Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part IV Page 140 of 425

422. Ernest was also copied in email conversations pertaining to the CERT’s incident response starting from the night of 12 June 2018. However, he did not read them contemporaneously, and did so after 18 June 2018 when he returned to Singapore. Having “glanced through” each of the emails he was copied in, he had the following understanding:

a) He understood that Benjamin had been communicating with Veerendra, and that an image had been taken of Citrix Server 1, and that the server was shut down.

b) He did not notice the email from Vicky to Benjamin at am on 13 June 2018, in which Ernest was copied in, and in which Vicky informed Benjamin that she had “attached the email from Katherine the DBA for SCM regarding the login failed attempt to the DB server”. As such, Ernest did not see the emails from Katherine containing details of failed logins to the SCM system.

c) Ernest however did notice the email from Benjamin at am on 14 June 2018, in which he laid out an action plan (see paragraph 416 (pg 138) above). Ernest thus concluded that “this was a case that required forensic investigations”.

d) Ernest was also copied in the emails sent by Benjamin from 13 June 2018 onwards regarding the seizing of Workstation C for investigations (see paragraph 377 (pg 128) above). He noted that Benjamin had indicated in the first email at pm on 13 June 2018 that Workstation C had been “involved in an IT incident”. He also noted that Benjamin had stated that the workstation “was found to be attempting to connect to the SCM database using several different username/password combinations.”

423. Having read the TigerConnect messages and the emails he was copied in, Ernest realised that there were two workstations and one Citrix server being forensically examined at the same time in relation to suspicious attempts at