Phishing, ransomware and infected hardware major cyber threats for Singapore

In 2024, the cyber threat landscape in Singapore was dominated by phishing attempts, ransomware attacks and infected hardware. 

Phishing attempts in Singapore increased by 49 per cent to 6,100 cases, according to the annual Singapore Cyber Landscape 2024/2025 report released by the Cyber Security Agency of Singapore (CSA) on Wednesday.  

The banking and financial services (BFS) sector was the most targeted industry. 

Ransomware attacks increased by 21 per cent from last year, with 159 reported cases. 

Infected computer infrastructure remained a concern with a 67 per cent increase from 70,200 infected systems in 2023 to 117,300 in 2024.

CSA's analysis primarily attributed these increased attacks to botnet drones, a network of computer devices that were coordinated by a central command and control (C&C) to propagate malware. 

The study found that many of the infected systems in Singapore involved old malware strains that could have been remediated with existing measures, but these were not implemented.  

This underscored a troubling fact – that even as ransomware and other cyber threats grew, users were not updating and patching vulnerable software. 

To address this, the government launched several initiatives to strengthen collective cyber defence and remediate unpatched software.  

One such was CSA's participation in an international operation against a global botnet in September 2024, which helped remediate 2,700 infected devices in Singapore.  

Singapore has been a pioneering and leading member of the Counter Ransomware Initiative (CRI), which involved over 70 member countries.

The initiative aimed to build collective resilience against ransomware attacks and disrupt the ransomware criminal industry.  

Singapore will host the next CRI Summit on October 24, 2025, to drive further discussions with international partners to deal with the global challenge of ransomware.  

APT groups targeting SEA governments 

The report noted that advanced persistent threat (APT) activity has increased globally and especially in Southeast Asia (SEA).

APT groups were primarily state-sponsored and targeted government and critical infrastructure for espionage purposes.  

These groups have focused on targeting network edge devices, like smart cameras and industrial sensors, as well as relay networks to blend in with existing network traffic to limit detection and complicated attribution.  

The report observed that during the reporting period, SEA governments were targeted by APT groups. 

To subscribe to the GovInsider bulletin, click here. 

In March last year, the Infocomm Media Development Authority of Singapore (IMDA) published a report which identified two groups, Stately Taurus and an unidentified actor, posing significant threats due to their potential to exfiltrate sensitive information.   

The IMDA report noted that the activities of the two groups “demonstrated how organisations are targeted to fulfil the mission objective of collecting intelligence of geopolitical interests within the region”. 

Interestingly, the CSA report noted that APTs across SEA were observed using similar tools and attack vectors that facilitate low-impact and long-term operations.  

Leak highlights how APT activity works 

Leaks from the Chinese security company i-Soon in February 2024 confirmed a long-held suspicion: multiple state-sponsored hacking groups use the same tools and infrastructure, the report observed. 

The report suggested that by identifying shared infrastructure, cyber defenders can better track suspicious activity and find the source of the threat. 

To counter these highly sophisticated threat actors, CSA has strengthened its coordinated response framework across key areas. 

This included enhanced protection through sustained collaboration with critical infrastructure (CII) owners and expanded ecosystem protection covering vendors and suppliers.  

The report mentioned that Singapore has faced and continued to face attacks from APT groups.  

One such group was UNC3886, which Coordinating Minister for National Security, K Shanmugam, had publicly disclosed at CSA’s 10th Anniversary Dinner on July 18, 2025.  

One of the immediate remedial measures taken by Singapore in the wake of the UNC2886 attack was making it mandatory for CII owners to immediately report cyberattacks to ensure that the government could mount a coordinated countrywide counter-response. 

Sharpening response capabilities 

CSA sought to sharpen nationwide cyber crisis response capabilities through exercises like Exercise Cyber Star, which was a nationwide cyber crisis management exercise in July-August this year. 

The exercise aimed to enhance the capability and readiness of Singapore’s CII sectors to respond effectively to cyberattacks.  

This year’s exercise was the largest in scale and most intensive to date, held over 11 days and involving close to 500 participants from CSA, CII sector leads, the Singapore Armed Forces’ Digital and Intelligence Service (DIS) and owners of CII from 11 sectors. 

The 11 CII sectors comprise aviation, banking and finance, energy, government, healthcare, infocomm, land transport, maritime, media, security and emergency, and water. 

Simultaneously, CSA has deepened international cooperation to address transnational cybersecurity challenges through regular Cyber Emergency Response Team-to-CERT exchanges with international counterparts, and participation in cross-border operations to disrupt malicious cyber activities.  

Singapore’s Commissioner of Cybersecurity and Chief Executive of CSA, David Koh, noted that Singapore currently faces persistent and severe cyber threats from APT groups and other foreign actors.  

He emphasised that these “pose a substantial risk to national security” due to the cascading effects of such attacks. 

“Malicious and advanced threat actors continue to pose a danger to our national security, digital economy and way of life.  

“Additionally, artificial intelligence (AI)-powered deepfakes and scams trick companies and individuals out of large sums of hard-earned monies,” Mr Koh said.  

He added that CSA had “re-doubled its efforts… to work towards a future where everyone can live and work online in a trusted, resilient, and vibrant cyberspace”.