Singapore’s advanced digital infrastructure and status as a regional data hub are drawing sophisticated cyberattacks and serving as a proving ground for emerging threats. The city-state recorded the highest number of ransomware variants globally last year, according to the Cyber Threat Landscape Report 2025 by Singapore-headquartered cybersecurity firm Ensign InfoSecurity.
“It’s very likely that threat groups like to use Singapore’s digital infrastructure as testbeds before they go after more digitally mature markets… or as a trusted supply chain pathway to gain access to regional or global targets,” says Teo Xiang Zheng, Ensign InfoSecurity’s vice president of Advisory, in a media briefing.
The report found that the technology, media and telecommunications (TMT) industry was the most targeted, given its role as the backbone of the digital economy and cyber supply chain.
“Compromising this industry gives threat actors multiple avenues of access to potential targets and victims, including sectors like banking, which have access to money and the public sector, which holds sensitive information that interested parties can leverage,” adds Teo.
How threat actors use AI
Organised crime groups remain the predominant threat actors targeting Singapore, drawn by its position as an international financial hub.
Increasingly, these groups are using artificial intelligence (AI) to sharpen their attacks. According to Teo, AI is making phishing campaigns more convincing by improving language quality and enabling multi-channel strategies, where attackers initiate contact on one platform before moving victims to another to complete a transaction. This not only obscures digital trails but also confuses victims, thereby boosting the odds of a successful compromise.
Sumit Dhawan, CEO of cybersecurity company Proofpoint, agrees. “We have enough data points to indicate that cyber attackers are using generative AI tools to craft phishing emails. Whether in Japanese, Thai, or Vietnamese, those malicious emails are now professionally written with little to no grammatical errors as language is no longer a barrier with generative AI,” he tells The Edge Singapore.
Teo notes that AI is also enhancing reconnaissance, allowing attackers to scan target systems for vulnerabilities with precision rather than relying on scattershot “spray-and-pray” tactics.
Moreover, AI is accelerating ransomware evolution. He points to the LockBit strain, which has gone through five iterations in just two and a half years. This development pace, he says, “far outstrips the conventional software cycle, where even the largest technology companies might only release a major update annually.”
Ensign’s report further shows a rise in activity from state-sponsored and hacktivist groups, fuelled by geopolitical and trade tensions. State-sponsored actors increasingly use “pre-positioning” tactics (infiltrating networks in advance to enable future espionage or disruption), while hacktivists are accelerating the creation of exploit platforms.
Cybercriminals get collaborative
Threat groups are no longer lone operators. “The cyber underground today functions as an illicit, dynamic and highly collaborative marketplace. These alliances, combined with widening supply chain vulnerabilities, have made threat groups more capable, persistent and difficult to dislodge,” shares Teo.
This collaboration sees ransomware operators, hacktivists and Initial Access Brokers (IABs) working together, with each specialising in a phase of an attack and pursuing multiple revenue streams.
According to Ensign, IABs active in Asia Pacific are often mercenary outfits. While some are tied to specific Ransomware-as-a-Service (RaaS) groups, others will sell to the highest bidder. Increasingly, they follow a “breach once, sell to many” model, wherein they secure initial access for a RaaS affiliate programme during a priority window, then resell that same access to other parties once the embargo period ends.
IABs may also steal sensitive data during breaches to sell separately, a practice known as infostealing. To gain access, many are moving beyond stolen passwords to target authentication tokens such as session keys and OAuth credentials. This is despite the abundant leaked usernames and passwords from regional users available on underground forums.
“Just because an organisation has resolved one cyber incident doesn’t mean it won’t be attacked again. We’ve seen a substantial number of double or even multiple extortions by the same [cybercriminal organisation against the same victim],” says Teo.
As for state-sponsored groups, they have been observed to subcontract parts of their campaigns to other threat actors, further complicating attribution. This multi-stakeholder participation (from reconnaissance to initial access to payload deployment) blurs the lines between independent criminals and nation-state operations.
“Attribution is extremely difficult – using the boxing analogy, the last person’s glove that hit you might not be the mastermind behind it. So, it is [more] important for us to focus on the behaviours, profiling the state-sponsored category of threat groups and what they are doing [rather than attributing attacks to a particular country],” Teo advises.
The people aspect
Humans tend to be the primary entry point for cyber attackers. Proofpoint’s State of the Phish 2024 report found that 70% of employees in Singapore engage in risky behaviours, such as reusing passwords or clicking links from unknown senders, despite knowing the risks. Convenience, time pressure and urgency were the most common reasons.
“The biggest cyber threat is still the basic phishing attack. Don’t overspend your focus on what you’re going to do with AI if you haven’t solved the foundational issue,” advises Dhawan.
He stresses the importance of human-centric security, which places employee behaviour at the heart of cyber defence strategies. Rather than rigid rules, the approach uses behavioural analytics and adaptive training to align protection with how employees actually work.
For example, Proofpoint’s AI-driven platform uses intent-based detection to spot suspicious communications across email, WhatsApp and other channels. The system analyses factors such as the sender’s identity, domain registration date, threat intelligence, changes in tone and whether the message seeks credentials or money. It can then warn the user or block the message entirely.
The platform also learns each user’s typical activity and flags anomalies. “If an employee suddenly zips up a bunch of files, sends them to their personal email address and applies for jobs on LinkedIn, that’s clearly something anomalous,” Dhawan says.
Depending on the situation, the system may alert the user or block the action. “Sometimes, nudging is enough to deter someone. Other times, the system blocks the action to ensure confidential information doesn’t leave the organisation.”
However, detection and blocking are not sufficient. “Fundamentally, we believe it’s all about human risk management. Regardless of how good anyone is at blocking threats, there will be threats that get past. If we don’t believe that, we’re fooling ourselves.”
That belief underpins Proofpoint’s ZenGuide solution that uses simulations and exercises to strengthen employee resilience. It analyses which threats are targeting the organisation and who is being targeted before creating simulations that mirror real-world attacks. Employees are tested, coached and scored on their responses, with feedback on both successes and failures.
Over time, this builds a measurable “human risk score” that improves with each exercise. The goal, Dhawan notes, is to instil safer behaviour through nudging, targeted training, simulations and gamification.
Enhancing organisational cyber resilience
To build organisational cyber resilience, Ensign urges organisations to tie key risk indicators directly to threat-informed scenarios and map them to security monitoring metrics, updating them frequently during incidents to guide decisions.
Organisations should also adopt the “3-2-1-1” backup strategy, in which three copies of data are stored on two types of media, with one kept offline and immutable. Golden images, or clean system snapshots, should also be maintained to enable full rebuilds from the last known good state.
Additionally, asset inventories should be complete and integrated with threat intelligence, enabling proactive monitoring and hunting for adversarial behaviour.
Automation and AI can help scale monitoring, focusing on tactics, techniques and procedures used by attackers. System configurations — from cloud services and hypervisors to browsers, email clients and network devices — should also be reviewed to tighten authentication, restrict access and disable unnecessary features.
Finally, incident response should be fully integrated into crisis management to ensure coordinated action across communications, stakeholder engagement, forensics, continuity and recovery. It should also be strengthened through industry and regulatory collaboration.