Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part IV
Page 145 of 425

privileges, and having confirmed that no one in IHiS had done so, Lum suspected that a privileged account had been compromised.
438. Shortly after, on 26 June 2018, Lum logged into Citrix Server 2 and found an active RDP session in which the SA. account had been used to log in to the server.
Lum checked the login logs and established that the SA. account was logged into Citrix Server 2 from VM 2. Lum then searched for active RDP sessions on the network and found only one connection. This connection was made from an IP address (referred to in this section as the “first IP address”), and Lum concluded that this IP address must have been related to VM 2.
439. At around pm on 26 June 2018, Lum sent emails to Benjamin containing screenshots showing the RDP session to Citrix Server 2 from the first IP address, and the suspicious login to the server using the SA. account. Benjamin has confirmed that this was the first time he had heard of the SA. account being used to log in to a Citrix server. He was not aware at this point of the earlier use of the account on 13 June 2018.
440. Shortly after, at pm on 26 June 2018, Joanne replied to the same email thread with a screenshot showing the session information of an RDP session, with the client name being that of VM 2 and the username being that of the SA. account. However, the client address was another IP address (referred to in this section as the “second IP address”), which was different from the first IP address.
441. At pm on 26 June 2018, Benjamin forwarded the above emails to Ernest and the other members of the CERT. Wee was not copied on this email. The emails consisted entirely of screenshots and did not contain any explanations.
442. Lum was of the view that the use of the SA. account to access Citrix Server 2 via RDP was clearly unauthorised. Thus, on 26 June 2018, he removed the account from the administrator group once again.
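The checks Lum performed by hand in paragraphs 438 to 442 (find RDP logons by a privileged account, compare the client name against the client address, and confirm the account is not sitting in an administrator group) can be expressed as detection logic over Windows Security log records. The following is an added example written for this page; it is not code from the COI report or from IHiS. Field names follow Windows event 4624 (logon type 10 is a RemoteInteractive, i.e. RDP, logon), but the records, host names, account name and IP addresses below are constructed placeholders, not values from the report.

```python
"""Hunt for privileged-account RDP logons in Windows Security log records.

Added example, not part of the COI report. Field names follow Windows
Security event 4624 (logon type 10 = RemoteInteractive / RDP); the
sample records, hosts, account and IP addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    time: str            # ISO-8601 timestamp
    event_id: int        # 4624 = successful logon
    logon_type: int      # 10 = RemoteInteractive (RDP)
    account: str         # TargetUserName
    target_host: str     # computer on which the event was recorded
    workstation: str     # WorkstationName, as reported by the client
    source_ip: str       # IpAddress, the peer address observed by the server


RDP_LOGON_TYPE = 10

# Constructed sample records (hypothetical names, not from the report).
# The same claimed client "VM-2" shows up from two different addresses.
SAMPLE_EVENTS = [
    LogonEvent("2018-06-26T09:02:11", 4624, 10, "SVC-ADMIN", "CITRIX-SRV-2", "VM-2", "10.0.5.21"),
    LogonEvent("2018-06-26T09:05:40", 4624, 10, "SVC-ADMIN", "CITRIX-SRV-2", "VM-2", "10.0.9.77"),
    LogonEvent("2018-06-26T09:07:03", 4624, 3, "SVC-ADMIN", "CITRIX-SRV-2", "VM-2", "10.0.5.21"),
    LogonEvent("2018-06-26T09:10:15", 4624, 10, "jdoe", "CITRIX-SRV-2", "WS-0412", "10.0.3.14"),
    LogonEvent("2018-06-26T09:11:50", 4624, 2, "SVC-ADMIN", "CITRIX-SRV-2", "CITRIX-SRV-2", "-"),
]


def privileged_rdp_logons(events, privileged_accounts):
    """Return successful RDP (type 10) logons by any account in privileged_accounts."""
    wanted = {a.upper() for a in privileged_accounts}
    return [
        e for e in events
        if e.event_id == 4624
        and e.logon_type == RDP_LOGON_TYPE
        and e.account.upper() in wanted
    ]


def client_address_discrepancies(logons):
    """Map (account, target_host, workstation) to the sorted list of source IPs seen.

    Only keys with more than one distinct IP are returned: the same claimed
    client name arriving from two addresses is the kind of mismatch worth
    a second look, because WorkstationName is supplied by the client while
    IpAddress is what the server actually observed.
    """
    seen = defaultdict(set)
    for e in logons:
        seen[(e.account, e.target_host, e.workstation)].add(e.source_ip)
    return {key: sorted(ips) for key, ips in seen.items() if len(ips) > 1}


def admin_group_drift(expected_members, current_members):
    """Accounts present in an administrators group that are not on the approved list."""
    expected = {m.upper() for m in expected_members}
    current = {m.upper() for m in current_members}
    return sorted(current - expected)


if __name__ == "__main__":
    hits = privileged_rdp_logons(SAMPLE_EVENTS, ["SVC-ADMIN"])
    for h in hits:
        print(f"{h.time} RDP logon {h.account} -> {h.target_host} "
              f"from {h.workstation} ({h.source_ip})")
    for (acct, host, ws), ips in client_address_discrepancies(hits).items():
        print(f"client {ws!r} for {acct} on {host} seen from several addresses: {ips}")
    # Hypothetical group snapshot: approved list versus what the server reports.
    print("unexpected admins:",
          admin_group_drift(["Administrator", "IT-OPS"],
                            ["Administrator", "IT-OPS", "SVC-ADMIN"]))
```

Two caveats when running this against real logs. With Network Level Authentication an RDP connection commonly produces a type 3 (network) logon immediately before the type 10 logon, so filtering on type 10 alone is correct for "interactive session established" but will not catch a failed or NLA-only attempt. And because WorkstationName is client-reported, a mismatch between it and IpAddress, as with the first and second IP addresses in paragraphs 438 to 440, should be treated as a signal to resolve the addresses against the network inventory rather than as proof of either host.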