Hackers breach Singapore networks for 2.5 weeks before detection
North Korea-linked hackers and AI risks test firms’ defences.
Nearly half (47%) of Singapore’s ransomware victims failed to detect network breaches until after their corporate data had already been stolen, a catastrophic spike from just 15% last year.
According to a new ExtraHop report, this defensive breakdown comes as enterprise operations struggle to counter mounting alert fatigue, prolonged attacker dwell times, and weaponised AI-related security risks.
“Adversaries had access to enterprise networks for nearly 2.5 weeks on average before being detected in ransomware incidents,” the report said.
In addition, 16% only became aware of the attack after receiving a ransom demand, compared with 1% previously.
The two most detected threat groups within Singapore’s enterprise networks were Lazarus Group, a North Korea-linked state-sponsored group, and RansomHub, an independent cybercriminal group.
Other groups included Midnight Blizzard, also known as APT29, Nobelium, or Cozy Bear; ALPHV, also known as BlackCat; and APT41, also known as Wicked Panda, Double Dragon, and Brass Typhoon.
The findings come as the city-state remains exposed to enterprise cyberattacks in Southeast Asia. Previous data from Kaspersky showed that Singapore was one of the region’s top targets for Remote Desktop Protocol and exploit attacks.
Kaspersky added that Singapore accounted for over 70,000 of the more than 2 million exploit attacks it blocked against businesses in Southeast Asia in 2025.
ExtraHop said 42% of respondents reported that attackers used encrypted channels to bypass detection, whilst 38% cited alert fatigue as a reason a critical alert was delayed or deprioritised.
Another 37% said attacker activity mirrored legitimate workflows and processes, whilst 33% said adversaries used valid, high-privilege account permissions.
Meanwhile, AI systems have also emerged as a major enterprise attack surface. Nearly a third, or 32%, of Singapore respondents cited AI agents, agentic infrastructure, and generative AI applications as the biggest cybersecurity risk to their organisation.
In a separate QBE survey, nearly four in 10 businesses in Singapore experienced at least one AI-related cyber event in the past year, the highest rate amongst the markets it covered.
The risk has also drawn regulatory attention. The Monetary Authority of Singapore has convened major financial institutions to discuss AI-enabled cyber threats, as the government warned that advanced models are making cyberattacks faster and more sophisticated.
“When you look at the big picture of modern cyber risk, the thread connecting every major challenge, from missed detections and prolonged dwell times to AI false positives, is a fundamental lack of situational awareness, or ground truth,” Raja Mukerji, co-founder and chief scientist at ExtraHop, said.
“As threat actors leverage AI to scale their operations, defenders are countering with automated operations that don’t have the context required to make definitive decisions,” Mukerji added.
The report also found that 85% of respondents identified security incidents, data exposures, or near misses where the root cause was an AI system.
These included third-party or supply chain breaches involving a vendor’s integrated AI or agent mishandling data or creating a vulnerability, cited by 41% of respondents.
Compromised AI identity and session theft followed at 40%, whilst shadow AI exposure was cited by 33%.