The Puzzle of When the OPM Hack Was Discovered Might Not be Solved After All

OPM headquarters // Mark Van Scyoc/

Story has been updated.

A probe into who discovered a years-long hack into background checks on U.S. national security workers might not be case closed after all. 

Security vendor CyTech now claims that during an April 21, 2015, product demonstration, its technology uncovered, for the first time, malware siphoning off the data. 

This allegation seems at odds with the side of the story that Oversight and Government Reform Committee ranking Democrat Rep. Elijah Cummings, D-Md., revealed last week in a letter to the House intelligence panel. 

Staff at the hacked agency, the Office of Personnel Management, already had discovered the malware using a tool from another contractor, Cylance, on April 15, 2015, Cummings said. 

There seems to be a disagreement over what the definition of "discover" is.

CyTech CEO Ben Cotton says, "I’ve been on [site at] a lot of breaches, and it is extremely rare that you would allow malware to continue to exist inside of your organization for a full week after you discovered it’s there." The three pieces of malware were "actively executing in RAM" memory, he added.

Those programs were later confirmed to be the malware that caused the breach of millions of records on Americans who had applied for clearances to handle U.S. secrets, Cotton said.

There is a nuance here. CyTech officials have never said they were the first to discover malicious processes on the OPM network. No one has disputed that OPM found an unknown SSL certificate on its network that was communicating with a malicious domain, ""

But CyTech seems to question who should be credited with discovering the actual compromise of data. 

Cotton says, if a government employee sees "something that you think is out of the ordinary on the 15th and it’s a packet of information going to a domain that you don’t know about, does that mean you discovered the breach?"

CyTech provided the government with forensic evidence -- memory images, hard drive images, event logs and registry entries -- that Cylance did not have the capability to obtain, according to CyTech. 

According to Cummings' letter, CyTech had not detected anything the government did not already know about and only confirmed OPM’s findings. 

For almost a year, the full committee has been investigating the agency’s delay in detecting the attack, which began as early as 2013. 

Republicans on the oversight committee did not sign Cummings' May 26 letter. 

The GOP members plan to release a more comprehensive report on the OPM incident in June, a committee staffer told Nextgov on background. It is expected the report will dig deeper into the timeline of the data breach, said an individual involved in the probe, who is not authorized to speak publicly about the matter. 

Nextgov has requested comment from Cummings and OPM. Cylance referred to the Cummings letter in response to questions.
