COI Report – Part IV Page 147 of 425

447. Ernest has explained that even though the IP address range was not part of the SingHealth network, he did not think that this was a security incident because he had already taken action to impose firewall blocks for the IP address range, thus preventing any access to any of the SingHealth servers from this IP address range.

24.5 Discovering background processes being run on Citrix Server 2

448. Curious about what the SA. account was doing when logged into Citrix Server 2, Lum reviewed the system task-list and noticed some background processes being executed. However, he was unable to ascertain what scripts were being run. Lum forwarded a screenshot of the task-list via email to Benjamin and the Citrix Team at pm on 26 June 2018.

24.6 Discovering the use of the DA. account to access Citrix Server 3 from Citrix Server 2 and that the system event logs for these servers were deleted

449. On 26 June 2018, the Citrix Team reviewed the security event logs for Citrix Server 2 and discovered that the DA. account was used to access the H-Cloud Citrix Server 3 from Citrix Server 2. As explained in Part III above, it is probable that the attacker had stolen SCM database credentials from Citrix Server 3 at this time.

450. As mentioned above in section 20.1 (pg 116), the password for the DA. account had been changed on 11 June 2018. When contacted, the domain administrator confirmed that he had not logged into Citrix Servers 2 and 3 on 26 June. On 26 June 2018, the domain administrator changed the passwords to the DA. account again.

451. The Citrix Team also discovered on 26 June 2018 that the Windows event logs for Citrix Servers 2 and 3 were deleted earlier that afternoon. This was further evidence of malicious activity.