The Cyber Security Agency of Singapore (CSA) says hackers exploited unpatched routers at multiple organisations last year before installing malicious tools that could survive subsequent security updates.
The campaign was uncovered on Feb 13, 2025, after the agency received information on related global activity. It was opportunistic rather than aimed at particular organisations, according to the agency’s Singapore Cyber Landscape 2025/2026 report.
Attackers created unauthorised administrator accounts and installed malicious tools directly on the routers. The agency did not identify the affected organisations or say how many devices were compromised.
Response teams scanned network-connected devices at affected organisations for signs that the attackers had moved further into their systems. No additional footholds were found, according to the report.
In some cases, remediation required the routers’ firmware to be re-flashed. Delays in applying patches were linked to incomplete asset visibility, limited staffing and weak cyber-hygiene practices. The affected equipment was managed either by small in-house teams or external vendors.
The finding comes as CSA warns that artificial intelligence (AI) is reducing the time needed to identify vulnerabilities and carry out attacks. Agentic AI systems could automate parts of an intrusion that previously unfolded over days, compressing them into hours.
See also: South Korea fines Coupang record US$409 mil for data leak
Singapore detected 284,300 infected infrastructure systems in 2025, a 142% increase from the previous year. The increase was driven mainly by persistent malicious infrastructure activity and improved detection of infected botnet devices, according to CSA.
The total is separate from the router campaign, but CSA cited consumer internet-connected devices with weak configurations or unpatched firmware as creating more opportunities for botnet operators.
Separately, advanced threat actor UNC3886 attempted to intrude into Singapore’s four major telecommunications operators in 2025.
See also: Roblox wants deluge of child sex abuse cases moved out of court
The government’s Operation Cyber Guardian contained the incident without disrupting telecom services, and investigators found no evidence that customer data had been compromised. The operation was Singapore’s largest coordinated cyber incident response to date, according to CSA.
“In today’s accelerating and increasingly complex threat landscape, major challenges such as AI and quantum loom ahead. We need to lock down, find first, and fix fast. We must tighten up and harden systems before threat actors can find footholds. Discover vulnerabilities before they are exploited. And when gaps are found, close them faster than threat actors can act. This cycle should be continuous, rather than point-in-time checks,” says David Koh, commissioner of Cybersecurity and chief executive of CSA.
He continues: “We are working closely with global partners and industry to ensure that fast-evolving technologies strengthen, rather than undermine, our collective security. Together – industry, government, and citizens – we can build a future where digital innovation thrives in tandem with trust and security.”
