COI Report – Part III Page 60 of 425

14.4.4 Obtaining credentials of the S.A. service account

165. The attacker compromised a system level service account, referred to in this report as the “S.A. account”. The S.A. account has full administrative privileges to log in to the Citrix server, including logging in interactively and logging in remotely via RDP. In the context of the attack, the attacker used this account to log in to Citrix Server 2 on multiple occasions in June 2018.

166. IHiS did not have any operational use of the service for which the S.A. account was created. CSA has observed that the attacker could have acquired the credentials to the S.A. account through the malware it used.

14.4.5 Obtaining credentials for the D.A. domain administrator account

167. The attacker also compromised a domain administrator account, referred to in this report as the “D.A. account”. A domain administrator account is a member of the administrators group on all domain controllers, all domain workstations, and all servers that are members of the domain. An administrator account gives the user full control of the files, directories, services, and other resources that are under the control of the servers in the domain. In the context of the Cyber Attack, compromising the D.A. account allowed the attacker to access and control the SGH Citrix servers.

168. The D.A. account was subsequently used in attempts to log in to the SCM database, and in connecting from Citrix Server 2 in SGH to Citrix Server 3 in the H-Cloud.

14.4.6 Establishing control over Workstation B on 17 April 2018

169. On 17 April 2018, the attacker gained access to Workstation B, a workstation in the SGH, and planted a copy of RAT 2, thus gaining control of the workstation. Workstation B was a workstation which had access to the SCM application.
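Paragraphs 165 and 166 describe a service account that could log in interactively and via RDP, and that had no operational use. The following added example (not part of the COI report, and not IHiS or CSA tooling) shows the check a defender would run over Windows Security logon events to surface both conditions: the service-account inventory, account names, hosts, addresses and event records are all constructed for illustration.

```python
# Event 4624 = successful logon. Logon types that imply a human-style session:
INTERACTIVE_LOGON_TYPES = {2: "Interactive (console)", 10: "RemoteInteractive (RDP)"}

# Hypothetical service-account inventory (constructed). 'in_use' records whether
# any system still depends on the account; svc_citrix_mgmt stands in for the
# report's S.A. account, for which there was no operational use.
SERVICE_ACCOUNTS = {
    "svc_citrix_mgmt": {"in_use": False},
    "svc_backup": {"in_use": True},
}

def audit_logons(events):
    """Return one finding per 4624 event that a service account should not produce."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4624:
            continue  # only successful logons are of interest here
        acct = ev["TargetUserName"].lower()
        profile = SERVICE_ACCOUNTS.get(acct)
        if profile is None:
            continue  # not a service account; out of scope for this check
        reasons = []
        session = INTERACTIVE_LOGON_TYPES.get(ev["LogonType"])
        if session:
            reasons.append(f"{session} logon by a service account")
        if not profile["in_use"]:
            reasons.append("account has no operational use and should be disabled")
        if reasons:
            findings.append({
                "time": ev["TimeCreated"], "account": acct,
                "host": ev["Computer"], "source": ev.get("IpAddress", "-"),
                "reason": "; ".join(reasons),
            })
    return findings

# Constructed sample events mirroring the fields of Windows Security event 4624.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2018-06-11T09:14:02Z", "Computer": "CITRIX-SRV-2",
     "TargetUserName": "svc_citrix_mgmt", "LogonType": 10, "IpAddress": "10.0.5.23"},
    {"EventID": 4624, "TimeCreated": "2018-06-11T09:20:45Z", "Computer": "FILE-SRV-1",
     "TargetUserName": "svc_backup", "LogonType": 5, "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2018-06-11T10:02:13Z", "Computer": "FILE-SRV-1",
     "TargetUserName": "svc_backup", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2018-06-11T10:05:00Z", "Computer": "WS-B",
     "TargetUserName": "jdoe", "LogonType": 10, "IpAddress": "10.0.7.41"},
    {"EventID": 4625, "TimeCreated": "2018-06-11T10:07:30Z", "Computer": "CITRIX-SRV-2",
     "TargetUserName": "svc_citrix_mgmt", "LogonType": 10, "IpAddress": "10.0.5.23"},
]

if __name__ == "__main__":
    for f in audit_logons(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} {f['account']} from {f['source']}: {f['reason']}")
```

The same check is simpler still to enforce preventively: deny interactive and Remote Desktop logon rights to service accounts, and disable accounts for which no service exists.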