APT groups and ransomware gangs are turning Singapore into prime cyber target, Cyfirma report finds


Singapore’s cyber threat landscape is being reshaped by a convergence of state-backed espionage, financially motivated cybercrime, and increasingly organized ransomware operations, Cyfirma said in its latest report. The country’s role as a regional financial and technology hub has made it a high-value target for various APT (advanced persistent threat) groups, including UNC3886, Mustang Panda, Volt Typhoon, APT41, and Lazarus Group, which are actively targeting telecommunications, financial institutions, semiconductor firms, and government-linked entities. These hackers deploy sophisticated tactics, including zero-day exploitation, credential harvesting, and stealth persistence techniques to enable long-term intelligence gathering and strategic access. 

The report also highlights a thriving cybercriminal underground ecosystem tied to Singapore, with sustained dark web activity involving stolen identity data, financial credentials, and ransomware leak disclosures. Sectors handling high volumes of sensitive data, including telecommunications, healthcare, IT services, and finance, are frequently discussed and traded in underground forums. Ransomware groups, operating under structured RaaS models and opportunistic campaigns, are increasingly using double-extortion tactics that combine data encryption with public exposure, amplifying pressure on victims while expanding financial returns. 

Looking ahead, Cyfirma warns of a shift toward hybrid threat models that blend espionage, financial theft, and long-term prepositioning within digital infrastructure. Attackers are increasingly targeting cloud environments, identity systems, and fintech ecosystems, while the integration of IT and operational technology in smart infrastructure introduces new attack pathways into critical services such as utilities and transportation. As digital transformation accelerates across sectors, the expanding attack surface is expected to sustain both nation-state campaigns and cybercriminal operations in the years ahead.

The post highlighted that dark web monitoring indicated a sustained, financially driven threat ecosystem targeting Singapore, characterized by high volumes of breached data circulation, identity-centric datasets, financial credential demand, and sector-specific compromise claims. “Data breach and leak listings dominate overall chatter, accompanied by a marked rise in credit card–related activity and fluctuating ransomware disclosures, underscoring a monetization-focused underground economy. Sectoral discussions show concentration on telecommunications & media and healthcare, alongside consistent targeting of IT, financial services, and professional service providers, industries aggregating large volumes of personal and transactional data.”

Notably, multiple high-impact listings involving citizen NRIC-linked datasets, healthcare records, financial trading platforms, e-commerce customer bases, and administrative system access suggest both opportunistic exploitation and deliberate acquisition of high-integrity identity data. Collectively, the observed activity reflects a mature threat marketplace prioritizing data resale, fraud enablement, account takeover, and long-term identity exploitation, reinforcing Singapore’s position as a high-value digital and financial target within the regional cybercriminal ecosystem.

This comes as dark web chatter associated with Singapore demonstrates sectoral concentration, with telecommunications and media (49 mentions) emerging as the most discussed industry, reflecting persistent interest in subscriber data, communication infrastructure access, and large-scale personal datasets. Healthcare (19) shows a significant February spike, indicating increased circulation or monetization of medical-related data, which carries high black-market value due to identity and insurance fraud potential. 

“Lower but notable activity across Consumer Goods, Government & Civic, Energy, and Logistics sectors suggests broad opportunistic scanning rather than isolated targeting,” Cyfirma reported. “Overall, the distribution reflects a data-centric threat economy prioritizing sectors that aggregate large volumes of personal, financial, or infrastructure-linked information, with telecommunications and healthcare showing the strongest recent momentum in underground discussions.”

Moving to ransomware attacks, Cyfirma reported that the December 2025 to February 2026 assessment indicates a stable but persistent ransomware threat environment in Singapore, characterized by consistent monthly incident volumes and concentrated actor activity. 

“While overall case numbers remained steady, the landscape was led by Qilin as the most active operator, with additional contributions from LockBit5, Everest, Safepay, and several lower-frequency groups, reflecting a mix of structured RaaS-driven campaigns and opportunistic intrusions,” the post noted. “Targeting patterns demonstrate a clear preference for data-intensive and service-oriented sectors, particularly Professional Goods & Services and Information Technology, alongside continued pressure on Finance, Government-linked entities, and infrastructure-adjacent industries. Collectively, these indicators point to financially motivated actors maintaining sustained interest in Singapore’s high-value economic sectors, leveraging double-extortion models and sectoral interconnectedness to maximize impact and monetization potential.”

Between December 2025 and February 2026, ransomware activity targeting Singapore held steady rather than spiking, with seven incidents in December, a brief dip to five in January, and a return to seven in February. 

The January slowdown likely reflects operational pauses, post-holiday disruption cycles, or delays in leak-site disclosures rather than any meaningful drop in underlying compromises. The February rebound points to sustained threat actor focus and a stable pace of operations. Taken together, the pattern signals consistent ransomware pressure, reinforcing that Singapore remains a reliable target for financially motivated operators rather than one experiencing episodic surges.

During the same period, ransomware activity impacting Singapore reflects a moderately fragmented but Qilin-dominant threat landscape, with Qilin (six incidents) emerging as the most active operator, accounting for the largest share of observed victim listings. This is followed by LockBit5 (three), while Everest (two) and Safepay (two) show secondary but consistent presence. 

The remaining activity is distributed across single-incident ransomware gangs, such as Tengu, Nova, Devman, Incransom, 0apt, and Insomnia, indicating opportunistic or low-frequency targeting rather than sustained campaigns. Overall, the data suggests a hybrid environment where one primary RaaS actor maintains repeated operational focus on Singapore-based entities, while multiple smaller or emerging groups test access footholds. 

Clearly, the concentration of activity among a limited number of groups implies structured affiliate-driven targeting rather than random victim selection, and the presence of both established (LockBit lineage) and lesser-known actors signals continued attractiveness of Singapore-based organizations for data exfiltration and double-extortion operations.

Recent vulnerability exploitation trends targeting Singapore indicate sustained scanning and compromise attempts against high-severity remote code execution flaws affecting web servers, enterprise applications, and network edge devices. The majority of the identified CVEs carry critical CVSS scores ranging from 9.8 to 10.0, enabling full system compromise with minimal interaction. Notably, 14 out of the 15 listed vulnerabilities have publicly available exploit code, significantly increasing exposure by lowering the technical barrier for both opportunistic threat actors and state-aligned groups. This high exploit availability, combined with the continued presence of legacy and internet-facing systems, reinforces the elevated risk environment for organizations operating in Singapore.

Cyfirma identified that Singapore’s cyber threat landscape is defined by the convergence of state-backed espionage, financially driven cybercrime, and active underground data markets. 

Nation-state actors, including UNC3886, Mustang Panda, Volt Typhoon, APT41, and Lazarus Group, are targeting high-value sectors such as telecommunications, fintech, semiconductors, government, and regional corporate hubs, exploiting unpatched systems and network infrastructure while using credential abuse, living-off-the-land techniques, and stealthy persistence for long-term access. At the same time, dark web activity reflects strong demand for Singapore-linked data, while ransomware groups increasingly focus on service industries and IT providers to maximize extortion pressure.

Singapore’s 2026 event calendar creates multiple high-visibility targets for cyber threat actors across global events, strategic conferences, and critical infrastructure sectors. The telecommunications sector continues to face sustained risk following Operation Cyber Guardian, which revealed persistent targeting of major providers. National events such as the National Day Parade present opportunities for disruption or disinformation campaigns, while initiatives like Singapore Ocean Week introduce risks from activist-driven activity and industrial espionage. Together, these events underscore how Singapore’s global profile expands its attack surface during periods of concentrated international attention.

Cyfirma noted that the country’s forward-looking cyber risk is increasingly defined by hybrid threat models that combine espionage, financial crime, and long-term prepositioning. Threat actors are using generative AI to sharpen social engineering and business email compromise, including deepfake impersonation and highly tailored phishing targeting government, fintech, and regional operations. 

At the same time, advanced groups are shifting toward cloud and virtualized environments, exploiting identity systems, APIs, and management layers to establish persistent access. Supply-chain risks are also rising, with attackers targeting managed service providers and IT integrators to reach multiple organizations through a single breach.

Infrastructure-level vulnerabilities remain a key concern, particularly as attackers continue to exploit edge devices such as firewalls, VPNs, and telecom systems for stealthy, high-privilege access. 

Ransomware tactics are evolving toward data theft without encryption to increase pressure through regulatory and reputational risk, especially in finance, healthcare, and professional services. Financial platforms, including cryptocurrency exchanges and cross-border payment systems, face growing threats tied to monetization and sanctions evasion. At the same time, deeper integration between IT and operational technology in smart infrastructure is expanding potential attack paths into utilities, transport, and building systems, further widening Singapore’s exposure.

Singapore’s cyber risk outlook points to a sustained mix of state-backed espionage and financially driven cybercrime, fueled by rapid digital expansion across government, finance, telecom, and manufacturing. As the attack surface grows, APT groups are expected to continue targeting telecommunications, cloud environments, and regional corporate networks for intelligence gathering and prepositioning. This comes as cybercriminals exploit vulnerabilities, stolen credentials, and supply chains to drive ransomware, fraud, and data monetization. The country’s role as a global connectivity and fintech hub ensures it remains a high-value target.

At the same time, Singapore’s strong cybersecurity governance and institutional capabilities position it well to counter these risks. Continued focus on threat intelligence, proactive vulnerability management, coordinated incident response, and supply-chain security, alongside deeper public–private collaboration and improved detection of stealthy threats, will be critical. With a proactive and coordinated approach, Singapore can strengthen resilience and maintain its standing as a secure digital economy in the Asia-Pacific region.

Cyfirma recommended that Singapore’s cybersecurity posture prioritize stronger resilience across critical infrastructure by adopting zero-trust principles in telecommunications, cloud, and virtualization environments, while continuously assessing compromise risks in edge devices, firewalls, and hypervisors. Segmentation between OT and enterprise IT is essential to limit lateral movement. At the same time, vulnerability governance must accelerate through risk-based patching aligned with active threats, reduced remediation timelines for internet-facing assets, and continuous monitoring of external attack surfaces to identify exposed services and shadow IT.

Detection and response capabilities need to shift toward behavior- and anomaly-driven approaches, supported by proactive threat hunting for credential abuse and suspicious internal activity, alongside integration of sector-specific intelligence. 

Ransomware defenses should focus on immutable backups, strict access controls, and simulation exercises that reflect evolving extortion tactics. Financial and digital asset ecosystems require stronger transaction monitoring, API security, and resilience testing, while supply-chain security must be reinforced through stricter vendor oversight, monitoring of third-party access, and greater transparency in software components. Continuous dark web monitoring and rapid response to credential exposure are also critical. Finally, preparedness at the executive and workforce level, including targeted training and scenario-based exercises, will be key to improving response readiness against espionage and cybercrime threats.