Money heist: Why cybercriminals are zeroing in on Singapore

Image courtesy of Jisun Han.

Despite Singapore’s advanced IT and cybersecurity status in Southeast Asia, cybercriminals remain undeterred. In fact, a string of high-profile data breaches have been recorded over the last few months, raising questions about firms’ cybersecurity postures and the gaps that allowed hackers to succeed.

In this special report, Frontier Enterprise reviewed some of the data breaches that shook the nation in 2024 and consulted several experts about the implications for businesses and the overall economy.


In mid-April, cyber thieves hacked the Ministry of Education (MoE) via a third-party vendor. According to the Ministry, the systems of mobile device management firm Mobile Guardian were breached, leading to unauthorised access to the names and email addresses of parents and school staff from five primary and 122 secondary schools.

“Mobile Guardian is a device management application (DMA) installed on students’ personal learning devices to allow parents to manage students’ device usage by restricting applications, websites, and screen time,” the MoE said.

The Ministry further clarified that its DMA is separate from Mobile Guardian’s user management portal and is therefore still secure.

Also in April, law firm Shook Lin & Bok suffered a ransomware attack, although it did not detail the extent of the data breach. Meanwhile, ransomware news website SuspectFile alleged that the law firm paid the Akira ransomware group US$1.4 million in Bitcoin.

On June 8, the Cyber Security Agency of Singapore (CSA), the Singapore Police Force and the Personal Data Protection Commission jointly released a statement about the Akira ransomware group, after receiving reports from several organisations affected by the threat.

First observed in March 2023, “the Akira threat group operates as an affiliate-based ransomware threat group, targeting both Windows and Linux systems under a ‘ransomware-as-a-service’ model. The Akira threat group provides its software and infrastructure to cybercriminal groups (affiliates) in return for a percentage of any ransom paid by victim organisations,” the statement read.

Around the same period, two more prominent Singaporean organisations have been hit by a ransomware attack: seafood restaurant chain Jumbo Group, and mall operator Mustafa. Both did not disclose the severity of the attack.

Abhishek Kumar Singh, Manager, Security Engineering, Check Point Software Technologies. Image courtesy of Check Point Software Technologies.

According to a recent study by Sophos, ransomware payments worldwide have increased by 500% in 2024, with the average ransomware payment in Singapore amounting to US$1,584,130.

Although the incidence of ransomware attacks in Singapore has dropped from 84% in 2023 to 64% in 2024, the latter figure is still higher compared to the global average of 59%.

Singapore organisations were also attacked 1,464 times per week on average over the last six months, compared to 1,375 globally, as revealed by Check Point’s recent Threat Intelligence Report.

“Top malware threats include four botnets, one banking trojan (Darkgate), one remote access trojan (AsyncRat) and one downloader (FakeUpdates), while the top three most attacked industry in Singapore in the last six months are government/military (3,514), retail/wholesale (1,495), and utilities (1,455),” said Abhishek Kumar Singh, Manager, Security Engineering at Check Point Software Technologies.

Why, then, are cybercriminals focused on Singapore?

In IMDA’s inaugural Digital Economy Report, published in 2023, the country’s digital economy in 2022 comprised 17% of its GDP, up from 13% in 2017. The information and communication industry was identified as the fastest-growing sector from 2017 to 2022, due to the strong growth of sub-sectors like games, online services, and e-commerce.

Kelvin Lim, Senior Director, Security Engineering, Synopsys Software Integrity Group. Image courtesy of Synopsys Software Integrity Group.

Moreover, “Singapore has high levels of connectivity, with 99% of resident households connected to the internet, and 98% of households with school-going children having access to computers,” IMDA revealed in its 2023 Digital Society Report. Likewise, 97% of Singapore residents own a smartphone.

Indeed, cybercriminals view Singapore as a gold mine waiting to be ransacked, remarked Kelvin Lim, Senior Director, Security Engineering, Synopsys Software Integrity Group.

“Cybercriminals are viewing the nation as a global financial centre that is thriving, resulting in attempts to get a slice of the pie. These recent attacks come in a broad spectrum of cyberattacks, ranging from highly sophisticated targeted assaults to mass phishing and ransomware campaigns — showing that these bad actors are becoming more sophisticated in their attacks,” he said.

Paradigm shift

Globally, ransomware detections and email threats have both gone down by 42%, yet there are still simultaneous attacks happening, especially in Singapore, Trend Micro’s latest report revealed.

This phenomena can be attributed to several factors, according to David Ng, Managing Director for Singapore, Philippines, and Indonesia at Trend Micro.

“Firstly, companies are becoming more transparent about being victims of cyberattacks due to both stricter regulations and an understanding of the reputational risks involved in non-disclosure,” he said.

David Ng, Managing Director for Singapore, Philippines, and Indonesia, Trend Micro. Image courtesy of Trend Micro.

“Secondly, we have observed that globally, threat actors are becoming more selective in their targets and more skilled in bypassing early detection layers. For instance, in the case of malicious emails, instead of launching large-scale attacks that rely on victims clicking on malicious links in websites and emails, cybercriminals are now targeting a smaller pool of higher-profile victims with more sophisticated attacks that evade network and email filters,” Ng added.

Meanwhile, another expert described cybercrime as a lucrative business, emphasising that enterprises should not be caught off-guard.

“Victims may succumb to paying ransom, and there are secondary markets sprouting that offer services of wannabe hackers such as ransomware as a service. Even someone who is not technical or knowledgeable could become a threat actor. Furthermore, the increase in legacy routers or IoT devices being exploited are creating botnets of devices used to launch attacks or run phishing campaigns,” noted Cheah Wai Kit, Senior Director, Product Management and Security Practice at Lumen Technologies.

In addition, hackers are also capitalising on the vulnerability of Singapore SMEs, and are thus intensifying attacks on that front, Cheah said.

“Many of these SMEs may be operating without much protection against cyberthreats and think that they are unlikely to be a target for a cyberattack. There is also a general lack of knowledge, skill sets or experiences among some of these organisations to implement the necessary cybersecurity controls to safeguard themselves,” he explained.

Proactive vs reactive approach

Although there is no perfect security solution that can address every threat, enterprises can prepare for a variety of scenarios instead of hoping they won’t be attacked anytime soon.

David Chan, Managing Director, Adnovum Singapore. Image courtesy of Adnovum Singapore.

Experts differ in their estimation of the percentage of Singapore organisations practising proactive threat hunting, but one thing is clear — the numbers are not encouraging.

According to Adnovum’s David Chan, only about 30% of Singapore organisations conduct proactive threat hunting. Lumen’s Cheah Wai Kit, on the other hand, believes the number is lower than 10%. Both experts agreed that cost is a significant factor in this dilemma, as many businesses, particularly SMEs, simply do not have the budget for proactive threat hunting.

Chan identified several other reasons why only a handful of organisations engage in proactive threat hunting:

  • Lack of awareness.
  • Misconceptions that only large enterprises can take on such projects.
  • Integration challenges.
  • One-time project mentality.
  • Reactive mindset (alert-driven security).

Experts agree that proactive threat hunting will benefit enterprises in the long run, as it stops potential threats in their tracks before they can cause significant damage.

Leonard Sim, Manager Sales Engineering, ASEAN, Sophos. Image courtesy of Sophos.

“Cyberattacks do not just happen in a flash. Instead, they are often built over time through a series of escalating steps to gain control of the victim’s environment before launching the final attack. Therefore, proactive threat hunting is crucial in identifying early indicators that a threat actor has compromised the environment before the actual attack is launched,” said Leonard Sim, Manager Sales Engineering, ASEAN, Sophos.

Having a mindset of an “assumed breach,” according to Cheah, will help enterprises seek out threat actors who might already be lurking inside their network.

“Sophisticated threat actors could potentially lurk for weeks or even months, waiting patiently to find their way to an organisation’s crown jewels before exfiltrating confidential data. This is referred to as dwell time. On average, the dwell time of a hidden attacker could be up to 280 days. Proactive threat hunting is one of the methods aimed at finding these threats to minimise dwell time and prevent the damage before the attacker can cause harm,” he said.

Organisations must keep in mind that proactive threat hunting requires a certain level of cybersecurity maturity and organisational readiness. Hence, those with less mature security and limited cybersecurity awareness programmes may struggle to implement and operationalise such an initiative, Singh pointed out.

“In times like these, a multi-layered defence with zero-trust architecture and a focus on adopting a prevention-first mindset is key,” he said.

Government push

One major initiative by the Singaporean government to tackle the rising sophistication of cyberthreats is the recent approval of proposed amendments to the CyberSecurity Act of 2018. The new law will expand the powers of the CSA over critical information infrastructure owners, among other things.

According to Cheah, the new requirement for prompt reporting of data breaches will allow quicker responses to cyberthreats and significantly improve threat intelligence.

Cheah Wai Kit, Senior Director, Product Management and Security Practice, Lumen Technologies. Image courtesy of Lumen Technologies.

“By aggregating and analysing incident reports from multiple sources, there can be a better understanding of emerging threats, attack trends, and vulnerabilities, enabling organisations and authorities to develop more effective strategies for cyber defence and risk management,” he said.

Cheah added that the new law will encourage greater accountability and transparency, fostering greater trust and confidence in Singapore’s digital ecosystem. Under the provisions of the new law, organisations will be penalised for failing to maintain their cybersecurity measures and incident reporting capabilities.

To facilitate readiness against current and emerging threats, Synopsys’ Kelvin Lim advocated for integrating cybersecurity into the school curriculum.

“As we are living in a digital-centric world, having cybersecurity as a subject in school would help the next generation build a strong foundation of security knowledge for the future and thus improve overall security practices,” he said.

Meanwhile, one of the pressing concerns for cybersecurity is the lack of skilled talent. To address this, Trend Micro signed a Memorandum of Understanding with Singapore’s Institute of Technical Education (ITE) in 2023 to train up to 3,000 students over the next three years.

“Even as we develop more tools to help automate processes and improve efficiencies, it is important for the industry to work together with the government to keep nurturing young cybersecurity talent,” Trend Micro’s David Ng said.

Fighting back

Threat actors are always innovating new strategies to penetrate enterprises’ defences. As the saying goes, “Criminals don’t need to get it right all the time. They just need to get it right once.”

An attacker can come in from anywhere, at any time. This is why adopting a multi-layered defence strategy is crucial given the current state of advanced threats.

“A unified and integrated architectural design ensures that various security layers — network, cloud, application, endpoint, and email security — can exchange contextual data seamlessly. This enables the generation of actionable insights for real-time prevention, encompassing both on-premises and cloud environments,” Singh noted.

Some other components of a multi-layered defence strategy, according to Adnovum’s David Chan are as follows:

  • Advanced threat detection and response — Deploy AI and machine learning to identify and respond to threats in real time, addressing sophisticated attacks like malware.
  • Strong authentication and authorisation — Implement multi-factor authentication and biometric verification as emphasised by Singapore’s Safe App Standard.
  • Secure data storage and encryption — Use encryption and secure data storage to protect sensitive information.
  • Regular security updates — Ensure timely updates and patches to close security vulnerabilities.
Patrick Tiquet, VP of Security & Compliance, Keeper Security. Image courtesy of Keeper Security.

Moreover, 24/7 threat monitoring and detection will help prevent any surprises when businesses wake up in the morning, Sophos’s Leonard Sim said.

“A recent study by the Sophos Rapid Response team found that threat actors are tailoring the timings of attacks to after local office hours and weekends, as they believe that victims would have less monitoring during those periods,” he said.

Meanwhile, as AI is continuously being leveraged to launch attacks, enterprises must be aware of how such methods are being carried out in order to counter them, Patrick Tiquet, VP of Security & Compliance at Keeper Security, said.

“Keeper Security’s recent report reveals that 84% of IT leaders surveyed globally acknowledge that phishing and smishing have become more difficult to detect with the rise in popularity of AI-powered tools. This trend emphasises the importance of comprehensive training for employees to identify and mitigate such threats,” the executive observed.

To augment workforce education measures, organisations should also adopt zero-trust architecture and zero-knowledge software to protect passwords, privileged access, secrets and remote connections, he continued.

In the end, even the best security defence cannot repel every attack. The key, therefore, is to detect them early, and be prepared to take action, noted Trend Micro’s David Ng.

“That requires an incident response plan with business continuity measures and cybersecurity insurance considerations built in. Working out how to keep the business running is critical to overcoming and staying ahead of cyberthreats,” he concluded.