COI Report – Part IV
26 EVENTS OF 4 JULY 2018

26.1 Discovering queries to the SCM database

465. In the afternoon of 4 July 2018, Chai Sze Chun (“Sze Chun”), an Assistant Lead Analyst in the Production Enhancement Team supporting the SCM application, received some text alerts triggered by scripts that he had put in place to monitor the SCM database server.
466. Intending to make sure that there was no persistent issue with the SCM database server, Sze Chun decided to look into what had triggered the alert. In the course of investigations, Sze Chun checked the queries that were running at the time, and a particular query caught his attention. He checked back after a while, and the particular query was no longer running. He also did not receive any significant alerts from his scripts for the rest of 4 July 2018.
467. Prior to 4 July 2018, Sze Chun had not seen queries similar to this particular query, which was in fact one of the bulk queries run by the attacker. Although the query was no longer running, Sze Chun decided to investigate further.
468. Noticing that Citrix Server 2 and Workstation B were associated with the query, Sze Chun thought that he could find out the user-ID of the user that was logged into Citrix Server 2 at that point. However, Sze Chun was unable to find the necessary information. Sze Chun then asked Robin to provide the logs of users who had logged into Citrix Server 2 on 4 July 2018. Sze Chun received and reviewed the logs, but found no record of Workstation B having logged into Citrix Server 2 on 4 July 2018.
469. Sze Chun also noticed that the AA. account was associated with the query, which appeared unusual to him. The query was also being run from a program which was unusual (referred to in this section as the “first program”). At this point in time, Sze Chun thought that the unusual query may not have been run from the SCM application, and had in mind four possibilities