A software program firm that handles delicate knowledge for almost each US federal company was the sufferer of a cyber breach earlier this 12 months resulting from a “main lapse” in safety measures, in response to paperwork reviewed by Bloomberg Information.
Opexus, which is owned by the personal fairness agency Thoma Bravo and offers software program companies for processing US authorities data, was compromised in February by two workers who’d beforehand been convicted of hacking into the US State Division. The findings had been detailed in separate reviews by Opexus and an impartial cybersecurity agency, which characterised the incident as an “insider menace assault.”
The investigations discovered that the staff, twin brothers Muneeb and Suhaib Akhter, improperly accessed delicate paperwork and compromised or deleted dozens of databases, together with people who contained knowledge from the Inner Income Service and the Basic Companies Administration. The brothers have since been terminated.
The incident, which hasn’t been beforehand reported, is now being probed by the Federal Bureau of Investigation and different federal regulation enforcement businesses, in response to 5 folks aware of the matter who requested anonymity as a result of they weren’t approved to debate the case. Muneeb and Suhaib Akhter denied any wrongdoing in separate interviews with Bloomberg Information.
The harm attributed to the brothers contains the destruction of greater than 30 databases and the removing of greater than 1,800 recordsdata associated to 1 authorities mission, in response to the cybersecurity agency’s report. Opexus’ personal investigation discovered that the brothers’ conduct led to an outage of two key software program programs utilized by authorities businesses to course of and handle their data, and in some circumstances a everlasting lack of knowledge.
Opexus declined to remark for this story.
The federal authorities processes an avalanche of digital data yearly. Opexus, which is predicated in Washington, is without doubt one of the largest suppliers of digital instruments to handle the deluge. The corporate says it serves “over 100,000 authorities customers and 200 public establishments within the U.S. and Canada” and helps them to “modernize authorities processes and workflows.” In January, Opexus merged with Casepoint, a software program firm that additionally presents instruments for firms and authorities businesses to course of data, together with these in litigation, compliance and investigative settings.
Over the previous decade Opexus, which was beforehand referred to as AINS, has been awarded greater than $50 million in contracts from dozens of federal businesses to deal with an assortment of presidency data, together with delicate courtroom paperwork and inspectors common investigations and audits. It makes a speciality of serving to businesses course of data underneath the Freedom of Info Act.
The Akhter brothers
Between 2023 and 2024, Opexus employed Suhaib and Muneeb Akhter as engineers. The brothers, who grew up in Springfield, Virginia, had developed reputations as “pc prodigies,” in response to a 2014 Washington Put up story. They graduated from George Mason College in 2011 after they had been 19, incomes levels in electrical engineering. They later obtained masters levels in pc engineering and obtained a grant from the Protection Superior Analysis Undertaking Company, or DARPA, to conduct cybersecurity analysis.
Once they arrived at Opexus, they had been additionally expert hackers. In 2015, they pleaded guilty to federal wire fraud and hacking costs within the Japanese District of Virginia. Prosecutors stated {that a} 12 months earlier, whereas Muneeb had been working as a contractor for the Division of Homeland Safety, he hacked right into a cosmetics firm’s web site and stole hundreds of shoppers’ bank card numbers. He and his brother used them to buy airline tickets and e book resort reservations, and he additionally resold the stolen data on the darkish internet, the Justice Division said.
On the identical time, Suhaib labored as an data know-how help contractor for the State Division’s Bureau of Consular Affairs. Whereas there, as described in a plea settlement with the Justice Division, he accessed delicate pc programs and eliminated passport and visa data belonging to his mates, his former employer and even a federal regulation enforcement agent who was investigating his conduct. He and his brother additionally devised a plan to put in a tool on the State Division that may have supplied them with unauthorized, distant entry to the company’s pc programs. Their purpose was to create and promote faux passports and visas, prosecutors stated in court documents.
Muneeb was sentenced to 3 years in jail, whereas Suhaib obtained a two-year sentence.
After getting out of jail, the brothers went again to work as builders and engineers in numerous capacities, in response to their public work histories. Muneeb, who goes by Mickey, labored for a significant financial institution and a protection contractor. Suhaib labored as a technical author for a small telecom firm in Virginia.
Ultimately, they received employed by Opexus as engineers, roles that gave them entry to a variety of information and paperwork uploaded to the corporate’s servers. A part of their jobs entailed engaged on digital case administration for numerous businesses, together with the Inner Income Service, Division of Vitality, Protection Division and the Division of Homeland Safety’s Workplace of Inspector Basic.
As a part of their work they’d entry to 2 software program programs: eCASE, which manages audits of presidency businesses and investigations into waste, fraud and abuse; and FOIAXpress, which processes and tracks public data requests, together with the redacting of fabric protected against disclosure underneath federal regulation.
Opexus declined to touch upon whether or not it carried out a background examine on the brothers earlier than hiring them. It’s normal for contractors who work with delicate authorities knowledge to bear a heightened vetting course of. Opexus says on its web site that its platforms are licensed via the GSA’s Federal Threat and Authorization Administration Program, which ensures contractors “have met particular safety necessities, guaranteeing that their cloud companies are safe and dependable for presidency use.”
In an interview with Bloomberg, Suhaib Akhter stated he was employed by Opexus on a “contingency foundation with the understanding that sure safety clearances” he wanted “would come via.” The clearances by no means materialized, he stated, so Opexus wound up shifting him incessantly from job to job.
“We did good work at Opexus,” he stated.
“I don’t recall any of these things,” Muneeb Akhter stated. “Something I did was for work functions. I don’t understand how this may be linked to me.”
A previous resurrected
Particulars of the brothers’ previous surfaced when Suhaib Akhter was requested to work with the Workplace of Inspector Basic on the Federal Deposit Insurance coverage Company, in response to 5 folks aware of the matter. The company that insures financial institution deposits makes use of Opexus’s eCASE software program to handle its audits and investigations.
As a result of the position would have entailed giving him unfettered entry to delicate financial institution and monetary knowledge, the company required that he bear a background examine for a sort of safety clearance. FDIC officers discovered of their felony data and flagged the brothers as insider threats to Opexus’s chief data safety officer. The FDIC declined to remark.
On Feb. 18, a few 12 months into their Opexus tenure, the brothers had been summoned right into a digital assembly with the corporate’s human sources officers, and terminated. However that was solely the start.
Throughout their assembly with human sources, Muneeb Akhter nonetheless had entry to knowledge saved on Opexus servers. He accessed an IRS database from his firm issued laptop computer and blocked others from connecting to it, in response to the impartial report, which was ready by Mandiant, a cybersecurity agency owned by Google that was employed to research the breach. He additionally accessed a GSA database and deleted it, the report says.
Whereas nonetheless on the digital assembly with HR, he proceeded to delete 33 different databases, together with one which contained paperwork that held FOIA requests submitted to quite a few authorities businesses, in response to the cybersecurity report. A replica of Mandiant’s report was reviewed by Bloomberg Information.
Greater than an hour after being fired, Muneeb Akhter inserted a USB drive into his laptop computer and eliminated 1,805 recordsdata of information associated to a “customized mission” for a authorities company, the cybersecurity report stated. (It’s unknown what the mission entailed or what the recordsdata contained.) Then, his brother despatched an e-mail to dozens of federal authorities workers who labored with Opexus.
“Hello all, I have to apologize for the abrupt message…however I’ve pressing information,” Suhaib Akhter wrote in a Feb. 18 e-mail, a replica of which was reviewed by Bloomberg Information. “Opexus/CasePoint hires Uncleared personnel to work along with your knowledge; I used to be one in all these uncleared personnel. The databases are insecure, utilizing the identical username and password to be accessed by all. They fired me as a result of a few of you decided I used to be unfit to cope with your knowledge, however I’m telling you there are much more folks in that group like me. Please heed this message.”
Dueling investigations
The benefit with which the Akhters had been capable of entry Opexus knowledge programs throughout their termination assembly triggered intense investigation—inside the corporate and out.
In late February, Opexus emailed authorities employees who’d been reaching out about outages of the eCase and FOIAXpress platforms. The corporate stated they had been brought on by “database deletions” carried out by “two disgruntled workers,” in response to a replica of the e-mail reviewed by Bloomberg Information.
The corporate additionally ready a “root case evaluation” report, which was reviewed by Bloomberg Information. It stated that the Akhters retained administrative entry to Opexus’ programs in the course of the “offboarding” course of.
On Feb. 24, Mandiant was retained by the regulation agency Kirkland & Ellis, which suggested Thoma Bravo on the Opexus-Casepoint merger, to conduct an impartial investigation into the Akhters’ actions.
Mandiant’s investigation didn’t flip up proof of “malicious actions” by the Akhters past this incident. It did spotlight “important failures in Opexus’s cybersecurity practices.” It additionally stated that the brothers’ conduct may very well be categorized as a violation of the Laptop, Fraud and Abuse Act.
The report famous that the ways utilized by the Akhters to assault Opexus networks had been “indicative of superior persistent insider menace ways, that are sometimes related to nation state actors, suggesting that Opexus’s vulnerabilities may have broader implications for nationwide safety.”
It additionally took subject with how Opexus characterised the incident to its prospects at numerous businesses. In a single e-mail, Opexus wrote that “there is no such thing as a proof that the previous insiders exfiltrated delicate buyer data … or carried out some other dangerous actions inside the Opexus community.”
In its report, Mandiant stated that its personal investigation found Muneeb Akhter’s person account had copied 1,805 recordsdata onto a USB drive—”a significant lapse in safety measures”—and deleted dozens of databases, which Opexus didn’t disclose.
“This contradiction raises severe issues in regards to the integrity of Opexus’s claims and their response to the incident,” Mandiant’s report stated.
Taking inventory
Inspectors common at greater than a dozen federal businesses have been investigating the incident, and are nonetheless making an attempt to establish the universe of presidency data and knowledge probably accessed, copied and eliminated by the Akhters, in response to 5 folks aware of the matter.
In March, Bloomberg Information obtained a number of emails from authorities businesses in response to FOIA requests saying that any requests filed throughout a four-day window beginning on Feb. 14 had been “misplaced” resulting from a “knowledge failure skilled by its contractor, Opexus.” On the Export-Import Financial institution of the US, the outage was even longer. The company stated in response to a FOIA request that the outage affected all FOIA requests submitted between Feb. 18 and March 18.
At the very least one company, the Division of Well being and Human Companies, is contemplating canceling its contract with Opexus on account of the corporate’s safety failures, three folks aware of the matter advised Bloomberg Information.
In the meantime, Opexus has been cooperating with the FBI, which has since expanded its probe to find out the benefit of the claims in Suhaib Akhter’s e-mail about “uncleared personnel” and unsecure databases on the firm, the folks aware of the matter stated.
The FBI declined to remark.
“I believe the corporate goes to be taking a deep, laborious take a look at who ought to have entry to what and determine that out,” an organization official stated throughout an worker assembly at Opexus a number of days after the incident, in response to a recording of the assembly reviewed by Bloomberg Information.
In late March, DHS brokers and investigators from the FDIC’s Workplace of Inspector Basic confirmed up at Suhaib Akhter’s house in Virginia and his mother and father’ house in Texas, the place Muneeb Akhter was on the time, in response to Suhaib and 4 folks aware of the matter. They seized the brothers’ digital gadgets and passports.
Photograph: Photograph credit score: Jason Alden/Bloomberg
Copyright 2025 Bloomberg.
Subjects
Cyber
Contractors
