One of the longstanding mysteries about a hack that exposed profiles of 21.5 million national security personnel and their relatives appears to be solved.
Contractor CyTech did not discover the attack during an April 21, 2015, product demonstration, despite claims by company CEO Ben Cotton, a top House Democrat says.
Brendan Saulsbury, an OPM contract engineer, and other OPM staff say they detected malicious activity behind the intrusion five or six days earlier, using a tool developed by a separate vendor, Cylance.
CyTech confirmed the government's findings a week later, a House Oversight and Government Reform Committee investigation has found.
Rep. Elijah Cummings, D-Md., ranking committee Democrat, disclosed these details in a May 26 letter to the House intelligence committee.
Former OPM Director Katherine Archuleta and former OPM Chief Information Officer Donna Seymour testified last summer that OPM successfully found the intrusion -- believed by U.S. intelligence officials to be a Chinese spy operation.
The full committee has been investigating this he-said, she-said controversy since last July, compelling the government and contractors to produce thousands of pages of documents and conducting interviews with all parties involved.
Oversight Chairman Rep. Jason Chaffetz, R-Utah, held a January hearing to question an OPM official about the holdup and excessive redactions in documents it received involving CyTech. The Republicans on the oversight committee did not sign Thursday's letter.
CyTech "didn't detect anything that we didn't already know about," Saulsbury told congressional investigators Feb. 17, the letter states.
Malware that CyTech detected was disguised as McAfee antivirus files to fly under the radar, Cotton said. But OPM doesn't use McAfee, so those programs caught the agency's attention.
The agency called in a Homeland Security Department incident response team for assistance. The DHS Computer Emergency Readiness Team informed the committee OPM found an unknown SSL certificate on its network that was communicating with a known malicious domain, "opmsecurity.org."
Cummings said in the letter, “Claims that CyTech was responsible for first detecting the OPM data breaches are inaccurate.”
Nextgov has contacted CyTech for comment.