Ars Technica on a report stating the OPM hack was finally discovered while a new cyber security technology was being evaluated for potential purchase (emphasis added):
As officials of the Obama administration announced that millions of sensitive records associated with current and past federal employees and contractors had been exposed by a long-running infiltration of the networks and systems of the Office of Personnel Management on June 4, they claimed the breach had been found during a government effort to correct problems with OPM’s security. An OPM statement on the attack said that the agency discovered the breach as it had “undertaken an aggressive effort to update its cybersecurity posture.” And a DHS spokesperson told Ars that “interagency partners” were helping the OPM improve its network monitoring “through which OPM detected new malicious activity affecting its information technology systems and data in April 2015.”
Those statements may not be entirely accurate. According to a Wall Street Journal report, the breach was indeed discovered in April. But according to sources who spoke to the WSJ’s Damian Paletta and Siobhan Hughes, it was in fact discovered during a sales demonstration of a network forensics software package called CyFIR by its developer, CyTech Services. “CyTech, trying to show OPM how its cybersecurity product worked, ran a diagnostics study on OPM’s network and discovered malware was embedded on the network,” Paletta and Hughes reported.
I cannot think of a better way than this to confirm the value of a security technology. It is pretty amazing how much money OPM has spent on security after last year's e-QIP breach, and yet they were still unable to uncover the hack until CyTech Services deployed CyFIR as a proof-of-concept in early April.
If this is not a stunning endorsement of CyFIR’s capabilities then I’m not sure what is. I am not entirely sure I believe this story yet.