COI Report – Part V, Page 192 of 425

VVIPs had been queried. It was also confirmed that the records in the SCM database were not amended, deleted, or otherwise tampered with, and no other patient records, such as diagnoses, test results, or doctors' notes, were accessed.
608. IHiS also simulated the queries that were made by the attacker and compared this against the data traffic patterns going to the C servers. Based on the
similarities between the two, IHiS confirmed on 13 July 2018 that data had been exfiltrated.
32.3 Containment measures implemented

609. During the joint investigation, IHiS and CSA put in place several containment measures aimed at containing the existing threat, eliminating the attacker’s footholds, and preventing a recurrence of the attack. These measures were meant to contain the immediate threat and were not intended to be a permanent solution for SingHealth and IHiS.
32.3.1 Resetting the Kerberos Ticket Granting Ticket account

610. IHiS’ investigations revealed that the attacker had gained administrative privileges and moved across the network to access the Citrix servers. This was an indication that the KRBTGT account[39] could have been compromised.
611. The KRBTGT account is a service account in the Active Directory, and by obtaining the password hash to this account, the attacker would have been able to compromise every account within the Active Directory, possibly to the extent

[39] KRBTGT stands for the “Kerberos Ticket Generating Ticket Account”. Kerberos is a network authentication protocol that works on the basis of tickets to allow computers and devices communicating over a non-secure network to prove their identity to one another in a secure manner. The KRBTGT account is a special hidden account that encrypts all other authentication tokens in the Kerberos authentication protocol used by Windows. An attacker who has compromised the KRBTGT account can create a Kerberos Golden Ticket to gain complete access to the entire domain.