How the OPM breach was really discovered
Nearly a year after hackers stole the personal data of more than 21 million Americans from a database at the Office of Personnel Management, lawmakers have concluded that it was an OPM contract engineer — not a tech company demo-ing its cyber-detection software — who first discovered the breach.
Rep. Elijah Cummings, D-Md., issued a letter Thursday to the House Permanent Select Committee on Intelligence with the results of the House Committee on Oversight and Government Reform’s nearly yearlong investigation into how the breaches were discovered, stating that “claims that CyTech [Services] was responsible for first detecting the OPM data breaches are inaccurate.”
A contracting engineer, Brendan Saulsbury, working in the agency’s Security Operations Center told the House Committee on Oversight and Government Reform in an interview that he first discovered the breach on April 15 or 16, 2015, five or six days before CyTech Services conducted the demo of its CyFIR tool on OPM systems. After the breach became public, some media reported that the demo had first discovered the presence of the malware hackers had used, running on the agency’s network.
CyTech “didn’t detect anything that we didn’t already know about,” Saulsbury told the committee.
Reports from the U.S.-Computer Emergency Readiness Team that OPM requested a “digital media analysis” from the team on April, 16, 2015, corroborate Saulsbury’s account, the letter says. Another interview with OPM Chief Information Security Officer Jeff Wagner backed that version of events as well.
CyTech CEO Ben Cotton told FedScoop that his company never claimed to have discovered the hack. “It’s not what we have said publicly. What we have said publicly is … that we don’t have any knowledge of what they did or didn’t know prior to us arriving on site, but on April 22, we discovered three running process in their production environment in active RAM.”
In June 2015, after news of the breaches broke, Cotton publicly stated that “Using our endpoint vulnerability assessment methodology, CyFIR quickly identified a set of unknown processes running on a limited set of endpoints. This information was immediately provided to the OPM security staff and was ultimately revealed to be malware.”
However, he added at the time: “CyTech is unaware if the OPM security staff had previously identified these processes.”
When asked during a June 2015 hearing if CyTech played a role in the discovery of the vulnerabilities, OPM’s then-Administrator Katherine Archuleta and then-CIO Donna Seymour — who both have since resigned following fallout from the hacks — testified their agency detected it a week before CyTech did.
So then, how exactly did OPM first discover the vulnerabilities? And how did CyTech get credited for it?
Saulsbury said his team noticed a “malware beaconing out to a command and control server from, at times, two different servers.” The file type is what caught his eye, because it was disguised as an antivirus file from McAfee software, which OPM doesn’t use.
“So that stood out right there to us that, at that point, I was 100 percent certain that this is malware that is beaconing out,” he told the committee on Feb. 17, 2016.
Wagner, in his interview with the committee a day later, gave more details. He said it was a different tool, from cybersecurity contractor Cylance, which OPM previously hired to enhance its security, that detected the intrusion.
On April 17, 2015, Wagner emailed CIO Seymour about his findings, reporting that Cylance was coming in to conduct forensics because it was “their tool that found the Malware,” the letter reads. It is unclear whether Cylance conducted those forensics, but a few days after Wagner’s email, CyTech demoed its tool and discovered the same vulnerabilities.
So despite detecting the beaches on its own, OPM enlisted an unaware CyTech to test drive its CyFIR product.
“We wanted to see if that tool set would also discover what we had already discovered,” Seymour said in the June hearing.
“[Q]uite frankly, what you say sounds very suspicious, that you would have brought them in, tricked them to see if they could discover it, something you have already discovered,” Rep. Michael Turner, R-Ohio, replied to Seymour.
Cotton told FedScoop they had no idea the malware was there when they installed their demo — “they did not notify us, they did not tell us about it prior to us finding those pieces of malware,” he said.
Rep. Jason Chaffetz, R-Utah — the chair of the committee and a savage critic of OPM in the wake of the breaches — did not sign on to Cummings’ letter.
Contact the reporter on this story via email at Billy.Mitchell@FedScoop.com or follow him on Twitter @BillyMitchell89. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on.
