Phishing and Ransomware Continue to Pose Significant Risks to Organisations and Individuals Drop Seen in Number of Infected Infrastructure

Published on 23 Jun 2023

Singapore, 23 June 2023 – The Cyber Security Agency of Singapore (CSA) released the Singapore Cyber Landscape (SCL) 2022 publication today. The publication provides a comprehensive picture of the cybersecurity threat landscape in Singapore. CSA observed that, in 2022, phishing, which is a key conduit for scams and other malicious cyber activities, posed an increased threat to organisations and individuals. In line with global trends, ransomware continues to be a key concern in Singapore, with around one ransomware case reported every three days on average.  The number of infected infrastructure (formerly known as Command & Control (C&C) servers and Botnet Drones) saw a drop in Singapore despite a sharp growth of infected infrastructure observed worldwide.

Key Malicious Cyber Activities in 2022

  1. Phishing. There were around 8,500 phishing attempts reported to the Singapore Cyber Emergency Response Team (SingCERT) in 2022, more than double the 3,100 cases handled in 2021. More than 50 per cent of reported cases involved URLs ending with “.xyz” – a popular top-level domain (TLD)1 among threat actors given its low cost and limited restrictions on usage. The average length of reported phishing links decreased by almost half, suggesting that threat actors are using URL shortener services more frequently to mask their malicious intent and track the click-through rate of their phishing campaigns. The most commonly-spoofed were Banking and Financial Services, Government and Logistics. More than 80 per cent of reported phishing sites masqueraded as entities within the Banking and Financial Services sector. They are often targets of phishing attacks as they are trusted institutions which hold sensitive and valuable information such as personal details and login credentials. Overall, the increase in reported phishing attempts mirrored global trends, with multiple cybersecurity vendors observing that phishing activities grew substantially in 2022. In all, SingCERT facilitated the takedown of 2,918 malicious phishing sites in 2022.
  2. Ransomware incidents. Ransomware remains a major issue both in Singapore and globally, with cybersecurity vendors reporting a 13 per cent increase in ransomware incidents worldwide in 2022. In Singapore, the number of reported ransomware cases saw a slight decrease with 132 cases reported to CSA in 2022, compared to the 137 cases reported in 2021. The cases affected mostly Small-and-Medium Enterprises (SMEs) from sectors such as manufacturing and retail, as they may hold valuable data as well as Intellectual Property (IP), which cybercriminals often seek to extort and monetise for financial gain. Many of such firms also lack dedicated resources to counter cyber threats.
  3. Infected Infrastructure2. In 2022, CSA observed 81,500 infected systems in Singapore, a decrease of 13 per cent from 94,000 in 2021. Despite a sharp growth of infected infrastructure observed worldwide, Singapore’s global share of infected infrastructure fell from 0.84 per cent in 2021 to 0.34 per cent in 2022. While this decrease in infected infrastructure in Singapore points to an improvement in cyber hygiene levels, the absolute number of infected systems in Singapore remains high. The top three malware infections on locally-hosted C&C servers were Colbalt Strike, Emotet and Guloader, while Gamarue, Nymaim and Mirai were the top three malware found on locally-hosted botnet drones, accounting for nearly 80% of Singapore IP addresses infected by malware in 2022. 
  4. Website Defacements. 340 ‘.sg’ websites were defaced in 2022, a decrease of 19 per cent from 419 in 2021. Most victims were SMEs. The downward trend could be attributed to hacktivist activities moving to other platforms with potentially wider reach, such as social media. In general, a downward trend in global website defacements was observed - with the exception of Ukraine and Russia, which have seen hacktivist activities spike amidst the ongoing conflict, including the defacement of more than 70 Ukrainian government websites just before hostilities broke out.

Anticipated Cybersecurity Trends 

2   The SCL 2022 report also highlighted several trends to watch: 

(a) Ransom for Reputation. Given the spate of high-profile data breaches in 2022 globally, organisations might consider mitigating reputational damage as a more compelling reason to pay the ransom than regaining access to their encrypted data.  As such, while threat actors will continue to rely on extortion, actual ransomware deployments may decline. Ransomware-as-a-Service (RaaS) providers might turn their attention to focus more on data exfiltration and public shaming on “leak sites”. With the general willingness of the industry and the public to accept news of a data breach at face value, a threat actor might also conjure fictional breaches by publicising repackaged data from prior breaches or information fused through open-source data scraping.

(b) Artificial Intelligence (AI) for Bad and Good. AI is a double-edged sword that can be adopted by attackers and defenders alike. It is expected to be increasingly incorporated for cybersecurity, with an anticipated growth in market size from US$22.4 billion in 2023 to US$60.6 billion in 2028. Specifically, the use of Natural Language Processing (NLP) and Machine Learning (ML) technologies can empower the creation of an evolving baseline to provide real-time insights for ascertaining potential cyber-attacks. As AI becomes more accessible and advanced, threat actors may leverage such technology for their nefarious activities, such as to launch highly-targeted spear-phishing campaigns. Threat actors may also get more creative in the use of AI-enabled deepfakes to impersonate C-suite executives to facilitate account takeovers, business fraud, or impact the share price or reputation of an organisation. 

(c) Systemic Risks from Economic Adversity. The Russia-Ukraine conflict brought about financial pressures and a rise in cost of living. Inflation remains high in many countries and the International Monetary Fund anticipates a global economic downturn this year. Economic adversity create opportunities which threat actors can exploit via phishing. They capitalise on psychological weaknesses as potential victims are more inclined to explore opportunities to make up for personal financial shortfalls. Impending economic adversity also leads organisations to scrutinise their budgets closely and focus on cutting what is perceived as nonessential expenditure. Cybersecurity is often seen by uninformed C-suites as an overhead rather than an essential function. Tighter cybersecurity budgets and fewer resources may translate to subpar security postures across organisations, an asymmetry which will be capitalised by threat actors, thereby amplifying the risks of ransomware attacks and breaches.

CSA’s Efforts to Strengthen Collective Cybersecurity Posture

3   In 2022, CSA issued the Second Edition of the Cybersecurity Code of Practice (CCoP) to help Critical Information Infrastructure (CII) owners better address emerging risks, combat sophisticated cyber-attacks and build coordinated defences between the government and the private sectors. CSA also published a paper on the CII Supply Chain Programme, detailing Singapore’s approach to mitigate cyber supply chain risks and uplift the cyber resilience of Singapore’s essential services through five foundational initiatives. These include a toolkit for CII owners to help them identify and rate cyber supply chain risks and a vendor certification programme that recognises efforts made by vendors among CII owners to align their baseline security hygiene to national regulations and international standards.

4   An inter-agency Counter Ransomware Task Force (CRTF) was convened last year to develop and make recommendations on possible policies, operational plans and capabilities to improve Singapore’s counter ransomware efforts. The CRTF released a report which serves as a blueprint to drive Singapore’s efforts to foster a resilient and secure cyber environment, domestically and internationally, to counter the growing ransomware threat. 

5   In 2021, CSA launched the SG Cyber Safe Programme to help organisations in Singapore better protect themselves in the digital domain and enhance their cybersecurity. Under the programme, CSA introduced cybersecurity toolkits developed for different enterprise roles. For example, the toolkits developed for business leaders and SME owners provides them with information on how they can engage their technical personnel to provide cybersecurity leadership in an organisation. Since its launch, these toolkits have been downloaded more than 9,000 times. For organisations that have implemented cybersecurity and are ready for it to be their competitive advantage, CSA developed cybersecurity certifications in the form of Cyber Essentials and Cyber Trust marks – targeted at SMEs and larger organisations respectively. Since its launch, more than 100 organisations have been certified or are in the process of being certified. 

6   In order to provide better support for SMEs to protect themselves from cyber-attacks, CSA will be launching a scheme in Q3 of 2023 to provide subsidised cybersecurity consultancy services and tailored cybersecurity health plans to help SMEs work towards national cybersecurity certification such as attaining CSA’s Cyber Essentials mark. Cybersecurity consultants will take on the role of the SMEs’ “Chief Information Security Officers” or CISO, akin to providing a CISO-as-a-Service (CISOaaS) to SMEs facing manpower constraints in hiring cybersecurity personnel.  

7   In October last year, CSA launched the Internet Hygiene Portal (IHP), a one-stop platform for enterprises, providing them with easy access to resources and self-assessment tools, so that they can adopt internet security best practices in their digitalisation journey. The IHP also provides visibility on the cyber hygiene of digital platforms through an Internet Hygiene Rating (IHR) table. Since its launch, the IHP has been used by both local and overseas entities to conduct more than 60,000 website and email scans, with more than 2,300 scanned domains across different enterprise sectors showing an improvement in their internet hygiene. CSA will be publishing the internet hygiene ratings of the Healthcare sector this month.

8   CSA will also launch a new national cybersecurity campaign later this year, focusing on raising awareness and driving adoption of good cybersecurity practices. The national campaign augments existing efforts by CSA to target various stakeholders including students and seniors under SG Cyber Safe Students and Seniors Programmes. In collaboration with various government agencies, such as the Ministry of Education, Singapore Police Force (SPF) and Infocomm Media Development Authority (IMDA), CSA reaches out to the target groups through platforms such as roadshows, videos and games. Initiatives such as the Go Safe Online Pop-up and Go Safe Online Drama Skit for students have reached 280 schools, libraries, and community spaces, while CSA has engaged more than 80,000 seniors under the SG Cyber Safe Seniors Programme since the launch of the programmes in 2019 and 2021 respectively.  

9   Mr David Koh, Commissioner of Cybersecurity and Chief Executive of CSA, said: “2022 saw a heightened cyber threat environment fuelled by geopolitical conflict and cybercriminal opportunism as COVID-19 restrictions began to ease. Emerging technologies, like Chatbots, are double-edged, as with many new technologies.  While we should be optimistic about the opportunities it brings, we have to manage its accompanying risks. The government will continue to step up our efforts to protect our cyberspace, but we need businesses and individuals to play their part too, so that we can fully reap the benefits of our digital future.”

1 A TLD is one of the domains at the highest level of the hierarchical Domain Name System of the Internet, and usually forms the last text segment in a website’s domain name, such as .com or .net.
Compromised devices within SG cyberspace abused by attackers for malicious purposes, such as conducting DDoS attacks or distributing malware and spam.

About the Singapore Cyber Landscape 2022

The “Singapore Cyber Landscape 2022” publication reviews Singapore’s cybersecurity situation in 2022 against the backdrop of global trends and events, and highlights Singapore’s efforts in creating a safe and trustworthy cyberspace.

CSA analyses multiple data sources to shed light on the common cyber threats observed in Singapore’s cyberspace. Through case studies of incidents in Singapore, the publication aims to raise awareness of cyber threats among cyber stakeholders and the general public, and to offer practical and actionable insights to better defend ourselves against ever-evolving cyber threats. Please refer to this link for a copy of the report.

About the Cyber Security Agency of Singapore 

Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our Nation Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes. CSA is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information. For more news and information, please visit 




Report a Cybersecurity Incident

SingCERT encourages the reporting of cybersecurity incidents as it enables us to better understand the scope and nature of cyber incidents in Singapore. This will enable us to issue alerts or advisories on relevant threats, and assist a broader range of individuals and organisations.
Report Incident