A software company that handles sensitive data for nearly every US federal agency was the victim of a cyber breach earlier this year due to a "major lapse" in security measures, according to documents reviewed by Bloomberg News.
Opexus, which is owned by the private equity firm Thoma Bravo and provides software services for processing U.S. government records, was compromised in February by two employees who had previously been convicted of hacking into the US State Department. The findings were detailed in separate reports by Opexus and an independent cybersecurity firm. Opexus characterized the incident as an "insider threat attack."
The investigations found that the employees, twin brothers Muneeb and Suhaib Akhter, improperly accessed sensitive documents and compromised or deleted dozens of databases, including ones that contained data from the Internal Revenue Service and the General Services Administration. The brothers have since been terminated.
The incident, which hasn't been previously reported, is now being probed by the Federal Bureau of Investigation and other federal law enforcement agencies, according to five people familiar with the matter who requested anonymity because they weren't authorized to discuss the case. Muneeb and Suhaib Akhter denied any wrongdoing in separate interviews with Bloomberg News.
The damage attributed to the brothers includes the destruction of more than 30 databases and the removal of more than 1,800 files related to one government project, according to the cybersecurity firm's report. Opexus' own investigation found that the brothers' conduct led to an outage of two key software systems used by government agencies to process and manage their records, and in some cases a permanent loss of data.
Opexus declined to comment for this story.
The federal government processes an avalanche of digital records every year. Opexus, which is based in Washington, is one of the largest providers of digital tools to manage the deluge. The company says it serves "over 100,000 government users and 200 public institutions in the U.S. and Canada" and helps them to "modernize government processes and workflows." In January, Opexus merged with Casepoint, a software company that also offers tools for businesses and government agencies to process records, including those in litigation, compliance and investigative settings.
Over the past decade Opexus, which was previously known as AINS, has been awarded more than $50 million in contracts from dozens of federal agencies to handle an assortment of government records, including sensitive court documents and inspectors general investigations and audits. It specializes in helping agencies process records under the Freedom of Information Act.
The Akhter Brothers
Between 2023 and 2024, Opexus hired Suhaib and Muneeb Akhter as engineers. The brothers, who grew up in Springfield, Virginia, had developed reputations as "computer prodigies," according to a 2014 Washington Post story. They graduated from George Mason University in 2011 when they were 19, earning degrees in electrical engineering. They later received master's degrees in computer engineering and were awarded a grant from the Defense Advanced Research Projects Agency, or DARPA, to conduct cybersecurity research.
By the time they arrived at Opexus, they were also skilled hackers. In 2015, they pleaded guilty to federal wire fraud and hacking charges in the Eastern District of Virginia. Prosecutors said that a year earlier, while Muneeb had been working as a contractor for the Department of Homeland Security, he hacked into a cosmetics company's website and stole thousands of customers' credit card numbers. He and his brother used them to buy airline tickets and book hotel reservations, and he also resold the stolen information on the dark web, the Justice Department said.
At the same time, Suhaib worked as an information technology support contractor for the State Department's Bureau of Consular Affairs. While there, as described in a plea agreement with the Justice Department, he accessed sensitive computer systems and removed passport and visa information belonging to his friends, his former employer and even a federal law enforcement agent who was investigating his conduct. He and his brother also devised a plan to install a device at the State Department that would have provided them with unauthorized, remote access to the agency's computer systems. Their goal was to create and sell fake passports and visas, prosecutors said in court documents.
Muneeb was sentenced to three years in prison, while Suhaib received a two-year sentence.
After getting out of prison, the brothers went back to work as developers and engineers in various capacities, according to their public work histories. Muneeb, who goes by Mickey, worked for a major bank and a defense contractor. Suhaib worked as a technical writer for a small telecom company in Virginia.
Eventually, they were hired by Opexus as engineers, roles that gave them access to a wide range of records and documents uploaded to the company's servers. Part of their jobs entailed working on digital case management for various agencies, including the Internal Revenue Service, Department of Energy, Defense Department and the Department of Homeland Security's Office of Inspector General.
As part of their work they had access to two software systems: eCASE, which manages audits of government agencies and investigations into waste, fraud and abuse; and FOIAXpress, which processes and tracks public records requests, including the redaction of material protected from disclosure under federal law.
Opexus declined to comment on whether it conducted a background check on the brothers before hiring them. It is standard for contractors who work with sensitive government data to undergo a heightened vetting process. Opexus says on its website that its platforms are certified through the GSA's Federal Risk and Authorization Management Program, which ensures contractors "have met specific security requirements, ensuring that their cloud services are secure and reliable for government use."
In an interview with Bloomberg, Suhaib Akhter said he was hired by Opexus on a "contingency basis with the understanding that certain security clearances" he needed "would come through." The clearances never materialized, he said, so Opexus wound up shifting him frequently from task to task.
"We did good work at Opexus," he said.
"I don't recall any of this stuff," Muneeb Akhter said. "Anything I did was for work purposes. I don't know how this can be linked to me."
A Past Resurrected
Details of the brothers' past surfaced when Suhaib Akhter was asked to work with the Office of Inspector General at the Federal Deposit Insurance Corporation, according to five people familiar with the matter. The agency that insures bank deposits uses Opexus's eCASE software to manage its audits and investigations.
Because the role would have entailed giving him unfettered access to sensitive bank and financial data, the agency required that he undergo a background check for a type of security clearance. FDIC officials learned of their criminal records and flagged the brothers as insider threats to Opexus's chief information security officer. The FDIC declined to comment.
On Feb. 18, about a year into their Opexus tenure, the brothers were summoned into a virtual meeting with the company's human resources officers, and terminated. But that was only the beginning.
During their meeting with human resources, Muneeb Akhter still had access to data stored on Opexus servers. He accessed an IRS database from his company-issued laptop and blocked others from connecting to it, according to the independent report, which was prepared by Mandiant, a cybersecurity firm owned by Google that was hired to investigate the breach. He also accessed a GSA database and deleted it, the report says.
While still on the virtual meeting with HR, he proceeded to delete 33 other databases, including one that contained documents holding FOIA requests submitted to numerous government agencies, according to the cybersecurity report. A copy of Mandiant's report was reviewed by Bloomberg News.
More than an hour after being fired, Muneeb Akhter inserted a USB drive into his laptop and removed 1,805 files of data related to a "custom project" for a government agency, the cybersecurity report said. (It is unknown what the project entailed or what the files contained.) Then, his brother sent an email to dozens of federal government employees who worked with Opexus.
"Hi all, I need to apologize for the abrupt message…but I have urgent news," Suhaib Akhter wrote in a Feb. 18 email, a copy of which was reviewed by Bloomberg News. "Opexus/CasePoint hires Uncleared personnel to work with your data; I was one of these uncleared personnel. The databases are insecure, using the same username and password to be accessed by all. They fired me because some of you determined I was unfit to handle your data, but I'm telling you there are many more people in that organization like me. Please heed this message."
Dueling Investigations
The ease with which the Akhters were able to access Opexus data systems during their termination meeting triggered intense investigation, inside the company and out.
In late February, Opexus emailed government employees who had been reaching out about outages of the eCASE and FOIAXpress platforms. The company said they were caused by "database deletions" carried out by "two disgruntled employees," according to a copy of the email reviewed by Bloomberg News.
The company also prepared a "root cause analysis" report, which was reviewed by Bloomberg News. It said that the Akhters retained administrative access to Opexus' systems during the "offboarding" process. That is the central control failure the reports describe: an account slated for termination should be disabled in the identity provider before the HR meeting starts, not after, so that nothing the departing employee does from a company laptop during that call can reach production databases.
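The two lapses the reports describe, standing administrative access that outlived the termination meeting and dozens of database deletions that nobody stopped in real time, are both detectable from an ordinary database audit log. The following is an added example written for this page, not code from Opexus, Mandiant, or the agency assessment: a small Python detector run over a constructed audit log. The log format, the principal names (`m.akhter`, `svc_etl`, `dba_ops`), the database names, the offboarding feed, and the thresholds are all assumptions; the `ALTER_DB ... SINGLE_USER` line is one guess at how "blocked others from connecting to it" might appear in such a log.

```python
"""Two insider-threat checks over a constructed database audit log.

1. Destructive actions by a principal whose offboarding has already begun
   (access that should have been revoked but wasn't).
2. A burst of DROP_DATABASE operations by any single principal inside a
   short window, regardless of HR status.

Added illustration only. Log format, names, and thresholds are assumptions,
not artifacts from Opexus, Mandiant, or any agency report.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit log: timestamp, principal, action, target.
# Not real Opexus data.
AUDIT_LOG = """\
2025-02-18T10:02:11Z svc_etl   SELECT        db_irs_cases
2025-02-18T10:05:40Z m.akhter  ALTER_DB      db_irs_cases SINGLE_USER
2025-02-18T10:06:02Z m.akhter  DROP_DATABASE db_gsa_records
2025-02-18T10:06:31Z m.akhter  DROP_DATABASE db_foia_requests
2025-02-18T10:06:55Z m.akhter  DROP_DATABASE db_doe_audits
2025-02-18T10:07:20Z m.akhter  DROP_DATABASE db_dod_cases
2025-02-18T11:30:00Z dba_ops   BACKUP        db_hhs_cases
"""

# Assumed feed from HR / the identity provider: principal -> moment
# offboarding began. In a real deployment this is the trigger for
# revocation; here it only drives detection.
OFFBOARDING = {"m.akhter": datetime(2025, 2, 18, 9, 45, tzinfo=timezone.utc)}

DESTRUCTIVE = {"DROP_DATABASE", "DROP_TABLE", "TRUNCATE", "ALTER_DB"}
BURST_COUNT = 3                  # drops within the window that trip an alert
BURST_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, action, *rest = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "principal": principal,
            "action": action,
            "target": " ".join(rest),
        })
    return events


def post_offboarding_destructive(events, offboarding=OFFBOARDING):
    """Destructive actions by a principal at or after their offboarding start.

    Any hit means the account still had write access to production after
    termination began, i.e. revocation did not precede the HR meeting.
    """
    return [
        ev for ev in events
        if ev["action"] in DESTRUCTIVE
        and ev["principal"] in offboarding
        and ev["ts"] >= offboarding[ev["principal"]]
    ]


def drop_bursts(events, count=BURST_COUNT, window=BURST_WINDOW):
    """Flag any principal issuing >= `count` DROP_DATABASE within `window`.

    Sliding window over each principal's sorted drop timestamps; returns one
    finding per principal describing the largest burst seen.
    """
    by_principal = defaultdict(list)
    for ev in events:
        if ev["action"] == "DROP_DATABASE":
            by_principal[ev["principal"]].append(ev["ts"])
    findings = []
    for principal, stamps in by_principal.items():
        stamps.sort()
        best, j = None, 0
        for i, start in enumerate(stamps):
            j = max(j, i)
            # advance j to the last drop that still falls inside the window
            while j + 1 < len(stamps) and stamps[j + 1] - start <= window:
                j += 1
            n = j - i + 1
            if n >= count and (best is None or n > best["count"]):
                best = {"principal": principal, "count": n,
                        "first": start, "last": stamps[j]}
        if best:
            findings.append(best)
    return findings


def detect(log_text=AUDIT_LOG, offboarding=OFFBOARDING):
    """Run both checks and return their findings."""
    events = parse_log(log_text)
    return {
        "post_offboarding": post_offboarding_destructive(events, offboarding),
        "drop_bursts": drop_bursts(events),
    }


if __name__ == "__main__":
    report = detect()
    for ev in report["post_offboarding"]:
        print(f"[OFFBOARDED] {ev['ts'].isoformat()} {ev['principal']} "
              f"{ev['action']} {ev['target']}")
    for b in report["drop_bursts"]:
        print(f"[BURST] {b['principal']} dropped {b['count']} databases "
              f"between {b['first'].isoformat()} and {b['last'].isoformat()}")
```

On the constructed log the first check flags five events for `m.akhter` (the single-user lock plus four drops) and the second reports one burst of four drops in under two minutes, while `dba_ops` is untouched. The offboarding check is a backstop, not the control: the same HR feed that populates `OFFBOARDING` should disable the account in the identity provider before the termination call, and a burst threshold like three drops in five minutes is a starting guess to tune against a real environment's change windows.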
On Feb. 24, Mandiant was retained by the law firm Kirkland & Ellis, which advised Thoma Bravo on the Opexus-Casepoint merger, to conduct an independent investigation into the Akhters' actions.
Mandiant's investigation did not turn up evidence of "malicious activities" by the Akhters beyond this incident. However, an assessment of Mandiant's investigation that was prepared by cybersecurity specialists at a federal agency affected by the breach said the probe highlighted "significant failures in Opexus's cybersecurity practices." The assessment, which was conducted to evaluate the severity of the attack, also said that the brothers' conduct could be classified as a violation of the Computer Fraud and Abuse Act.
The government agency's assessment noted that the tactics used by the Akhters to attack Opexus networks were "indicative of advanced persistent insider threat tactics, which are typically associated with nation state actors, suggesting that Opexus's vulnerabilities could have broader implications for national security."
The agency's assessment also took issue with how Opexus characterized the incident to its customers at various agencies. In one email, Opexus wrote that "there is no evidence that the former insiders exfiltrated sensitive customer information … or performed any other harmful activities within the Opexus network."
In its report, Mandiant said that its own investigation discovered Muneeb Akhter's user account had copied 1,805 files onto a USB drive and deleted dozens of databases. The government assessment called this a "major lapse in security measures," the extent of which Opexus failed to disclose.
"This contradiction raises serious concerns about the integrity of Opexus's claims and their response to the incident," the agency's assessment concluded.
Taking Stock
Inspectors general at more than a dozen federal agencies have been investigating the incident, and are still trying to determine the universe of government records and data potentially accessed, copied and removed by the Akhters, according to five people familiar with the matter.
In March, Bloomberg News received several emails from government agencies in response to FOIA requests saying that any requests filed during a four-day window beginning on Feb. 14 had been "lost" due to a "data failure experienced by its contractor, Opexus." At the Export-Import Bank of the United States, the outage was even longer. The agency said in response to a FOIA request that the outage affected all FOIA requests submitted between Feb. 18 and March 18.
At least one agency, the Department of Health and Human Services, is considering canceling its contract with Opexus as a result of the company's security failures, three people familiar with the matter told Bloomberg News.
Meanwhile, Opexus has been cooperating with the FBI, which has since expanded its probe to determine the merit of the claims in Suhaib Akhter's email about "uncleared personnel" and insecure databases at the company, the people familiar with the matter said.
The FBI declined to comment.
"I think the company is going to be taking a deep, hard look at who should have access to what and figure that out," a company official said during an employee meeting at Opexus a few days after the incident, according to a recording of the meeting reviewed by Bloomberg News.
In late March, DHS agents and investigators from the FDIC's Office of Inspector General showed up at Suhaib Akhter's home in Virginia and his parents' home in Texas, where Muneeb Akhter was at the time, according to Suhaib and four people familiar with the matter. They seized the brothers' electronic devices and passports.
Copyright 2025 Bloomberg.