Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part III Page 77 of 425

use of it as a matter of operational convenience, when it would have been clear that this undermined the very purpose of implementing PAM and 2FA.

15.3.2 Lack of firewalls to prevent unauthorised remote access using RDP to the SGH Citrix servers

228. CSA’s reconstruction of events shows that the attacker had moved laterally using RDP to remotely access multiple SGH Citrix servers. This was done from compromised workstations and suspected virtual machines, and by using compromised user credentials. After compromising the SGH Citrix servers, the attacker was able to connect to Citrix Server 3 in the H-Cloud. The attacker also queried the SCM database from Citrix Server 2, an SGH server.

229. If RDP access from end-user workstations to the SGH Citrix servers had been disabled or restricted, it would have made it harder for the attacker to move laterally [22] and to compromise the SGH Citrix servers. However, at the time of the attack, there were no firewalls in place to prevent unauthorised remote access to the SGH Citrix servers using RDP.

230. This was not an unknown risk to IHiS. First, the HITSPS states that unnecessary services, including remote administrative access to servers and network devices, should be disabled. Second, the need to enhance network segregation for administration access was in fact flagged up in the FY GIA Audit Report of May 2017 (which stated the findings from and response to the FY 2016 H-Cloud Pen-Test) as a ‘High’ Priority issue, which in IHiS’ risk classification framework meant that it was of a High severity of impact, and had a High likelihood of occurrence. The audit finding pointed to the possibility

[22] For completeness, CSA has clarified based on forensic findings that the attacker had also used other means to move laterally to the SGH Citrix servers. This means that even if RDP access from user workstations to the SGH Citrix servers were disabled or restricted, it would only have made it harder for the attacker to move laterally.
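Paragraph 229 describes the missing control: RDP to the Citrix servers should have been reachable only from approved administrative sources, not from end-user workstations. The following added example (not part of the COI Report or of any IHiS system) encodes such a policy and runs it as a detection over constructed Windows logon records, flagging successful RDP logons (Event 4624, LogonType 10) to the server subnet from anywhere outside an admin/jump-host subnet; the subnets, hostnames and log format are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical network policy (constructed, not from the report): RDP into the
# Citrix server subnet is permitted only from the admin/jump-host subnet.
SERVER_NET = ipaddress.ip_network("10.20.0.0/24")   # constructed server subnet
ADMIN_NET = ipaddress.ip_network("10.99.0.0/24")    # constructed admin/jump subnet
RDP_LOGON_TYPE = 10  # Windows Event 4624 LogonType 10 = RemoteInteractive (RDP)

@dataclass
class LogonEvent:
    event_id: int
    logon_type: int
    source_ip: str
    target_host: str
    target_ip: str
    user: str

def parse_event(line: str) -> LogonEvent:
    """Parse one constructed, space-separated logon record."""
    ev_id, ltype, src, host, dst, user = line.split()
    return LogonEvent(int(ev_id), int(ltype), src, host, dst, user)

def rdp_allowed(source_ip: str, target_ip: str) -> bool:
    """Firewall-style rule: only ADMIN_NET may open RDP to SERVER_NET."""
    src, dst = ipaddress.ip_address(source_ip), ipaddress.ip_address(target_ip)
    return dst not in SERVER_NET or src in ADMIN_NET

def find_rdp_from_workstations(lines):
    """Return successful RDP logons to servers whose source violates the policy."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if (ev.event_id == 4624 and ev.logon_type == RDP_LOGON_TYPE
                and not rdp_allowed(ev.source_ip, ev.target_ip)):
            hits.append(ev)
    return hits

# Constructed sample records: "<event_id> <logon_type> <src_ip> <host> <dst_ip> <user>"
SAMPLE_LOG = [
    "4624 10 10.99.0.5 citrix-a 10.20.0.11 jumpadmin",    # RDP from admin subnet: allowed
    "4624 10 10.30.4.77 citrix-a 10.20.0.11 helpdesk1",   # RDP from a user workstation: flagged
    "4624 3 10.30.4.77 citrix-b 10.20.0.12 helpdesk1",    # network logon, not RDP: ignored
    "4624 10 10.30.8.9 citrix-b 10.20.0.12 svc_backup",   # RDP from another workstation: flagged
    "4624 10 10.30.4.77 fileshare 10.40.0.3 helpdesk1",   # target outside server subnet: out of scope
]

if __name__ == "__main__":
    for ev in find_rdp_from_workstations(SAMPLE_LOG):
        print(f"RDP to {ev.target_host} from {ev.source_ip} as {ev.user}")
```

The same predicate serves both as the allow/deny rule a network or host firewall would enforce and as a retrospective check over logon telemetry, which is how the gap described in paragraph 229 would show up in monitoring.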