Congress of the United States
House of Representatives
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
2157 Rayburn House Office Building
Washington, DC 20515-6143

May as 2016

The Honorable Devin Nunes, Chairman
The Honorable Adam Schiff, Ranking Member
Permanent Select Committee on Intelligence
U.S. House of Representatives
Washington, D.C. 20515

Dear Chairman Nunes and Ranking Member Schiff:

Thank you for your letter on June 23, 2015, making a referral to the Oversight Committee of claims that CyTech Services discovered last year's cyber attacks against the Office of Personnel Management (OPM) before OPM discovered them. The Committee has now investigated these claims, obtaining thousands of pages of documents and conducting multiple transcribed interviews. The evidence obtained by the Committee indicates that OPM first discovered the intrusion into its networks, not CyTech, and claims that CyTech was responsible for first detecting these attacks are inaccurate.

Referral from Intelligence Committee to Oversight Committee

On June 23, 2015, you sent a referral letter and memorandum to the Oversight Committee relaying claims made by CyTech employees during a meeting with your staff on June 19. Your referral stated that CyTech employees met with OPM officials on April 5 to demonstrate their product known as which your referral described as a high-speed forensic analytic tool. Your referral stated that during this product demonstration, CyTech employees were allowed to rack-mount one of their servers loaded with tools onto the OPM system and that they launched a snapshot scan of the OPM system. Your referral stated that the scan identified some known malware and adware, as well as some unknown processes that required further examination, and that these unknown processes were of high interest to OPM.

Your referral acknowledged, however, that your staff have not independently verified this information.

Oversight Committee Hearing and Requests for Information

The day after we received your referral, on June 24, 2015, the Oversight Committee held a previously scheduled hearing on the OPM data breach. During that hearing, Committee Members questioned then-OPM Director Katherine Archuleta and then Chief Information Officer Donna Seymour about CyTech's claims. Both responded that OPM had identified the breach a week before CyTech did, but that the agency allowed CyTech to run its scan in order to determine whether the product the company was selling would have identified the breach.

For example, during the hearing, Rep. Michael Turner asked Director Archuleta and Ms. Seymour: "Was CyTech involved in the discovery of this data breach?" In response, Ms. Seymour explained that OPM discovered the breach. With respect to CyTech's subsequent scan, she explained: "We wanted to see if that tool set would also discover what we had already discovered." Rep. Turner then replied:

Well, clearly you are going to have to give us all an additional briefing, and certainly the Intel Committee staff an additional briefing, on exactly how you did this, because, you know, CyTech's relating what they did is very compelling. And quite frankly, what you say sounds highly suspicious, that you would have brought them in, tricked them, to see if they could discover it, something you have already discovered.

On July 24, 2015, we sent a letter to OPM requesting a wide range of documents relating to this issue. The Committee also requested documents from CyTech on August 14, 2015. In addition, we requested documents from the federal agencies and contractors involved with incident response and remediation efforts, specifically the United States Computer Emergency Readiness Team (US-CERT) and Cylance Inc., the contracting company that directly participated in incident response efforts at OPM.

The Committee also conducted transcribed interviews of CyTech's President and CEO, OPM's Director of Security Operations, one of his support personnel, and two representatives from a different vendor known as Cylance.

Results of Oversight Committee Investigation

The evidence obtained by the Committee indicates that OPM discovered the breach on April 15 or 16, five or six days before CyTech conducted its product demonstration and its scan of OPM's systems.

As part of our investigation, the Committee obtained a report issued by US-CERT on April 24, 2015, stating that OPM discovered suspicious activity on its networks on April 16, 2015. On that date, OPM requested that US-CERT conduct digital media analysis of three server images/hard drives. The report states that between April 115 and 2D Bill also provided with a document containing information on suspicious IP addresses and domains that may have been involved with the

The Committee also obtained a follow-on report issued by US-CERT on June 9, 2015, stating that on April 15, 2015, OPM discovered an unknown Secure Sockets Layer certificate on its network that was being used to communicate with the known malicious domain. The SSL functionality was a component of hardware previously installed by OPM as part of its enhanced security measures.

On February 2016, Committee staff conducted a transcribed interview of Brendan Saulsbury, the OPM contract engineer who actually detected the breaches as part of his work in Security Operations Center. When asked how OPM first became aware of the breaches, Mr. Saulsbury had this exchange with Committee staff:

Q: Who specifically within OPM first detected the malicious activity that was behind the April 2015 cyber intrusion?

A: Myself.

Q: And was it on April 16, 2015, that you recall detecting the malicious activity?

A: I believe so.

Q: Can you tell us what specifically was the malicious activity you detected on network on April 16, 2015?

A: We observed malware beaconing out to a command and control server from, at the time, two different servers.

Mr. Saulsbury also explained that the malware he detected was disguised as McAfee antivirus files:

We were able to determine that the actual malware was a DLL file that was called mcutil.dll. It was basically trying to fly under the radar as if it was a McAfee antivirus executable. The problem is that OPM doesn't use McAfee, so that stood out right there to us that, at that point, I was 100 percent certain that this is malware that is beaconing out.

On February 13, Committee staff conducted a transcribed interview with Jeff Wagner, Director of Security Operations, who confirmed Mr. Saulsbury's account. Mr. Wagner had this exchange with Committee staff:

Q: Earlier you mentioned that on April 15, 2015, OPM recognized an unknown certificate attached to a sophisticated attacker. So how did you first come to learn on April 15, 2015, that OPM's network may have been compromised?

A: My first indication was in the discussion of an unknown certificate through email.

Q: So we're clear, was it folks working in Security Operations Center, or SOC, that first detected malicious activity on network?

A: Yes.

Q: And do you recall any of the names of folks within the SOC who were responsible for first detecting the malicious activity on April 15, 2015?

A: Joe Tends, my lead engineer, would have been doing log investigation, and Brendan Saulsbury would have been the one pulling the forensics logs and doing the reverse engineering.

Mr. Wagner also explained that the tool used to identify the malware was developed by a different contractor, Cylance, that Ms. Seymour had hired previously to enhance cybersecurity:

Because of the unique capability of Cylance in mapping binary files as opposed to looking at direct signatures, we knew it was going to be able to immediately find any malware no matter what the indicators were.

On April 17, 2015, Mr. Wagner sent an email to Ms. Seymour reporting that Cylance officials were coming in to help with the forensics because it was their tool that found the Malware. He sent this email five days before CyTech conducted its product demonstration.

On September 30, 2015, Committee staff conducted a transcribed interview of Ben Cotton, the President and CEO of CyTech, who stated:

I had discovered that they were not using McAfee as an anti virus. But three of these processes were masquerading as McAfee es

The evidence obtained by the Committee confirmed that the malware OPM identified was the same malware CyTech identified during its product demonstration a week later. As Mr. Saulsbury, the OPM contract engineer who discovered the breach a week earlier, explained: "CyTech didn't detect anything that we didn't already know."

Conclusion

The evidence obtained by the Committee confirms that OPM discovered the data breach five or six days before CyTech conducted its product demonstration on April 2015, and that the malware OPM identified was the same malware that was later identified by CyTech. As a result, claims that CyTech was responsible for first detecting the OPM data breaches are inaccurate.

For your information, the majority staff on the Committee asked that I make clear that although I asked Chairman Chaffetz to join this letter, he declined. If you have any further questions about this matter, please contact Tim Lynch or Jesse Reiaman of my staff at 2132 225 505.

Sincerely,

Ranking Member

cc: The Honorable Jason Chaffetz, Chairman

Footnotes:

Letter and Memorandum from Chairman Devin Nunes and Ranking Member Adam Schiff, House Permanent Select Committee on Intelligence, to Chairman Jason Chaffetz and Ranking Member Elijah E. Cummings, House Committee on Oversight and Government Reform (June 23, 2015).

House Committee on Oversight and Government Reform, Hearing on OPM Data Breach: Part II (June 24).

Letter from Chairman Jason Chaffetz and Ranking Member Elijah E. Cummings, House Committee on Oversight and Government Reform, to Beth Cobert, Acting Director, Office of Personnel Management (July 24).

Letter from Chairman Chaffetz, House Committee on Oversight and Government Reform, to Ben Cotton, President and CEO, CyTech Services (Aug. 14, 2015).

Letter from Chairman Jason Chaffetz, House Committee on Oversight and Government Reform, to Ann Barron-DiCamillo, Director, United States Computer Emergency Readiness Team (siting 19 2015); Letter from Chairman Jason Chaffetz and Ranking Member Elijah E. Cummings, House Committee on Oversight and Government Reform, to Stuart McClure, CEO, President, and Founder, Cylance Inc. (Dec. 3, 2015).

United States Computer Emergency Readiness Team, Preliminary Digital Media Analysis Report (PDMAR), No. INC #65355 (Apr. 24, 2015).

United States Computer Emergency Readiness Team, Digital Media Analysis Report (DMAR), No. 45535 5 (June 9).

Letter from Jason K. Levine, Director, Congressional, Legislative, and Intergovernmental Affairs, Office of Personnel Management, to Chairman Jason Chaffetz and Ranking Member Elijah E. Cummings, House Committee on Oversight and Government Reform (Sept. 25, 2015).

House Committee on Oversight and Government Reform, Transcribed Interview of Brendan Saulsbury, Senior Cybersecurity Engineer, SRA International (Feb. 13, 2016).

House Committee on Oversight and Government Reform, Transcribed Interview of Jeff Wagner, Director of Security Operations, Office of Personnel Management (Feb. 13).

Email from Jeff Wagner, Director of Security Operations, Office of Personnel Management, to Donna Seymour, Chief Information Officer, Office of Personnel Management (Apr. 17, 2015).

House Committee on Oversight and Government Reform, Transcribed Interview of Ben Cotton, President and CEO, CyTech Services (Sept. 30, 2015).

House Committee on Oversight and Government Reform, Transcribed Interview of Brendan Saulsbury, Senior Cybersecurity Engineer, SRA International (Feb. 2016).