The Puzzle of When the OPM Hack Was Discovered Might Not be Solved After All

Story has been updated.

A probe into who discovered a years-long hack into background checks on U.S. national security workers might not be case closed after all. 

Security vendor CyTech now claims that during an April 21, 2015, product demonstration, its technology uncovered, for the first time, malware siphoning off the data. 

This allegation seems at odds with the side of the story that Oversight and Government Reform Committee ranking Democrat Rep. Elijah Cummings, D-Md., revealed last week in a letter to the House intelligence panel. 

Staff at the hacked agency, the Office of Personnel Management, already had discovered the malware using a tool from another contractor, Cylance, on April 15, 2015, Cummings said. 

There seems to be a disagreement over what the definition of "discover" is.

CyTech CEO Ben Cotton says, "I’ve been on [site at] a lot of breaches, and it is extremely rare that you would allow malware to continue to exist inside of your organization for a full week after you discovered it’s there." The three pieces of malware were "actively executing in RAM" memory, he added.

Those programs were later confirmed to be the malware that caused the breach of millions of records on Americans who had applied for clearances to handle U.S. secrets, Cotton said.

There is a nuance here. CyTech officials have never said they were the first to discover malicious processes on the OPM network. No one has disputed that OPM found an unknown SSL certificate on its network that was communicating with a malicious domain, "opmsecurity.org."

But CyTech seems to question who should be credited with discovering the actual compromise of data. 

Cotton says, if a government employee sees "something that you think is out of the ordinary on the 15th and it’s a packet of information going to a domain that you don’t know about, does that you mean you discovered the breach?"

CyTech provided the government with forensic evidence -- memory images, hard drive images, event logs and registry entries -- that Cylance did not have the capability to obtain, according to CyTech. 

According to Cummings' letter, CyTech had not detected anything the government did not already know about and only confirmed OPM’s findings. 

For almost a year, the full committee has been investigating the agency’s delay in detecting the attack, which began as early as 2013. 

Republicans on the oversight committee did not sign Cummings' May 26 letter. 

The GOP members plan to release a more comprehensive report on the OPM incident in June, a committee staffer told Nextgov on background. It is expected the report will dig deeper into the timeline of the data breach, said an individual involved in the probe, who is not authorized to speak publicly about the matter. 

Nextgov has requested comment from Cummings and OPM. Cylance referred to the Cummings letter in response to questions.