Monday, February 10, 2014

EPAM says it has no ties between and references to HHS refer to a different system

See late-breaking updates, below:

A week ago, Bill Gertz of the Washington Free Beacon reported that U.S. intelligence officials had uncovered evidence that the troubled site was developed, in part, by a firm based in Belarus.

U.S. intelligence agencies last week urged the Obama administration to check its new healthcare network for malicious software after learning that developers linked to the Belarus government helped produce the website, raising fresh concerns that private data posted by millions of Americans will be compromised.

The firm, called EPAM, has offices around the world, but is headquartered in Belarus.

Officials disclosed the software compromise last week after the discovery in early January of statements by Belarusian official Valery Tsepkalo, director of the government-backed High-Technology Park (HTP) in Minsk.

Tsepkalo told a Russian radio station in an interview broadcast last summer that HHS is “one of our clients,” and that “we are helping Obama complete his insurance reform.”

“Our programmers wrote the program that appears on the monitors in all hospitals and all insurance companies—they will see the full profile of the given patient,” Tsepkalo said June 25 on Voice of Russia Radio.

A week later, the intelligence report had been "recalled" and the Obama administration issued denials that a Belarusian firm had been involved in development of the website.

...The recall of the intelligence report, which was produced by the CIA-based Open Source Center, has raised questions about the politicization of intelligence—the suppression or skewing of intelligence to conform to policy prescriptions.

DNI spokesman Shawn Turner, in a statement, denied that the withdrawal of the report was based on political motives... Turner said the Open Source Center circulated its report on Obamacare software Jan. 29 under the title “United States’ Affordable Care Act Software – Cyber Attack Target.” ... According to Turner, the report was not reviewed by intelligence experts and did not meet “tradecraft standards,” including certain pre-publication reviews.

HHS, its Centers for Medicare and Medicaid Services (CMS) that helped set up the system, and CGI Federal so far have declined to provide details on [all of the] contractors involved in

...The fears of cyber attack are compounded by the anti-U.S. stance of the Minsk government and an incident in February 2013 when large amounts of U.S. Internet data were hijacked and rerouted to Belarus where it was sifted for intelligence.

For those who speak Russian, you can find the complete 40-minute interview with Mr. Tsepkalo here. During the interview, Mr. Tsepkalo proudly names the U.S. Department of Health and Human Services as a key customer, adding he's helping Obama to reform American healthcare.

Answering the interviewer's question, he further adds, the money is very, very good (while smirking). At around 16:00, Mr. Tsepkalo also names some of his other U.S. customers. Among them are CitiBank and a new customer for him, NYSE.

So, let's summarize what we have learned. CGI Federal had allegedly subcontracted part of the software development to a Belorussian company called EPAM, which is a part of Belorussian High Technology Park, which is run by Lukashenko's advisor and former Belorussian Ambassador to the United States, Tsepkalo.

Is there any independent confirmation of ties between EPAM and HHS?

Possibly. Around the time that was being unveiled a software developer, who attempted to keep his name hidden, asked a series of technical questions on a popular software site called StackOverflow. Using the alias "gstackoverflow2", the developer visited a variety of such sites and posted questions regarding testing procedures for a Java framework.

Coincidence 1. The software deployment mentioned in the questions specifies both EPAM and HHS:

Coincidence 2. Though the user asks questions in -- and much of the code is written in -- English, the user's real name may have been inadvertently exposed in the files he uploaded to ask questions.

Nikolay Tkachev appears to be the name of someone of Ukrainian or Belorussian descent.

Coincidence 3. The timing of the questions corresponds to a great deal of rushed work before, during and after the horrific launch of

To be fair to EPAM, it has officially denied any involvement with HHS, despite the claims in Belarus.

EPAM Systems, Inc., releases an official statement, that contrary to recent online blog posts issued by various outlets, EPAM has never been involved in software development for the website or any Affordable Care Act related engagements. Any claims to the contrary are completely false.

However, that statement came before these particular leads were uncovered.

Therefore, I will formally submit the following questions to EPAM and HHS:

1. Did someone named "Nikolay Tkachev" and/or someone employing the alias gstackoverflow2 on the aforementioned websites ever work for EPAM?

2. If so, did the individual(s) work on any software for the Department of Health and Human Services, state exchanges, or other systems or platforms related to Obamacare?

3. If not, what do the modules marked epam.hhs represent? Who is the customer?

I'll be sending these to EPAM for their review and will let you know what I hear.

Update I: Received the following from EPAM:

...EPAM is a highly regarded U.S. publicly traded company, headquartered in Pennsylvania with highly skilled technical resources in the United States and around the globe. EPAM has a long history of quality software engineering and IT services capabilities. EPAM stands by its previous statement-- that the company is not now and has never been involved in software development for the website. Any claim to the contrary is completely false. The report appearing at your post incorrectly associates a simple folder name and references to “hhsystems.” To be clear, these references on the postings relate to an internal training project called “Head Hunter Systems”, and are unrelated to any customer engagements or the healthcare industry.


Ginger Mosier
V.P., General Counsel & Secretary

Consider the record corrected.

1 comment:

Redwine said...

Sure enough, Nikolay is in the Ukraine in "Individual & Family Services". Here's his LinkedIn profile (in Cyrillic, of course):