COI Report – Part III Page 89 of 425

respect, the Committee agrees with the Solicitor-General’s submission that the events concerning Zhao in September 2014 were a missed opportunity.

264. Investigations by the CID did not reveal any evidence of Zhao being involved in the Cyber Attack.

15.7 Other vulnerabilities in the network that were identified in the FY16 H-Cloud Pen-Test which could have been exploited by the attacker for privilege escalation and lateral movement

15.7.1 Administrator credentials were found on network shares

265. The FY H-Cloud Pen-Test revealed that administrator credentials were found in network shares. A Citrix administrator password was also found in a Windows batch file. The implication of this was that attackers having access to such files, or with physical or network access to shared folders, could read this sensitive information and further use it to perform enhanced focused attacks.

266. In the course of investigations, Citrix Server 1 was found to contain a batch file with administrator credentials in it. The batch file was created on 9 April 2017 and contained the administrator credentials of the LA. account in cleartext. This remained available on the server until the server was taken offline for forensic imaging on 13 June 2018. CSA has given evidence that it is a reasonable hypothesis that the attacker gained initial access to the file system of Citrix Server 1, and obtained the credentials for the LA. account, which were saved in the batch file in this server.

267. Similarly, during a scanning process done after the Cyber Attack, a script file containing credentials for an administrator account was found, which had the password ‘P@ssw0rd’. This was in fact the very same account flagged by the penetration testers during the FY H-Cloud Pen-Test.

268. Back in March 2017, after being informed of the findings from the FY H-Cloud Pen-Test, Lum sent an email to the Citrix Team, directing them to