Cybersecurity in Focus: Recent Threats Targeting Singapore Amid National Day Celebrations

The report "Cybersecurity in Focus: Recent Threats Targeting Singapore Amid National Day Celebrations" highlights the escalating cyber threats faced by Singapore in recent months. These include a surge in ransomware attacks impacting over 30 victims across 15 industry sectors, with notable breaches involving Singapore's Ministry of Finance and Moneylenders Credit Bureau. Hacktivist groups have also intensified their activities, leading to significant data breaches, including the sale of personal data of Singaporean citizens on underground forums. The report emphasizes the urgent need for enhanced cybersecurity measures to protect sensitive information and mitigate the growing risks.

CloudSEK TRIAD
August 9, 2024
Green Alert
Last update posted on September 13, 2024

Category: Adversary Intelligence

Region: Singapore

TLP: GREEN

In the past few months, we have observed growing threats to Singapore's cybersecurity landscape. This report underscores the increasing cyber threats faced by Singapore, marked by a surge in ransomware attacks that have impacted over 30 victims across 15 industry sectors.

Significant data breaches also include leaks from the Ministry of Finance and Moneylenders Credit Bureau Singapore, with compromised databases recently surfacing on underground forums, including sensitive personal data and financial records.

Additionally, the activities of hacktivist groups such as RipperSec, Tengkorak Cyber Crew, Z_BL4CK_H4T, Zenimous Crew, and Sulawesi Cyber Team have targeted Singapore, contributing to the heightened cyber risk. Furthermore, stolen personal data from Singaporean citizens has appeared for sale, increasing the risks of identity theft and financial fraud.

CloudSEK has been proactively monitoring these threats in the Singapore region, ensuring timely detection and response to protect against potential damage and safeguard organizational and individual interests.

Recent Cyber Attacks on Singapore

Ransomware:

In Singapore, ransomware attacks have heavily affected multiple sectors, with over 30 victims identified from 2023 to the current date. Various ransomware groups have been responsible for these attacks, with Lockbit being the most active. The cyberattacks have impacted a wide array of industries, leading to significant disruptions and financial damage.

The chart below displays statistics highlighting all the sectors affected by ransomware in Singapore over the past year.

Ransomware industry specific 2023-2024 statistics

The graph below illustrates statistics showing all the ransomware groups that have been active in Singapore over the past year.

Most active ransomware groups in Singapore 2023-2024 statistics

Top 5 active ransomware groups targeting Singapore:

  1. Lockbit: Lockbit is a notorious ransomware group known for its widespread and aggressive attacks on various sectors, using sophisticated encryption techniques to demand substantial ransoms. Lockbit has targeted 10 victims from Singapore across various industry sectors in the past year. The affected organizations span technology, semiconductors, security, 3D printing, education, and payroll services.
  2. 8base: The 8Base ransomware group, active since early 2023 with roots in smaller campaigns from 2022, has targeted four organizations in Singapore over the past year across the technology, business advisory, luxury goods, and manufacturing sectors.
  3. Bianlian: BianLian ransomware first emerged in early 2022 and has been targeting entities from various sectors across the world. In Singapore, BianLian has affected three organizations across different industries: travel, finance, and construction.
  4. Toufan: Cyber Toufan is a sophisticated hacktivist group that emerged in 2023. Unlike other hacktivist groups known for DDoS and website defacement attacks, Toufan has targeted various entities in Israel and their supporters with ransomware. In Singapore, Toufan has affected two companies in the technology and telecommunications sectors over the past year. 
  5. RAworld: The RA World ransomware, operated by the threat actor group RA Group, first emerged in 2023. Over the past year, it has affected two victims in Singapore, targeting organizations in the transportation sector and financial services.

Data Breaches:

This section details recent significant data breaches impacting Singapore, highlighting the compromised databases of key institutions and the sale of sensitive personal information. These breaches underscore the critical risks associated with unauthorized access to personal and financial data, and the potential for identity theft, financial fraud, and operational disruptions.

Singapore's Ministry of Finance (MOF) data breach: 

  • On July 21, 2024, the threat actor "IMPORTANT_LEAK" was observed selling a database from Singapore's Ministry of Finance (MOF) on an underground forum. The compromised database contains 1.5 million entries with names, access dates, visit dates, server details, local API information, and IP addresses. The threat actor recently joined the forum and has been linked to selling databases from government entities globally.
  • This breach poses significant risks, including potential unauthorized access to sensitive financial systems, exposure of personal information, and increased vulnerability to further attacks. 

Singapore's Ministry of Finance database posted for sale on an Underground forum 

Moneylenders Credit Bureau Singapore data breach:

  • On July 23, 2024, the threat actor GHOSTR posted on an underground forum, claiming to have stolen 54.6 GB of data, including 324,362 MLCB reports from Moneylenders Credit Bureau Singapore. Each report includes the borrower’s personal details, loan information, payment status, and guarantor’s status.
  • The breach not only exposes sensitive personal and financial information but also includes a substantial amount of data from the MLCB. This raises significant risks of identity theft, fraud, and financial harm. The threat actor has been seen targeting entities across various sectors and countries.

Threat actor’s post on Moneylenders Credit Bureau Singapore

Absolute Telecom data breach:

  • The same threat actor has also been seen posting data belonging to Absolute Telecom, a Singapore-based telecommunications company, on the forum.

Threat actor’s post on Singapore’s Telecom company 

Singapore's Ministry of Foreign Affairs email dump: 

  • On August 6, 2024, a threat actor named l33tfg, who recently joined the forum, posted an email dump from Singapore's Ministry of Foreign Affairs. The actor suggested that the data could be used for mass mailing and spear phishing attacks.
  • The leak of the Ministry of Foreign Affairs email dump poses significant risks, including targeted phishing and spear phishing attacks that could lead to identity theft and financial fraud. This may damage the ministry’s reputation, disrupt its operations, and undermine public trust. Additionally, Singaporean citizens could face heightened risks of phishing scams and exploitation.

Threat actor’s post on Underground forum 

Databases containing personal information of Singaporean citizens:

  • Threat actors have been observed posting databases containing personal information of Singaporean citizens. These databases include sensitive details such as names, addresses, email addresses, and phone numbers, among other data.
  • The sale of such personal data can have severe repercussions for Singaporean citizens:
    • Identity Theft: With access to personal details, criminals can impersonate individuals, opening bank accounts, applying for loans, or committing other forms of fraud in the victims' names.
    • Phishing Attacks: The detailed personal information can be used to craft convincing phishing schemes, tricking individuals into revealing additional sensitive information or accessing malicious links.
    • Spam and Scams: Victims may be targeted with increased spam emails and scam phone calls, which can lead to further exploitation or financial losses.
    • Financial Fraud: Access to personal data can facilitate various types of financial fraud, such as credit card fraud or fraudulent transactions, leading to financial damage for the victims.

Database containing personal data of Singaporean citizens for sale 
Database containing personal data of Singaporean citizens  

Database containing phone numbers of wealthy Singaporean citizens for sale 

Sale of PII and Credit Card Information

Threat actors have been observed selling personally identifiable information (PII) and credit card details from Singapore on various forums and marketplaces. Stolen PII is frequently used in identity theft, financial fraud, and other cybercrimes, as it provides sufficient information to impersonate individuals and carry out fraudulent activities.

Sale of PII and Credit Card Information from Singapore

Hacktivist Attacks in Singapore:

  • Hacktivist groups such as RipperSec, Tengkorak Cyber Crew, Z_BL4CK_H4T, Zenimous Crew, and Sulawesi Cyber Team | Indonesia, among others, have been targeting Singapore in response to its support of Israel. 
  • These groups have engaged in DDoS attacks, website defacement, and the leaking of databases purportedly belonging to their targets. These actions could potentially lead to significant disruptions, compromised security, and data breaches for affected organizations.

Hacktivist groups targeting Singapore

Threat Actor Purchase Requests on Underground Forums Targeting Singapore:

  • Threat actors have been observed seeking the purchase of services aimed at targeting Singapore.
  • A threat actor was recently seen requesting large quantities of MD5 decryption data from various regions, including Singapore, which could facilitate unauthorized access to sensitive information.
  • Additionally, another threat actor was recently seen requesting dehashed data related to Tigerair, potentially allowing misuse of airline information and compromising passenger security.
  • This could lead to significant disruptions and financial harm to affected organizations.

Purchase request for MD5 decryption data

Purchase request for data related to Tigerair

The recent surge in cyber threats and attacks on Singapore has revealed a critical need for enhanced cybersecurity measures, as ransomware incidents, data breaches, and other malicious activities continue to disrupt operations and expose sensitive information, leading to significant financial and reputational damage.

Recommendations

  • Enhance Cybersecurity Measures
    • Implement advanced threat detection and response systems to identify and mitigate ransomware attacks and other malicious activities early.
    • Regularly update and patch systems to protect against vulnerabilities exploited by ransomware and other cyber threats.
  • Strengthen Data Protection Policies
    • Enforce strict access controls and encryption for sensitive data to prevent unauthorized access and data breaches.
    • Conduct regular audits and vulnerability assessments to identify and address potential weaknesses in data protection strategies.
  • Educate and Train Staff
    • Provide cybersecurity awareness training to employees to recognize and respond to phishing attempts, social engineering, and other cyber threats.
    • Develop and test incident response plans to ensure preparedness for handling data breaches and cyber attacks effectively.
  • Monitor and Respond to Threats
    • Continuously monitor underground forums and dark web activity for signs of threats targeting your organization or sector.
    • Collaborate with cybersecurity companies like CloudSEK to track and respond to emerging threats and mitigate potential risks.
  • Secure Personal Data
    • Implement strong data privacy measures to protect personally identifiable information (PII) from unauthorized access and sale.
    • Ensure compliance with data protection regulations and industry standards to safeguard personal and financial information.
  • Improve Incident Reporting and Communication
    • Establish clear protocols for reporting and managing data breaches and cyber incidents to minimize damage and expedite recovery.
    • Communicate transparently with affected parties and stakeholders to maintain trust and provide guidance on mitigating the impact of data breaches.

Reference

CloudSEK’s flagship digital risk monitoring platform XVigil contains a module called “Underground Intelligence” which provides information about the latest Adversary, Malware, and Vulnerability Intelligence, gathered from a wide range of sources, across the surface web, deep web, and dark web.

Author

CloudSEK TRIAD

CloudSEK Threat Research and Information Analytics Division

