COI Report – Part III Page 56 of 425

installed on Workstation A then. The tool was thus successfully installed and was used to download malicious files onto Workstation A. Some of these files were masqueraded as .jpg image files, but in fact contained malicious PowerShell scripts, one of which is thought to be a modified PowerShell script taken from an open source post-exploitation tool.

152. Also on 1 December 2017, shortly after the installation of the hacking tool, RAT 1 was created on Workstation A.

153. With the introduction of the hacking tool and RAT 1 in December 2017, the attacker gained the capability to execute shell scripts remotely, as well as to upload and download files to Workstation A. Referring to the Cyber Kill Chain framework described in paragraph 141 above, it can be seen that the attacker was able to go through the Delivery, Exploitation, Installation and Command and Control phases by 1 December 2017.

14.3 Privilege escalation and lateral movement – December 2017 to June 2018

154. After the attacker established an initial foothold in Workstation A, it moved laterally in the network between December 2017 and June 2018¹⁶, compromising a number of endpoints and servers, including the Citrix servers located in SGH, which were connected to the SCM database.

CSA's assessment

The Committee notes that in CSA's reconstruction of events, the period of privilege escalation and lateral movement is stated to be from December 2017 to May 2018, and the events of June 2018, where the attacker made unauthorised logins to the SGH Citrix servers and attempted to log in to the SCM system, are viewed as a different phase. This conception of the events has the merit of clarity, with clearly defined phases. At the same time, having regard to the Cyber Kill Chain and the specific facts of the Cyber Attack, the period between the Command and Control stage (i.e. gaining control of Workstation A) and the Actions on Objectives stage (i.e. retrieving and stealing records from the SCM database) may be viewed holistically as a period of privilege escalation and lateral movement – where the attacker moved from system to system within the network, and gained additional privileges by compromising more accounts and systems. Viewed in this light, the events of June 2018 may also constitute privilege escalation and lateral movement.
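The masquerading described earlier on this page (PowerShell scripts delivered under .jpg file names) can be caught by comparing a downloaded file's leading bytes with what its extension claims. The check below is an added example, not code from the report or from CSA; the magic-byte table, the PowerShell token list and the sample file contents are all constructed for illustration.

```python
"""Flag downloaded files whose extension claims an image but whose bytes do not."""
import re
from pathlib import PurePath

# Leading bytes (magic numbers) that genuine files of each type begin with.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Tokens common in PowerShell source; finding them inside an "image" is suspicious.
PS_TOKENS = re.compile(
    rb"(?i)(\b(function|param|foreach|Invoke-\w+|New-Object|Start-Process)\b|\$\w+\s*=)"
)


def classify(name: str, data: bytes) -> str:
    """Return 'ok', 'mismatch' or 'script-in-image' for one file.

    'mismatch': the extension claims an image type but the magic bytes differ.
    'script-in-image': as above, and the body also looks like PowerShell.
    Extensions not in MAGIC are not judged and return 'ok'.
    """
    ext = PurePath(name).suffix.lower()
    expected = MAGIC.get(ext)
    if expected is None or any(data.startswith(m) for m in expected):
        return "ok"
    if PS_TOKENS.search(data):
        return "script-in-image"
    return "mismatch"


def scan(files: dict) -> dict:
    """Classify every (name -> bytes) entry; returns name -> verdict."""
    return {name: classify(name, data) for name, data in files.items()}


# Constructed samples: a genuine JPEG header, a script renamed to .jpg,
# and a PNG body carrying a .jpeg name.
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01",
    "logo.jpg": b"param($u)\n$c = New-Object Net.WebClient\nWrite-Output $c\n",
    "scan.jpeg": b"\x89PNG\r\n\x1a\n....",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```

In practice the same check belongs at the proxy or endpoint where downloads are written to disk, so that a mismatch is logged before the file is ever opened.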