COI Report – Part IV
Page 125 of 425
21.4 Disabling logins to Citrix Server 1 and informing the CERT and
Wee
364. In view of the above circumstances, the Citrix Team disabled logins to
Citrix Server 1. Thereafter, in the afternoon of 12 June 2018, the Citrix Team sent an email to Sean Navin from the SMD, informing the latter (i) of attempts to connect to the SCM production database from Citrix Server 1 on 12 June 2018, and (ii) that they found the suspicious folder in all user sessions, and seeking
Sean’s help to “gather any information suspicious about this abnormal
behaviour”. The Citrix Team also provided a screenshot of the log entry showing the presence of malware on Citrix Server 1, but did not make clear which computer or server this malware had been detected, or what its significance was.
365. Subsequently, Sean forwarded the email to Benjamin at pm on 12 June 2018, seeking the latter’s assistance on the matter in his capacity as a member of the CERT. Benjamin replied at pm on 12 June 2018, copying Ernest, Wee, and two other members of both the SMD and CERT, Zac Lim Zi Yang (“Zac”) and Muhammad Azzlan Bin Zainuddin (“Azzlan”).
366. In their subsequent correspondence on 12 June 2018, Benjamin and
Veerendra agreed to meet at SGH the next morning. Benjamin also clarified the following (i) that in order to install the suspicious folder in every user’s profile, administrative rights are required, and (ii) that it will be possible to suspend
Citrix Server 1.
367. Notably, Ernest and Wee were copied in Benjamin’s pm emails. Ernest did not read this email as he was overseas at the time. Wee states that he
“glanced through” the emails the next morning and “do(es) not recall looking in
detail at the logs and screenshots in the first email” from the Citrix Team. Likewise, for subsequent emails in the thread received by him on 13 and 14 June
2018, he explains that he “may have briefly gone through the details of these
emails, but (he) cannot remember them now.” In any case, Wee did not take any followup action in spite of the information he had received.
|
