COI Report – Part III, Page 62 of 425

173. The unauthorised logins to Citrix Server 1 were also made via Remote Desktop Protocol (“RDP”) from workstations which would not ordinarily use the L.A. account, including (i) the PHI 1 Workstation; (ii) an SGH workstation referred to in this report as “Workstation C”; (iii) VM 1; and (iv) VM 2.
174. On 11 June 2018, IHiS staff became aware of the unusual logins to Citrix Server 1 using the L.A. account, and they changed the password for the L.A. account that same evening. This was based on the understanding that (i) the L.A. account is not ordinarily used for day-to-day operations, and (ii) the unauthorised logins to Citrix Server 1 were made from workstations with hostnames which would not ordinarily use the L.A. account.
175. On 12 June 2018, the attacker attempted to log in to Citrix Server 1 using the L.A. account, but was unable to do so. It then used another account to access the server.

Failed attempts to log in to the SCM database from 24 May to 12 June 2018

176. Starting from 24 May 2018, the attacker made a number of failed attempts to log in to the SCM database from Citrix Server 1. These attempts failed because the attacker either used invalid user-IDs, or used valid user-IDs for which the login nonetheless failed; the latter group included the user-ID of the user account of Workstation A. The failed logins prior to 11 June 2018 were not noticed by IHiS staff at the time.
177. On 11 June 2018, the attacker made a number of failed attempts to log in to the SCM database from Citrix Server 1. Most of these attempts failed because the attacker used invalid user-IDs. The attacker also attempted to use the D.A. account to log in to the SCM database, but this was unsuccessful because the account had not been granted permission to access the SCM database. It was on 11 June 2018 that Katherine, an IHiS database administrator, noticed some of the failed logins from that day.
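The detection signals in paragraphs 173 to 177 (a rarely used local administrator account logging on over RDP from workstations that never use it, a burst of failed database logins from one server using user-IDs that do not exist, and a privileged OS account refused by the database because it holds no grant there) can be written as simple rules over logon telemetry. The Python below is an added example and is not part of the COI report or of IHiS's tooling; the sample records, the simplified field names, the hostnames (ADMIN-JUMP, PHI1-WS, WORKSTATION-C, VM-1, APP-SERVER-7) and the per-account host baseline are all constructed for illustration.

```python
"""Added example (not from the COI report): detection rules for the
activity described in paragraphs 173-177, run over constructed records."""
from collections import defaultdict

# Constructed sample telemetry. Field names are a simplified projection of
# Windows Security events (4624 = successful logon, 4625 = failed logon,
# logon_type 10 = RemoteInteractive, i.e. RDP; 104 = System log cleared)
# plus a generic database login-audit record. None of these records, hosts
# or reasons come from the report.
EVENTS = [
    {"kind": "win", "id": 4624, "logon_type": 10, "user": "LA", "host": "CITRIX-1", "src": "ADMIN-JUMP"},
    {"kind": "win", "id": 4624, "logon_type": 10, "user": "LA", "host": "CITRIX-1", "src": "PHI1-WS"},
    {"kind": "win", "id": 4624, "logon_type": 10, "user": "LA", "host": "CITRIX-1", "src": "WORKSTATION-C"},
    {"kind": "win", "id": 4624, "logon_type": 10, "user": "LA", "host": "CITRIX-1", "src": "VM-1"},
    {"kind": "win", "id": 4624, "logon_type": 2, "user": "alice", "host": "CITRIX-1", "src": "CITRIX-1"},
    {"kind": "db", "result": "fail", "reason": "invalid_user", "user": "sa_backup", "db": "SCM", "src": "CITRIX-1"},
    {"kind": "db", "result": "fail", "reason": "invalid_user", "user": "admin2", "db": "SCM", "src": "CITRIX-1"},
    {"kind": "db", "result": "fail", "reason": "bad_password", "user": "ws_a_user", "db": "SCM", "src": "CITRIX-1"},
    {"kind": "db", "result": "fail", "reason": "not_authorised", "user": "DA", "db": "SCM", "src": "CITRIX-1"},
    {"kind": "db", "result": "fail", "reason": "bad_password", "user": "bob", "db": "SCM", "src": "APP-SERVER-7"},
    {"kind": "db", "result": "ok", "user": "scm_app", "db": "SCM", "src": "APP-SERVER-7"},
    {"kind": "win", "id": 104, "user": "LA", "host": "CITRIX-1", "src": "CITRIX-1"},
]

# Privileged accounts that are not used for day-to-day operations, and the
# hosts from which each is ordinarily used. The baseline is an assumption
# standing in for whatever an organisation has actually recorded.
DORMANT_PRIVILEGED = {"LA", "DA"}
BASELINE_SOURCES = {"LA": {"ADMIN-JUMP"}, "DA": {"ADMIN-JUMP"}}

RDP_LOGON_TYPE = 10
LOG_CLEARED_IDS = {104, 1102}  # 104: System log cleared, 1102: Security log cleared


def privileged_rdp_from_unexpected_hosts(events):
    """Successful RDP logons by a dormant privileged account from a host
    outside that account's baseline: the signal IHiS acted on for the L.A. account."""
    alerts = []
    for e in events:
        if e["kind"] != "win" or e["id"] != 4624 or e["logon_type"] != RDP_LOGON_TYPE:
            continue
        if e["user"] in DORMANT_PRIVILEGED and e["src"] not in BASELINE_SOURCES.get(e["user"], set()):
            alerts.append((e["user"], e["host"], e["src"]))
    return alerts


def db_login_failures_by_source(events, threshold=3):
    """Per source host, count failed database logins and split them into
    non-existent user-IDs versus real accounts that still failed. Only hosts
    at or above the threshold are reported, so a single mistyped password
    elsewhere does not fire."""
    counts = defaultdict(lambda: {"invalid_user": 0, "other": 0})
    for e in events:
        if e["kind"] != "db" or e["result"] != "fail":
            continue
        bucket = "invalid_user" if e["reason"] == "invalid_user" else "other"
        counts[e["src"]][bucket] += 1
    return {src: c for src, c in counts.items() if c["invalid_user"] + c["other"] >= threshold}


def privileged_accounts_denied_by_db(events):
    """Dormant privileged OS accounts tried against the database and refused
    because the account holds no database permission (the D.A. account case)."""
    return sorted({e["user"] for e in events
                   if e["kind"] == "db" and e["result"] == "fail"
                   and e["reason"] == "not_authorised" and e["user"] in DORMANT_PRIVILEGED})


def log_cleared_events(events):
    """Event-log clearing on the server itself, which is tampering rather than
    a failure and should alert regardless of who performed it."""
    return [(e["host"], e["user"], e["id"]) for e in events
            if e["kind"] == "win" and e["id"] in LOG_CLEARED_IDS]


if __name__ == "__main__":
    print("privileged RDP from unexpected hosts:", privileged_rdp_from_unexpected_hosts(EVENTS))
    print("hosts with repeated DB login failures:", db_login_failures_by_source(EVENTS))
    print("privileged accounts refused by DB:", privileged_accounts_denied_by_db(EVENTS))
    print("log cleared:", log_cleared_events(EVENTS))
```

On real Windows telemetry the equivalent fields in events 4624 and 4625 are TargetUserName, LogonType and WorkstationName (with IpAddress for the peer), and a database that reports why a login failed (for instance a non-existent login versus a wrong password versus an account with no grant on the target database) is what makes the invalid-user split possible; a failed-login feed that carries only a count cannot distinguish the three cases the report describes. The rule for the L.A. account is deliberately a baseline of source hosts rather than a rate limit: the report's point is that even one RDP logon with that account from PHI 1 Workstation or a VM was anomalous.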
178. The Citrix system event log for Citrix Server 1 was also deleted in the evening of 11 June 2018. The system event log is a set of Windows generated