerabilities could have broader implications for national security.”

It also took issue with how Opexus characterized the incident to its customers at various agencies. In one email, Opexus wrote that “there is no evidence that the former insiders exfiltrated sensitive customer information … or performed any other harmful actions within the Opexus network.”

In its report, Mandiant said that its own investigation discovered Muneeb Akhter’s user account had copied 1,805 files onto a USB drive—“a major lapse in security measures”—and deleted dozens of databases, which Opexus failed to disclose. 

“This contradiction raises serious concerns about the integrity of Opexus’s claims and their response to the incident,” Mandiant’s report said. 

Taking stock 

Inspectors general at more than a dozen federal agencies have been investigating the incident, and are still trying to identify the universe of government records and data potentially accessed, copied and removed by the Akhters, according to five people familiar with the matter.

In March, Bloomberg News received several emails from government agencies in response to FOIA requests saying that any requests filed during a four-day window starting on Feb. 14 had been “lost” due to a “data failure experienced by its contractor, Opexus.” At the Export-Import Bank of the United States, the outage was even longer. The agency said in response to a FOIA request that the outage affected all FOIA requests submitted between Feb. 18 and March 18.

At least one agency, the Department of Health and Human Services, is considering canceling its contract with Opexus as a result of the company’s security failures, three people familiar with the matter told Bloomberg News.

Meanwhile, Opexus has been cooperating with the FBI, which has since expanded its probe to determine the merit of the claims in Suhaib Akhter’s email about “uncleared personnel” and insecure databases at the company, the people familiar with the matter said.

The FBI declined to comment.  

“I think the company is going to be taking a deep, hard look at who should have access to what and figure that out,” a company official said during an employee meeting at Opexus a few days after the incident, according to a recording of the meeting reviewed by Bloomberg News. 

In late March, DHS agents and investigators from the FDIC’s Office of Inspector General showed up at Suhaib Akhter’s home in Virginia and his parents’ home in Texas, where Muneeb Akhter was at the time, according to Suhaib and four people familiar with the matter. They seized the brothers’ electronic devices and passports. 