Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part IV
Page 132 of 425

394. At pm, Lum replied to Katherine’s pm email. This reply was addressed to Katherine, Kelvin and Robin. Lum also copied Veerendra, Vicky Boh, Yu Ping Hai, and Joanne (who were Citrix administrators). The contents of the email included:
“Please do not disclose this information to any other people.
Veerendra – Need to catch this [VM 1] machine. We found a malicious login to Citrix from a machine [VM 1].
[…]”
395. Lum has explained that at the point he sent this email, he had already determined that the login to Citrix Server 2 using the SA. account was malicious.
396. Lum has further explained that he asked that recipients “not disclose this information to any other people” because they had just discovered new information, namely, that a different Citrix server was being accessed (i.e. Citrix Server 2) using a different account (i.e. the SA. account), and he wanted to look further into the matter and understand how the account could be used in that way; prior to this, he had not even heard of the SA. account.
397. Katherine has explained that by the time she received this email, she was of the opinion that IHiS was dealing with what could be classified as a security incident. However, she did not report this to the security team or to her head of department, in view of Lum’s statement in his email “not to disclose this information to any other people”. At this point, Katherine did not know that the Citrix Team had contacted the SMD.
398. It is pertinent to note that Benjamin was not informed of the use of the SA. account to login to Citrix Server 2 until 26 June 2018.





22.5 Removing the SA. account from the admin group
399. At pm on 13 June 2018, Lum removed the SA. account from the admin group, thereby disabling remote access to the Citrix servers using this account. At the time, the Citrix Team suspected that access from the workstations to the Citrix servers must have been through an RDP client. They also noted that the Windows Remote Desktop Connection application was installed by default on all workstations. By removing the SA. account from the admin group, RDP access into Citrix servers using the SA. account would be disabled from all workstations.
