Table of contents exchange of letters with the minister executive summary



Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part IV
Page 149 of 425

administrator group and used to log in to Citrix Server 2 over RDP. This was a strong indication of malicious activity as an administrator account had been compromised to perform this function.

b) Second, the DA. account was used to access Citrix Server 3 from Citrix Server 2. This was the first time that an H-Cloud Citrix server had been accessed without authorisation (as the account owner confirmed that he had not accessed the server). Furthermore, the DA. account had been used in this manner even though the account holder had changed the password on 11 June 2018. Given the circumstances, this was clearly an unauthorised access into Citrix Server 3, which was directly connected to a CII system, and, in CSA’s view, should have been reported to CSA as a security incident.

c) Third, the Windows event logs for Citrix Servers 2 and 3 were deleted using the DA. account. The natural inference would be that the entity behind the malicious activities was deliberately trying to cover its tracks. Yet the significance of this seemed to have been lost on Ernest and the IHiS teams: other than changing the password again for the DA. account, no further steps were taken to investigate the compromise of the DA. account or the deleted logs.

456. IHiS CEO Bruce’s own evidence is that the fact that the SCM database was facing a deliberate attack would have been “firmly established by 26 June 2018”, and that on that basis Ernest and Wee should have reported the incident accordingly.

457. In respect of the events of 26 June 2018, Wee may be given the benefit of the doubt in light of the fact that he was on medical leave.




458. However, the Committee finds that Ernest was wholly irresponsible in his attitude towards the cumulative facts before him. Ernest’s failure to report the matter on 26 June 2018 proved to be the last and most significant missed opportunity to prevent the attack. Having obtained the SCM database credentials from Citrix Server 3, the attacker began stealing and exfiltrating patient data from the SCM database over the course of the next few days.
