Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part III Page 82 of 425

15.3.4 Lack of sight over and mismanagement of the SA. service account

244. As explained above, the SA. account was used by the attacker to access Citrix Server 2, including when querying the SCM database. The existence of and privileges attached to the account facilitated this use. From the evidence, the Committee finds three points that are relevant in this regard.

a) First, to begin with, there was no real need for the SA. account to exist, as there was no actual use in IHiS of the relevant service for which it was created. Yet it existed on all Citrix servers in which the service had been installed, and the account had full administrative privileges to log in to the server, including logging in interactively.

b) Second, the Citrix Team did not know of this account. Lum’s evidence is that he had first come to know of the account on 13 June 2018, after the Citrix Team discovered that the account was used in unauthorised logins to Citrix Server 2.

c) Third, the SA. account was an unused account that should have been identified and disabled in accordance with IHiS’ policies. An unused account refers to accounts that were created but never logged into. As mentioned above, unused accounts should be identified and disabled in line with the HITSPS, in order to prevent usage in unauthorised activities. This however was not done. The GPOs for password policies also did not apply to the account as block policy inheritance was applied.

15.3.5 Observations on the overall management of SGH Citrix servers

245. A number of weaknesses in respect of securing the SGH Citrix servers against unauthorised access have been identified above. As the Solicitor-General has submitted, such failures likely stem from a failure to recognise the SGH Citrix servers as being part of a mission-critical system. While IHiS recognised the SCM system to be a mission-critical system, it did not regard the Citrix
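The two control gaps described under 15.3.4, an account created but never logged into, and a server OU where "Block Inheritance" stopped the domain password GPOs from applying, can both be found with a routine directory audit. The following PowerShell is an added illustration, not code from the COI report or from IHiS; it assumes the RSAT ActiveDirectory and GroupPolicy modules, a read-only audit identity, and the placeholder OU paths shown.

```powershell
# Added example (not from the COI report). Assumes RSAT ActiveDirectory and
# GroupPolicy modules; OU distinguished names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Find-UnusedAccounts {
    # "Unused" in the report's sense: created, still enabled, never logged into.
    param(
        [string]$SearchBase = "OU=ServiceAccounts,DC=example,DC=local",  # placeholder
        [int]$MinAgeDays = 30   # ignore accounts created very recently
    )
    $cutoff = (Get-Date).AddDays(-$MinAgeDays)
    # LastLogonDate is derived from lastLogonTimestamp, which replicates only
    # every ~14 days, so it is a coarse value; it is $null for an account that
    # has never logged on anywhere in the domain.
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties whenCreated, LastLogonDate, PasswordNeverExpires, MemberOf |
      Where-Object { $null -eq $_.LastLogonDate -and $_.whenCreated -lt $cutoff } |
      Select-Object SamAccountName, whenCreated, PasswordNeverExpires,
        @{ n = 'PrivilegedGroups'
           e = { ($_.MemberOf | Where-Object { $_ -match 'Admin' }) -join ';' } }
}

function Test-GpoInheritanceBlocked {
    # Reports whether each OU blocks inheritance, which is what kept the
    # domain password-policy GPOs from reaching the SA. account's servers.
    param([string[]]$OuPaths)
    foreach ($ou in $OuPaths) {
        $inh = Get-GPInheritance -Target $ou
        [pscustomobject]@{
            OU                 = $ou
            InheritanceBlocked = $inh.GpoInheritanceBlocked
            LinkedGpos         = ($inh.GpoLinks | ForEach-Object { $_.DisplayName }) -join ';'
        }
    }
}

# Usage: review the list, then disable. -WhatIf previews; drop it once confirmed.
$serverOu = "OU=Citrix,OU=Servers,DC=example,DC=local"   # placeholder
$unused   = Find-UnusedAccounts -SearchBase $serverOu
$unused | Format-Table -AutoSize
$unused | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
Test-GpoInheritanceBlocked -OuPaths $serverOu | Format-Table -AutoSize
```

Whether an account can log on interactively to a given server is governed by that server's local Administrators membership and user-rights assignments, which this script does not inspect; check those separately on each Citrix server.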