Chinese hackers using Singapore: The “Singapore Pivot”
Generated using Gemini AI / Posted 07 March 2026
The primary network identified in these operations is AS132203, which is registered to Tencent Building, Kejizhongyi Avenue, but operates a massive node in Singapore. This network is often labeled in firewall logs as Tencent-NET-AP-CN.
Identified Threat IP Ranges
While the hackers use thousands of rotating addresses, security analysts (including Cloudflare and AbuseIPDB) have repeatedly flagged these specific blocks in Singapore for brute-force and DDoS activity:
Known “Hot” IP Addresses
The following individual IPs have been frequently reported for targeting Australian news CMS (Content Management Systems) like WordPress and Ghost:
- 43.134.35.92
- 43.156.12.221
- 124.156.207.67
- 129.226.215.97
Tactics Used Against Australian Media
Unlike broad financial hacking, the attacks on news platforms from these Tencent Singapore nodes are highly specific:
- Bot Masking: The traffic uses common browser “User Agents” (e.g., Mozilla/5.0 Windows NT 10.0) to mimic real readers from Sydney or Melbourne, making it harder for standard firewalls to block them.
- SSH & API Exploitation: The hackers target the SSH port (22) and API endpoints of Australian news servers. They attempt to gain administrative access to change headlines, delete archives, or install “rootkits” that allow them to monitor journalist communications.
- The “Silent Heist”: In late 2025, the Australian Signals Directorate (ASD) warned of a “silent heist” trend where state-linked actors (like UNC3886) stay inside a news network for months without causing damage, simply to exfiltrate contact lists and private drafts.
Why Singapore?
Singapore is used because it is a “Goldilocks Zone” for hackers:
- Geopolitics: It is a neutral, trusted hub. Traffic from Singapore to Australia is rarely viewed with the same suspicion as traffic directly from mainland China.
- Speed: The low-latency connection via undersea cables ensures that DDoS attacks have maximum “punch” before they can be mitigated.
Recommended Actions for News Publishers
If you are seeing hits from these ranges in your logs, security experts suggest:
- Geofencing: If your primary audience is in Australia, consider “Challenge” mode (CAPTCHA) for all traffic originating from Singapore IP blocks, especially those assigned to Tencent/Q-Cloud.
- ASN Blocking: Block or rate-limit the entire AS132203 (Tencent) if you do not have legitimate business traffic from their cloud services.
- Hardening: Ensure all administrative logins use MFA (Multi-Factor Authentication) and change default SSH ports to non-standard high ports (e.g., above 50,000).
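As an added example, not part of the post, here is a defender-side triage that applies the recommendations above to web server access logs: it parses combined-format lines, counts failed hits on CMS login/admin endpoints, and returns a per-IP decision of allow, challenge (CAPTCHA) or block. The reported IPs and AS132203 come from the post; the IP-to-ASN table, the WordPress/Ghost admin paths and the log lines are constructed for the example and stand in for a real ASN database and real traffic.

```python
import re
from collections import Counter
# Addresses the post says were reported for targeting news CMSs; AS132203 is the ASN it names.
REPORTED_IPS = {"43.134.35.92", "43.156.12.221", "124.156.207.67", "129.226.215.97"}
TENCENT_ASN = 132203
# Constructed IP->ASN table standing in for a GeoIP/ASN database. 203.0.113.x (TEST-NET-3)
# and AS64500 are documentation values; 203.0.113.50 is mapped to AS132203 only for the demo.
ASN_LOOKUP = {"43.156.12.221": TENCENT_ASN, "203.0.113.50": TENCENT_ASN,
              "203.0.113.7": 64500, "203.0.113.9": 64500}
# CMS login/admin API paths to watch (assumed WordPress/Ghost paths, not from the post).
ADMIN_PATHS = ("/wp-login.php", "/xmlrpc.php", "/ghost/api/admin/")
FAILED_ADMIN_LIMIT = 3  # failed admin hits before escalating from challenge to block
# Combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def parse(line):
    """Parse one combined-format line; None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ip, method, path, status, ua = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status), "ua": ua}

def classify(lines):
    """Map each source IP to 'allow', 'challenge' (CAPTCHA) or 'block'. The User-Agent is
    parsed but not trusted: the post says the traffic spoofs ordinary browser UAs."""
    failed_admin, seen = Counter(), set()
    for rec in filter(None, map(parse, lines)):
        seen.add(rec["ip"])
        if rec["path"].startswith(ADMIN_PATHS) and rec["status"] in (401, 403):
            failed_admin[rec["ip"]] += 1
    actions = {}
    for ip in seen:
        if ip in REPORTED_IPS or failed_admin[ip] >= FAILED_ADMIN_LIMIT:
            actions[ip] = "block"
        elif ASN_LOOKUP.get(ip) == TENCENT_ASN:
            actions[ip] = "challenge"  # the post's recommendation for Tencent/Q-Cloud blocks
        else:
            actions[ip] = "allow"
    return actions

UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"  # the spoofed browser UA the post describes
SAMPLE_LOG = [  # constructed log lines for this example
    f'203.0.113.50 - - [07/Mar/2026:10:00:01 +1100] "GET / HTTP/1.1" 200 5120 "-" "{UA}"',
    f'43.156.12.221 - - [07/Mar/2026:10:00:02 +1100] "POST /wp-login.php HTTP/1.1" 401 210 "-" "{UA}"',
    f'203.0.113.7 - - [07/Mar/2026:10:00:03 +1100] "POST /wp-login.php HTTP/1.1" 401 210 "-" "{UA}"',
    f'203.0.113.7 - - [07/Mar/2026:10:00:04 +1100] "POST /wp-login.php HTTP/1.1" 401 210 "-" "{UA}"',
    f'203.0.113.7 - - [07/Mar/2026:10:00:05 +1100] "POST /xmlrpc.php HTTP/1.1" 403 210 "-" "{UA}"',
    f'203.0.113.9 - - [07/Mar/2026:10:00:07 +1100] "POST /ghost/api/admin/session/ HTTP/1.1" 403 90 "-" "{UA}"',
]
```

Running `classify(SAMPLE_LOG)` challenges the unlisted AS132203 address, blocks the reported IP and the address that failed three admin logins, and allows the address with a single failure; in production the lookup table would be replaced by a GeoIP/ASN database query.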