COI Report – Part IV Page 124 of 425

Kelvin, as part of the Applications team that has responsibility for end-user accounts, to look into them.

360. In his reply, Kelvin directed a query at Lum, mentioning that a password had been changed, and asking to check who was logged into Citrix Server 1. The Citrix Team checked the active sessions on Citrix Server 1 at the time of the failed logins to the SCM database, and it did not appear that the LA. account was used to log in to Citrix Server 1 at the time. IHiS staff were unable to identify which account had been used to log in to Citrix Server 1.

361. Katherine has explained that in view of the unusual failed attempts at logging into the SCM database on 11 June and 12 June 2018, she “was concerned that something was wrong”. While she “did not know exactly what was taking place”, she “knew that it was unusual”. Thus, on 12 or 13 June 2018, she called Lum, and Lum told her to inform him every time she received any notice of failed attempts at logging into the SCM database.

362. On Lum’s part, he thought the multiple attempted logins to the SCM database “could be somebody attempting to gain unauthorised access to the SCM database”.

21.3 Discovering numerous instances of suspicious folders in Citrix Server 1

363. Having found out the night before on 11 June 2018 about the earlier infection of Citrix Server 1 with malware, the Citrix Team was on the lookout for any other suspicious files. On 12 June 2018, they found that many users’ profile folders contained a folder with a particular name. These folders did not contain any executable programs. Lum checked online and found out that the name of the folders was that of an open source SQL tool. The tool is not software that is used in the SingHealth IT environment.