08 Jul 2021
Ransomware incidents, online scams, and COVID-19-related phishing activities dominated cyber landscape in 2020
9,080 cases handled by CSA’s SingCERT in 2020, marking second consecutive year of increase
Singapore, 8 July 2021 – The Cyber Security Agency of Singapore (CSA) released its Singapore Cyber Landscape (SCL) 2020 publication today, revealing an increase in cyber threats such as ransomware and online scams in 2020. CSA’s SingCERT (Singapore Computer Emergency Response Team) handled a total of 9,080 cases in 2020, marking the second consecutive year of increase, compared to 8,491 cases reported in 2019 and 4,977 cases in 2018 respectively. Although the number of phishing incidents remained stable and website defacements declined slightly, malicious cyber activities remain a concern amid a rapidly-evolving global cyber landscape and increased digitalisation brought about by the COVID-19 pandemic (see Appendix A).
Throughout 2020, CSA observed that global threat actors had capitalised on the anxiety and fear wrought by the pandemic, with repercussions felt by individuals and businesses. These threat actors made their presence felt, targeting areas such as e-commerce, data security, vaccine-related research and operations, as well as contact tracing operations. Some of these trends were mirrored locally, where a surge in ransomware incidents as well as the emergence of COVID-19-related phishing activities were seen. These also coincided with the rise of Work-from-Home (WFH) arrangements, as individuals and businesses adopted new technologies to maintain business continuity.
Key Malicious Cyber Activities in 2020
i. Ransomware. 89 ransomware cases were reported to CSA in 2020, a sharp rise of 154 per cent from the 35 cases reported in 2019. The cases affected mostly Small-and-Medium Enterprises (SMEs), and hailed from sectors such as manufacturing, retail and healthcare. The significant increase in local ransomware cases was likely influenced by the global ransomware outbreak, where three distinct characteristics were observed as ransomware operators deployed increasingly sophisticated tactics. They include (a) shifting from indiscriminate, opportunistic attacks to more targeted “Big Game Hunting (BGH)”; (b) the adoption of “leak and shame” tactics; and (c) rise in “Ransomware-as-a-Service” (RaaS) models.
ii. Malicious Command and Control (C&C) Servers & Botnet Drones. In 2020, CSA observed 1,026 malicious C&C servers hosted in Singapore, a 94 per cent increase from the 530 C&C servers observed in 2019. The rise was in part attributed to the increase in C&C servers distributing the highly pervasive Emotet and Cobalt Strike malware, which accounted for one-third of the malware C&C servers observed.
In 2020, CSA detected about 6,600 botnet drones with Singapore IP addresses daily, an increase from 2019’s daily average of 2,300. Variants of the Mirai and Gamarue malware were prevalent among infected botnet IP addresses in 2020, with Mirai malware, which primarily targets Internet-of-Things (IoT) devices, staying strong due to the continuing growth of IoT devices locally.
iii. Phishing. About 47,000 unique Singapore-hosted phishing URLs[1] (with a “.SG” domain) were observed in 2020, a slight decrease of 1 per cent compared to 47,500 URLs seen in 2019. Globally, 2020 saw a surge in COVID-19-related phishing campaigns. In Singapore, the overall volume of malicious phishing URLs remained comparable to the figures seen in 2019. COVID-19 themes very likely accounted for over 4,700 of the malicious URLs spoofing local entities and services that were in greater demand during Singapore’s circuit breaker period, which included online retail and payment portals.
iv. Website Defacements. 495 ‘.sg’ websites were defaced in 2020, a decrease of 43 per cent from 873 in 2019. The majority of victims were SMEs, and no government websites were affected. The significant fall in 2020 is consistent with global trends and suggests that activist groups could have chosen other platforms with potentially wider reach (e.g. social media) to embarrass their victims and attract visibility for their causes.
v. Cybercrime. The Singapore Police Force reported that cybercrime remained a key concern, with 16,117 cases reported in 2020, up from 9,349 cases in 2019. It accounted for 43 per cent of overall crimes reported in 2020. Online cheating[2] cases made up the top cybercrime category in Singapore, recording a rise of almost 62 per cent from 7,580 cases in 2019, to 12,251 cases in 2020. This trend is attributed to the rapid growth of e-commerce, the proliferation of community marketplace platforms and social media platforms as Singaporeans carried out more online transactions due to COVID-19.
Anticipated Cybersecurity Trends
The report highlighted several emerging cybersecurity trends to watch against the backdrop of an increasingly complex and dynamic cyber threat landscape. Near-term trends include:
(a) Evolving Traits of Ransomware Attacks. Ransomware has evolved into a massive and systemic threat, and is no longer restricted to the sporadic and isolated incidents observed. Globally, the recent spate of high-profile ransomware incidents affecting essential service providers and key firms – such as the fuel pipeline company Colonial Pipeline (United States) and meat processing company, JBS (Brazil) – have demonstrated that the attacks could cause real-world effects and harm, and may have the potential to become national security concerns. The proliferation of such attacks spells an urgency for businesses to review their cybersecurity posture and ensure that they build their systems to be resilient in recovering from any successful cyber-attacks.
(b) Targeting of Remote Workforce. Social distancing measures during the COVID-19 pandemic have led to the rapid adoption of remote working. However, poorly configured network and software systems - which are part of the new remote work ecosystems - have widened the attack surface and exposed organisations to greater risk of cyber-attacks.
(c) Increased Targeting of Supply Chains. A successful breach in the supply chain, as seen in the high-profile SolarWinds supply-chain breach at the tail end of 2020, provided cyber threat actors a single pivoting point to multiple victims. While such attacks are not new, they are becoming more sophisticated. The compromise of a trusted supplier or software can result in widespread repercussions worldwide, as victims could include major vendors with huge customer bases.
Other trends that are expected to surface in the mid-term include cybersecurity risks associated with space infrastructure. Cyber threat actors may compromise space infrastructure in order to disrupt activities that they support, or obtain strategic information - that satellites are now capable of yielding - on Earth-bound targets of interest. Another trend expected to continue in the long term includes the mass proliferation of Internet-connected devices.
The Singapore Cyber Landscape: Charting our Cyber-journey
The accelerated pace of digitalisation, coupled with the growing scale and sophistication of cyber threats, has brought into sharper focus the importance of CSA’s work. For the first time, this fifth edition of the SCL report charts CSA’s milestones, since its formation in 2015, across the four Pillars[3] of Singapore’s Cybersecurity Strategy launched in 2016. This additional section covers CSA’s collaborations with various stakeholders from the public and private sectors to create a safer cyberspace in Singapore, as well as its efforts to work with international partners to co-create a rules-based multilateral order in cyberspace.
Mr David Koh, Commissioner of Cybersecurity and Chief Executive of CSA, said, “Due to the challenges brought about by COVID-19, 2020 was a watershed for digitalisation efforts across all parts of the economy and society. Unfortunately, the speed and scale at which digital technology was adopted may have led to some risks being taken, and threat actors are capitalising on this. The Government, organisations, and individual users need to work together in order to keep ourselves secure in cyberspace.”
[1] A Uniform Resource Locator (URL) is a unique, specific web address.
[2] Online cheating cases are cheating cases in which victims were approached through the Internet, or which involved e-commerce.
[3] Pillar One: Building a Resilient Infrastructure; Pillar Two: Creating a Safer Cyberspace; Pillar Three: Developing a Vibrant Cybersecurity Ecosystem; Pillar Four: Strengthening International Partnerships
About the Singapore Cyber Landscape 2020
The “Singapore Cyber Landscape 2020” publication reviews Singapore’s cybersecurity situation in 2020 against the backdrop of global trends and events, and highlights Singapore’s efforts in creating a safe and trustworthy cyberspace.
CSA analyses multiple data sources to shed light on the common cyber threats observed in Singapore’s cyberspace. Through case studies of incidents in Singapore, the publication aims to raise awareness of cyber threats amongst cyber stakeholders and the general public, and to offer practical and actionable insights to better defend ourselves against ever-evolving cyber threats. Please refer to this link for a copy of the report.
About the Cyber Security Agency of Singapore
Established in 2015, the Cyber Security Agency of Singapore (CSA) seeks to keep Singapore’s cyberspace safe and secure to underpin our National Security, power a Digital Economy and protect our Digital Way of Life. It maintains an oversight of national cybersecurity functions and works with sector leads to protect Singapore’s Critical Information Infrastructure. CSA also engages with various stakeholders to heighten cyber security awareness, build a vibrant cybersecurity ecosystem supported by a robust workforce, pursue international partnerships and drive regional cybersecurity capacity building programmes. CSA is part of the Prime Minister’s Office and is managed by the Ministry of Communications and Information. For more news and information, please visit www.csa.gov.sg.
For media queries, please contact:
Senior Manager, Comms & Engagement Office