COI Report – Part IV
Page 121 of 425

sufficient privileges to delete system logs. CSA is of the view that this, and other instances of deleted server logs detected by IHiS staff subsequently, should have been reported to CSA as a security incident.

e) Fifth, the Citrix Team became aware that Citrix Server 1 was previously infected with malware (this was in fact a hacking tool used by the attacker). This indicated that there was malicious activity occurring in a server directly connected to a CII system, and CSA is of the view that this should have been reported to CSA as a security incident.

f) Sixth, Lum was aware that he ought to have informed the SMD (e.g. Ernest, head of the SMD team for SingHealth and the SingHealth SIRM) should he encounter a security incident. However, he did not do so in June 2018, despite believing that the L.A. account had been compromised, and all the other findings identified above.
350. Vivek has also observed that the Citrix Team's action of hurriedly resetting the compromised passwords during the investigations could have hampered the investigations, as doing so would have flagged to the attacker that his presence had been discovered. In such a scenario, attackers usually respond by moving over to other passwords that have not yet been flagged as compromised, as was the case in the Cyber Attack. In the process, an investigation team can lose track of the attacker, at least temporarily, until further compromised passwords are discovered. In Vivek's expert opinion, a better practice would be to put the compromised passwords on active monitoring and use them to learn more about the attacker's behaviour as well as his presence across other systems within the network.
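The monitoring practice Vivek describes, as an added illustration that is not part of the COI Report: known-compromised accounts are placed on a watchlist rather than reset, every use of them is recorded, and the successful hops are chained to show which hosts the attacker is reaching. The account names, host names and log lines below are constructed for this example, and the log layout is a hypothetical one.

```python
"""Watchlist monitoring of known-compromised accounts (constructed example)."""
from collections import defaultdict
from datetime import datetime

# Accounts the investigation has already identified as compromised (constructed names).
WATCHLIST = {"LA_ACCOUNT", "SVC_BACKUP"}

# Constructed authentication log; hypothetical layout: ts user src_host dst_host result
SAMPLE_LOG = """\
2018-06-11T08:01:00 LA_ACCOUNT WS-1 CITRIX-1 success
2018-06-11T08:03:10 j.tan WS-2 FILE-1 success
2018-06-11T08:07:45 LA_ACCOUNT CITRIX-1 CITRIX-2 success
2018-06-11T08:09:02 LA_ACCOUNT CITRIX-2 DB-1 failure
2018-06-11T08:12:30 SVC_BACKUP CITRIX-2 DB-1 success
"""


def parse(line):
    """Split one log line into (timestamp, user, src_host, dst_host, result)."""
    ts, user, src, dst, result = line.split()
    return datetime.fromisoformat(ts), user, src, dst, result


def track(log_text, watchlist=WATCHLIST):
    """For each watched account, collect its ordered events and every host it touched.

    Failed attempts are kept too: a failure against a new host still tells the
    investigators where the attacker is probing with that credential."""
    trail = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, src, dst, result = parse(line)
            if user in watchlist:
                trail[user].append((ts, src, dst, result))
    return {u: {"events": ev, "hosts": {h for e in ev for h in (e[1], e[2])}}
            for u, ev in trail.items()}


def lateral_chain(events):
    """Hosts reached in order, following successful logons only."""
    chain = []
    for _, src, dst, result in events:
        if result == "success":
            if not chain:
                chain.append(src)
            chain.append(dst)
    return chain


if __name__ == "__main__":
    for user, info in track(SAMPLE_LOG).items():
        print(user, "->", " -> ".join(lateral_chain(info["events"])))
        print("  hosts seen:", sorted(info["hosts"]))
```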
351. In respect of the events of 11 June 2018, the responses of Katherine, Lum and the Citrix Team were inadequate on the whole. They could not fully appreciate the security implications of their findings, and were unable to correlate