The Puzzle of When the OPM Hack Was Discovered Might Not be Solved After All

OPM headquarters // Mark Van Scyoc/

Story has been updated.

A probe into who discovered a years-long hack into background checks on U.S. national security workers might not be case closed after all. 

Security vendor CyTech now claims that during an April 21, 2015, product demonstration, its technology uncovered, for the first time, malware siphoning off the data. 

This allegation seems at odds with the side of the story that Oversight and Government Reform Committee ranking Democrat Rep. Elijah Cummings, D-Md., revealed last week in a letter to the House intelligence panel. 

Staff at the hacked agency, the Office of Personnel Management, already had discovered the malware using a tool from another contractor, Cylance, on April 15, 2015, Cummings said. 

There seems to be a disagreement over what the definition of "discover" is.

CyTech CEO Ben Cotton says, "I’ve been on [site at] a lot of breaches, and it is extremely rare that you would allow malware to continue to exist inside of your organization for a full week after you discovered it’s there." The three pieces of malware were "actively executing in RAM," he added.

Those programs were later confirmed to be the malware that caused the breach of millions of records on Americans who had applied for clearances to handle U.S. secrets, Cotton said.

There is a nuance here. CyTech officials have never said they were the first to discover malicious processes on the OPM network. No one has disputed that OPM found an unknown SSL certificate on its network that was communicating with a malicious domain, ""

But CyTech seems to question who should be credited with discovering the actual compromise of data. 

Cotton says, if a government employee sees "something that you think is out of the ordinary on the 15th and it’s a packet of information going to a domain that you don’t know about, does that mean you discovered the breach?"

CyTech provided the government with forensic evidence -- memory images, hard drive images, event logs and registry entries -- that Cylance did not have the capability to obtain, according to CyTech. 

According to Cummings' letter, CyTech had not detected anything the government did not already know about and only confirmed OPM’s findings. 

For almost a year, the full committee has been investigating the agency’s delay in detecting the attack, which began as early as 2013. 

Republicans on the oversight committee did not sign Cummings' May 26 letter. 

The GOP members plan to release a more comprehensive report on the OPM incident in June, a committee staffer told Nextgov on background. It is expected the report will dig deeper into the timeline of the data breach, said an individual involved in the probe, who is not authorized to speak publicly about the matter. 

Nextgov has requested comment from Cummings and OPM. Cylance referred to the Cummings letter in response to questions.
