COI Report – Part III
13 INTRODUCTION TO THIS PART
138. In this Part, the Committee presents its findings in respect of TOR #1, establishing the events and contributing factors leading to the Cyber Attack and the subsequent exfiltration of patient data.
139. Although TOR #1 refers to the Cyber Attack as having occurred on or around 27 June 2018, the evidence shows that the Cyber Attack in fact began earlier, with the earliest signs of compromise dating back to 23 August 2017. It was only the querying of the SCM database which began on 27 June 2018, continuing on until 4 July 2018. Thereafter, instances of malicious activity took place on 18 and 19 July 2018. No further instances of malicious activity were observed after internet surfing separation was implemented on 20 July 2018. Thus, taking a broader view, the Cyber Attack spanned a period from around 23 August 2017 to 20 July 2018. Accordingly, the Committee’s findings in this Part will encompass all relevant events that took place in this period.
140. The Committee’s findings in this Part comprise three main issues. First, reconstructing the events of the Cyber Attack; second, identifying the preexisting vulnerabilities that were exploited or may have been exploited by the attacker in the course of the Cyber Attack; and third, profiling the attacker.
141. In considering the events of the Cyber Attack, it is useful to bear in mind the Cyber Kill Chain framework developed by Lockheed Martin, which identifies what adversaries must complete in order to achieve their objectives, going through seven stages starting from early reconnaissance to the final goal of data exfiltration. Having this framework in mind will facilitate understanding of the actions and the tactics, techniques and procedures (“TTPs”) of the attacker in this case.