COI Report – Part IV Page 138 of 425

415. However, the fact is that throughout the entire period of IHiS’ response to the Cyber Attack, neither Wee nor Ernest, who each had responsibilities under the IR-SOP for leading the SIRT and coordinating the incident response, took any steps to activate the SIRT. Instead, coordination of the incident response was left to the CERT, with its staff of three relatively junior and inexperienced officers.

23 EVENTS OF 14 TO 25 JUNE 2018

23.1 Monitoring access to the Citrix servers and the SCM database

416. In the morning of 14 June 2018, Benjamin emailed Lum, Vicky, and Veerendra from the Citrix Team, his fellow CERT members, and Ernest and Wee, laying out an action plan. Vicky and Veerendra were tasked with monitoring access to the Citrix servers. Azzlan, a member of the CERT, was tasked with “monitoring direct access attempts to the SCM database…[and] to identify rogue internal PCs”. Between 14 and 25 June 2018, IHiS staff did not detect any unusual logins or attempted logins to the Citrix servers or the SCM database. Wee, once again, “cannot quite remember if (he) read this email”, and took no further action.

23.2 Forensic investigations into the PHI 1 Workstation and Workstation C

417. Further to Benjamin’s 14 June 2018 action plan, the CERT commenced forensic investigations on the PHI 1 Workstation on 14 June 2018. On 18 June 2018, Workstation C was seized, and forensic investigations on the PHI 1 Workstation had to be stopped on that day in order for forensic investigations on Workstation C to begin. The team was unable to find any evidence of malware or suspicious activities or files on either of the workstations.

418. The CERT team was hampered by their inability to run forensic investigations of the workstations concurrently. Although the CERT had been set up in March 2018, they had not yet been provided with workstations that were