SINGAPORE: Documents leaked onto the dark web last year claim that 255 Singapore organisations linked to the country’s critical information infrastructure (CII) were infiltrated as part of clandestine cyber operations.
The trove of 12,000 documents was leaked from a group allegedly conducting hacking operations while operating publicly as a cybersecurity firm.
CNA is not naming the group for security reasons.
One of the documents lists countries of interest, with Singapore among them.
The files claim that the firms connected to key CII sectors such as telecommunications, energy and finance were compromised.
Tech giant Google’s cybersecurity arm has said there are signs that a state-backed group may have been involved.
Redacted samples of the leaked documents.
“We saw some mentions that Singapore was part of the target regions that were tasked by the customers of that private company to target for collection purposes,” said Mr Lim Yihao, lead threat intelligence advisor for Japan, Asia-Pacific and the Middle East and Africa at the Google Threat Intelligence Group.
He noted that there was “some sort of working relationship between state actors and private contractors”.
However, Mr Lim was cautious in attributing the alleged attack to any particular country.
“The documents could be fabricated, and of course, could be done by somebody else who wants to make another country look bad,” he added.
Cybersecurity experts told CNA that the attack could be the tip of the iceberg of a growing trend of small- and medium-sized enterprises (SMEs) being targeted by hackers.
Because many firms supporting CII operators are SMEs, vulnerabilities may lie further down the digital supply chain, they warned.
It is not the first time entities in Singapore have come under attack.
In 2025, Coordinating Minister for National Security K Shanmugam identified the advanced persistent threat group UNC3886 as being behind an ongoing cyberattack on Singapore. It was later revealed that the group was targeting the telco sector.
UNC3886 is described by Mandiant – a cybersecurity firm owned by Google – as a “suspected China-nexus espionage actor” that has targeted prominent strategic organisations globally. The Chinese government has denied any links to UNC3886.
A report from the Cyber Security Agency of Singapore (CSA) found that suspected attacks by advanced persistent threats like UNC3886 surged more than fourfold from 2021 to 2024.
Mr Adam Meyers, senior vice president of counter adversary operations at US cybersecurity firm CrowdStrike, said Singapore remains among the top five most targeted countries in Asia-Pacific.
“Singapore's very critical and sits at the crossroads of shipping into Asia. (It) is a financial centre across Asia-Pacific and (other countries) would certainly want to collect intelligence about what's coming in, what's going out, where is it going,” he said.
He added that telecommunications systems are particularly valuable from an intelligence perspective, for example when a foreign country is trying to locate dissidents.
“You can actually hunt them down based on their cell phone number and see not just information about them, but where they were moving, who they were with, what they were texting about, things like that,” he noted.
Analysts say these foreign actors could potentially gain access to telcos and other critical infrastructure by first infiltrating the SMEs in their supply chain.
Attacks on Singapore organisations come from different types of threat actors:
Increasingly, analysts say these roles can overlap.
In some scenarios, a state-backed actor seeking access to a target could obtain entry points or intelligence from criminal groups such as IABs.
With that information, they could rally and direct hacktivists, ransomware or even organised crime groups to launch an attack. Such misdirection can complicate investigations, potentially creating confusion over who is ultimately responsible, experts say.
Ms Jennifer Soh, head of high-tech crime investigation for Asia-Pacific at cybersecurity firm Group-IB, said collaboration between experienced cybercriminals can make attacks “more sophisticated”.
“They will leave little traces, making (it) difficult to investigate them.”
Identifying who is behind an intrusion is crucial for investigators, added Google’s Mr Lim.
“Once we know who is behind this, or which nation, we roughly know what they're after based on the geopolitical tensions that we are seeing, and it helps us to quickly identify what they're after, what are the crown jewels we should protect.”
Collapse Expand
Singapore’s CII sectors are governed by the Cybersecurity Act, which imposes higher security standards and mandatory incident reporting obligations.
But experts warn that while these companies may be tightly regulated, the ecosystem around them may not be.
CII operators rely on vendors – which include SMEs – for logistics, software development, engineering and professional services.
Yet, many of these smaller firms are not directly regulated under the Act.
In a highly connected digital ecosystem, weaker cybersecurity at smaller vendors can provide threat actors with a foothold that may lead to larger, more strategically important organisations, experts say.
“It is a massive weakness,” said Mr Nicky Choo, vice president and general manager for Asia-Pacific at cybersecurity provider Mimecast.
“Every organisation that does business with every large organisation that's part of the critical infrastructure is a target for attack. So, a lot of cyber attackers now go after the weakest link, which is the easier way in,” he added.
According to the CSA’s Singapore Cyber Landscape 2024/2025 report, ransomware cases rose by 21 per cent in 2024, with 159 incidents recorded.
Manufacturing and professional services were among the most affected, with the majority of the attacks in the professional services industry targeted at SMEs.
Mr Gaurav Keerthi, CEO of cybersecurity firm Strongkeep, said SME incidents may be more common than official numbers suggest.
“It’s a lot of voluntary declaration if there is an incident … But generally, we think there's a massive under-reporting of cases in the SME space.”
He added that attackers are increasingly drawn to smaller firms.
“(They’re) easier to attack. It's gotten more lucrative to get some money out of these smaller companies, and many of them have become more digital in the last few years.”
With over 350,000 SMEs operating in Singapore as of 2024, the sheer volume of smaller firms provides attackers with many potential entry points.
“Unfortunately, the smaller companies, despite being more heavily targeted, continue to be less protected than the rest of the economy,” Mr Keerthi said.
For some SMEs, the threat is not theoretical.
In October 2023, freight forwarding firm Penanshin Air Express found itself at the centre of a cyberattack.
A ransomware group locked its employee data, quotes and client information. Two related companies were also compromised, according to the firm’s executive director Bernard Chan.
The attackers demanded US$15 million, which Penanshin ultimately refused to pay.
An email from the attackers who targeted Penanshin Air Express.
Fortunately, its core operational database was not affected.
“We were lucky. The attack didn't hit our critical data. It was only our old data. Business went on as normal,” Mr Chan said.
But because sensitive information was leaked, Penanshin worked closely with the police, the Personal Data Protection Commission and CSA over the next year on investigations.
The incident was a wake-up call for the company, underscoring the sense of helplessness many smaller firms experience in the face of cyberattacks.
“For SMEs, cost is a really big issue. Second, we do not have knowledge about what to do,” Mr Chan said.
The firm eventually tightened its cybersecurity defences with the help of external specialists, installing firewalls, implementing endpoint protection and conducting phishing simulations, even as it continued to face further cyberattack attempts.
“Before that, we didn't have (a) cyber security expert. We don't know anything until things happen,” Mr Chan added.
Industry observers say many SMEs like Penanshin are taking cybersecurity more seriously, especially as attacks grow more sophisticated.
Strongkeep, for example, said it has observed growing interest from small firms seeking to strengthen their defences.
But awareness does not automatically translate into action.
The Association of Small and Medium Enterprises (ASME) said many businesses are grappling with economic pressures, rising costs and the push to adopt digital tools such as artificial intelligence – leaving limited bandwidth to prioritise cybersecurity.
“In the next six to nine months, a lot of the focus is going to be around AI and how it's going to make it easier – how do I make it work for me, from an SME perspective? In terms of cyber security, they will (likely) take a business-as-usual approach,” said ASME president Ang Yuit.
Mr Ang said one way to encourage stronger cybersecurity standards is to tie them to business opportunities. Companies that “level up” their cybersecurity could gain greater access to government projects and programmes.
Authorities have been tightening the framework in parallel.
In 2024, Parliament passed amendments to the Cybersecurity Act that broadened the range of incidents CII owners must report to the CSA, including those involving their supply chains, to improve national situational awareness.
The CSA has also been working with agencies such as the Infocomm Media Development Authority and Enterprise Singapore to expand funding and support schemes aimed at helping SMEs improve cyber hygiene.
National standards such as Data Protection Essentials, the SG Cyber Essentials Mark (CEM), the SG Cyber Trust Mark and ISO/IEC 27001 provide baseline benchmarks for companies seeking to strengthen their cybersecurity posture.
CII owners are legally required to meet strict cyber codes of practice. However, SMEs, including those working with CII operators, are not legally required to comply with such codes.
Instead, cybersecurity standards are often imposed by CII owners through contracts with vendors.
Amendments to the Public Sector Governance Act passed in January have also raised the bar for companies handling sensitive government information. Details on whether specific standards will be made mandatory have not been publicly specified.
Mr Keerthi highlighted the CEM as a practical baseline for SMEs, noting that it sets out essential practices to protect systems, data and networks from common cyber threats.
“The kind of trickle-down effect will very quickly spread across the entire smaller company ecosystem. It raises the baseline for all companies in Singapore and makes us as a whole ecosystem a harder target,” he added.
Continue reading...
The trove of 12,000 documents was leaked from a group allegedly conducting hacking operations while operating publicly as a cybersecurity firm.
CNA is not naming the group for security reasons.
One of the documents lists countries of interest, with Singapore among them.
The files claim that the firms connected to key CII sectors such as telecommunications, energy and finance were compromised.
Tech giant Google’s cybersecurity arm has said there are signs that a state-backed group may have been involved.
Redacted samples of the leaked documents.
“We saw some mentions that Singapore was part of the target regions that were tasked by the customers of that private company to target for collection purposes,” said Mr Lim Yihao, lead threat intelligence advisor for Japan, Asia-Pacific and the Middle East and Africa at the Google Threat Intelligence Group.
He noted that there was “some sort of working relationship between state actors and private contractors”.
However, Mr Lim was cautious in attributing the alleged attack to any particular country.
“The documents could be fabricated, and of course, could be done by somebody else who wants to make another country look bad,” he added.
Cybersecurity experts told CNA that the attack could be the tip of the iceberg of a growing trend of small- and medium-sized enterprises (SMEs) being targeted by hackers.
Because many firms supporting CII operators are SMEs, vulnerabilities may lie further down the digital supply chain, they warned.
SINGAPORE A PRIME TARGET
It is not the first time entities in Singapore have come under attack.
In 2025, Coordinating Minister for National Security K Shanmugam identified the advanced persistent threat group UNC3886 as being behind an ongoing cyberattack on Singapore. It was later revealed that the group was targeting the telco sector.
UNC3886 is described by Mandiant – a cybersecurity firm owned by Google – as a “suspected China-nexus espionage actor” that has targeted prominent strategic organisations globally. The Chinese government has denied any links to UNC3886.
A report from the Cyber Security Agency of Singapore (CSA) found that suspected attacks by advanced persistent threats like UNC3886 surged more than fourfold from 2021 to 2024.
Related:
Mr Adam Meyers, senior vice president of counter adversary operations at US cybersecurity firm CrowdStrike, said Singapore remains among the top five most targeted countries in Asia-Pacific.
“Singapore's very critical and sits at the crossroads of shipping into Asia. (It) is a financial centre across Asia-Pacific and (other countries) would certainly want to collect intelligence about what's coming in, what's going out, where is it going,” he said.
He added that telecommunications systems are particularly valuable from an intelligence perspective, for example when a foreign country is trying to locate dissidents.
“You can actually hunt them down based on their cell phone number and see not just information about them, but where they were moving, who they were with, what they were texting about, things like that,” he noted.
Analysts say these foreign actors could potentially gain access to telcos and other critical infrastructure by first infiltrating the SMEs in their supply chain.
Who are the attackers, and how do they work together?
Attacks on Singapore organisations come from different types of threat actors:
- Ransomware groups: Encrypt or lock data, and threaten to leak it for payment
- Initial Access Brokers (IABs): Breach networks and sell that access to other criminals
- Hacktivists: Politically or ideologically motivated actors, such as the group Anonymous
- State-backed actors: Conduct espionage or strategic operations on behalf of governments
Increasingly, analysts say these roles can overlap.
In some scenarios, a state-backed actor seeking access to a target could obtain entry points or intelligence from criminal groups such as IABs.
With that information, they could rally and direct hacktivists, ransomware or even organised crime groups to launch an attack. Such misdirection can complicate investigations, potentially creating confusion over who is ultimately responsible, experts say.
Ms Jennifer Soh, head of high-tech crime investigation for Asia-Pacific at cybersecurity firm Group-IB, said collaboration between experienced cybercriminals can make attacks “more sophisticated”.
“They will leave little traces, making (it) difficult to investigate them.”
Identifying who is behind an intrusion is crucial for investigators, added Google’s Mr Lim.
“Once we know who is behind this, or which nation, we roughly know what they're after based on the geopolitical tensions that we are seeing, and it helps us to quickly identify what they're after, what are the crown jewels we should protect.”
Collapse Expand
Related:
SMEs THE “WEAKEST LINK”
Singapore’s CII sectors are governed by the Cybersecurity Act, which imposes higher security standards and mandatory incident reporting obligations.
But experts warn that while these companies may be tightly regulated, the ecosystem around them may not be.
CII operators rely on vendors – which include SMEs – for logistics, software development, engineering and professional services.
Yet, many of these smaller firms are not directly regulated under the Act.
In a highly connected digital ecosystem, weaker cybersecurity at smaller vendors can provide threat actors with a foothold that may lead to larger, more strategically important organisations, experts say.
“It is a massive weakness,” said Mr Nicky Choo, vice president and general manager for Asia-Pacific at cybersecurity provider Mimecast.
“Every organisation that does business with every large organisation that's part of the critical infrastructure is a target for attack. So, a lot of cyber attackers now go after the weakest link, which is the easier way in,” he added.
According to the CSA’s Singapore Cyber Landscape 2024/2025 report, ransomware cases rose by 21 per cent in 2024, with 159 incidents recorded.
Manufacturing and professional services were among the most affected, with the majority of the attacks in the professional services industry targeted at SMEs.
Mr Gaurav Keerthi, CEO of cybersecurity firm Strongkeep, said SME incidents may be more common than official numbers suggest.
“It’s a lot of voluntary declaration if there is an incident … But generally, we think there's a massive under-reporting of cases in the SME space.”
He added that attackers are increasingly drawn to smaller firms.
“(They’re) easier to attack. It's gotten more lucrative to get some money out of these smaller companies, and many of them have become more digital in the last few years.”
With over 350,000 SMEs operating in Singapore as of 2024, the sheer volume of smaller firms provides attackers with many potential entry points.
“Unfortunately, the smaller companies, despite being more heavily targeted, continue to be less protected than the rest of the economy,” Mr Keerthi said.
Related:
WHEN A RANSOMWARE ATTACK HITS
For some SMEs, the threat is not theoretical.
In October 2023, freight forwarding firm Penanshin Air Express found itself at the centre of a cyberattack.
A ransomware group locked its employee data, quotes and client information. Two related companies were also compromised, according to the firm’s executive director Bernard Chan.
The attackers demanded US$15 million, which Penanshin ultimately refused to pay.
An email from the attackers who targeted Penanshin Air Express.
Fortunately, its core operational database was not affected.
“We were lucky. The attack didn't hit our critical data. It was only our old data. Business went on as normal,” Mr Chan said.
But because sensitive information was leaked, Penanshin worked closely with the police, the Personal Data Protection Commission and CSA over the next year on investigations.
The incident was a wake-up call for the company, underscoring the sense of helplessness many smaller firms experience in the face of cyberattacks.
“For SMEs, cost is a really big issue. Second, we do not have knowledge about what to do,” Mr Chan said.
The firm eventually tightened its cybersecurity defences with the help of external specialists, installing firewalls, implementing endpoint protection and conducting phishing simulations, even as it continued to face further cyberattack attempts.
“Before that, we didn't have (a) cyber security expert. We don't know anything until things happen,” Mr Chan added.
SMEs FACE COMPETING PRIORITIES
Industry observers say many SMEs like Penanshin are taking cybersecurity more seriously, especially as attacks grow more sophisticated.
Strongkeep, for example, said it has observed growing interest from small firms seeking to strengthen their defences.
But awareness does not automatically translate into action.
The Association of Small and Medium Enterprises (ASME) said many businesses are grappling with economic pressures, rising costs and the push to adopt digital tools such as artificial intelligence – leaving limited bandwidth to prioritise cybersecurity.
“In the next six to nine months, a lot of the focus is going to be around AI and how it's going to make it easier – how do I make it work for me, from an SME perspective? In terms of cyber security, they will (likely) take a business-as-usual approach,” said ASME president Ang Yuit.
Mr Ang said one way to encourage stronger cybersecurity standards is to tie them to business opportunities. Companies that “level up” their cybersecurity could gain greater access to government projects and programmes.
Related:
HOW SINGAPORE IS RAISING THE BAR
Authorities have been tightening the framework in parallel.
In 2024, Parliament passed amendments to the Cybersecurity Act that broadened the range of incidents CII owners must report to the CSA, including those involving their supply chains, to improve national situational awareness.
The CSA has also been working with agencies such as the Infocomm Media Development Authority and Enterprise Singapore to expand funding and support schemes aimed at helping SMEs improve cyber hygiene.
National standards such as Data Protection Essentials, the SG Cyber Essentials Mark (CEM), the SG Cyber Trust Mark and ISO/IEC 27001 provide baseline benchmarks for companies seeking to strengthen their cybersecurity posture.
CII owners are legally required to meet strict cyber codes of practice. However, SMEs, including those working with CII operators, are not legally required to comply with such codes.
Instead, cybersecurity standards are often imposed by CII owners through contracts with vendors.
Related:
Amendments to the Public Sector Governance Act passed in January have also raised the bar for companies handling sensitive government information. Details on whether specific standards will be made mandatory have not been publicly specified.
Mr Keerthi highlighted the CEM as a practical baseline for SMEs, noting that it sets out essential practices to protect systems, data and networks from common cyber threats.
“The kind of trickle-down effect will very quickly spread across the entire smaller company ecosystem. It raises the baseline for all companies in Singapore and makes us as a whole ecosystem a harder target,” he added.
Continue reading...