{
	"id": "f90773c0-46cf-4f8c-b681-52b6b8abb933",
	"created_at": "2026-04-06T01:32:36.469858Z",
	"updated_at": "2026-04-10T03:20:36.061101Z",
	"deleted_at": null,
	"sha1_hash": "d2f6653a4b5e00f9501bd68a305e3a1219ad0455",
	"title": "Russian Attacks Against Singapore Spike During Trump-Kim Summit",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52373,
	"plain_text": "Russian Attacks Against Singapore Spike During Trump-Kim\r\nSummit\r\nBy Authors \u0026 Contributors\r\nArchived: 2026-04-06 01:06:39 UTC\r\nIt’s no secret Russia has been launching a steady barrage of coordinated cyber-attacks against the U.S. as many\r\nsanctions have been issued against Russian officials and businesses since the 2016 Presidential election.1 Beyond\r\nofficial sanctions, the US-Cert issued an alert in April regarding Russia maintaining persistent access to small\r\noffice and home office routers warning of widespread espionage. From June 11 to June 12, 2018, F5 Labs, in\r\nconcert with our data partner, Loryka, found that cyber-attacks targeting Singapore skyrocketed, 88% of which\r\noriginated from Russia. What’s more, 97% of all attacks coming from Russia during this time period targeted\r\nSingapore. We cannot prove they were nation-state sponsored attacks, however the attacks coincide with the day\r\nPresident Donald Trump met with North Korean President Kim Jong-un in a Singapore hotel. The attacks targeted\r\nVoIP phones and IoT devices, which appears to be more than a mere coincidence.\r\nRussia accounted for 88% of the attacks against Singapore on 6/12/2018.\r\nThe attack began out of Brazil targeting port SIP 5060, which is used by IP phones to transmit\r\ncommunications in clear text; this was the single most attacked port.\r\nFollowing this initial phase, the attacks were primarily reconnaissance scans from the Russian IP address\r\n188.246.234.60, targeting a variety of ports.\r\nThe number two attacked port was Telnet, consistent with IoT device attacks that could be leveraged to\r\ngain access to or listen in on targets of interest.\r\nOther ports attacked include the SQL database port 1433, web traffic ports 81 and 8080, port 7541, which\r\nwas used by Mirai and Annie to target ISP-managed routers, and port 8291, which was targeted by Hajime\r\nto PDoS MikroTik routers.\r\nJune 12, 2018 Attacks\r\nApproximately 40,000 attacks were launched between 3:00 p.m. UTC on 6/11/2018, and lasted through 12:00\r\np.m. UTC on 6/12/2018. That translates to 11:00 p.m. through 8:00 p.m. Singapore time on June 12, the day\r\nPresident Trump met with Kim Jong-un in Singapore.2\r\nFigure 1. Timeline of Singapore attacks\r\nNinety-two percent of the attacks collected were reconnaissance scans looking for vulnerable devices; the other\r\n8% were exploit attacks. Thirty-four percent of the attacks originated from Russian IP addresses. China, US,\r\nFrance, and Italy round out the top 5 attackers in this period, all of which launched between 2.5 to 3 times fewer\r\nhttps://www.f5.com/labs/articles/threat-intelligence/russian-attacks-against-singapore-spike-during-trump-kim-summit\r\nPage 1 of 3\n\nattacks than Russia. Brazil, in the sixth position, was the only other country we detected launching SIP attacks\r\nalongside Russia.\r\nFigure 2: Top 10 attack source countries worldwide, June 12, 2018 — Singapore time\r\nSingapore was the top destination of the attacks by a large margin, receiving 4.5 times more attacks than the U.S.\r\nor Canada. Singapore is not typically a top attack destination country; this anomaly coincides with President\r\nTrump’s meeting with Kim Jong-un.\r\nFigure 3. Top 10 attack destination countries, June 12, 2018 — Singapore time\r\nRussia was the primary source of the attacks against Singapore during this period, launching 88% of the attacks.\r\nBrazil was the number two attacker, launching 8% of the attacks against Singapore, and Germany was number\r\nthree with 2% of the attacks. No attempt appears to have been made to conceal the attacks launched from Russia.\r\nThere was also no malware associated with the attacks against Singapore from Russia.\r\nFigure 4. Top 10 source countries of Singapore attacks, June 11, 2018 through June 12, 2018\r\nTop Attacking Russian IP Address\r\nThe majority of the attacks coming from Russia were reconnaissance scans coming from one IP address:\r\n188.246.234.60. The IP is owned by ASN 49505, operated by Selectel. The recon scans were preceded by the\r\nactual attacks against port 5060 that came primarily from Brazil.\r\nAttack Destination Ports\r\nThe following ports in order of prevalence were targeted in the Singapore attacks:\r\n5060 — clear text Session Initiation Protocol (SIP)\r\n23 — Telnet remote management\r\n1433 — Microsoft SQL Server database\r\n81 — Alternate web server port for host-to-host communication\r\n7547 — TCP port used by ISPs to remotely manage routers via the TR-069 protocol\r\n8291 — Remote management port commonly used by MikroTik routers\r\n8080 — Alternate web server port often used for a proxy server or caching\r\nThe SIP port 5060 received 25 times more attacks than port 23 in the #2 position. SIP is an IP phone protocol, and\r\nport 5060 is specifically the non-encrypted port versus port 5061, which is encrypted. It is unusual to see port\r\n5060 as a top attack destination port. Our assumption is that the attackers were trying to gain access to insecure\r\nphones or perhaps the VoIP server. Attacks against this port haven’t been in the news since 2011 when the\r\nSIPVicious VoIP tool was popular.3\r\nhttps://www.f5.com/labs/articles/threat-intelligence/russian-attacks-against-singapore-spike-during-trump-kim-summit\r\nPage 2 of 3\n\nTelnet is the most commonly attacked remote administration port by IoT attackers. It’s very likely these attackers\r\nwere looking for any IoT device they could compromise that could provide them access to targets of interest,\r\nwhich would then enable them to spy on communications and collect data.\r\nPort 7457 is used by ISPs to remotely manage their routers. This protocol is targeted by Mirai and Annie, a Mirai\r\nspinoff that caused millions of dollars of damage to European ISPs in late 2016.4 If any devices in Singapore had\r\nthis port open and were protected with default admin credentials, it is likely the attackers gained access and used\r\nman-in-the-middle attacks to intercept traffic through those devices, collecting data, redirecting traffic, and so on.\r\nPort 8291 was recently attacked by Hajime,5 the vigilante thingbot created to PDoS devices that would otherwise\r\nbe infected by Mirai.6 If any devices in Singapore were listening on this port, and protected with vendor default\r\ncredentials, it is likely the attackers could have gained access.\r\nConclusion\r\nIt is unclear what the attackers were after with the SIP attacks or whether they were successful. We will continue\r\nto analyze the attack data we have collected and update this story as we make new discoveries.\r\nWe do not have evidence directly tying this attacking activity to nation-state-sponsored attacks, however it is\r\ncommon knowledge that the Russian government has many contractors within Russia doing their bidding, and that\r\na successful attack on a target of interest would make its way through to the Kremlin.\r\nIn regard to mitigating the threat of these types of attacks which, in this case, involved IoT devices and databases\r\ndirectly touching the Internet, our advice is to always:\r\nProtect remote administration to any device on your network with a firewall, VPN, or restrict to a specified\r\nmanagement network. Never allow open communication to the entire Internet.\r\nAlways change vendor default administration credentials.\r\nStay up to date with any security patches released by the manufacturer.\r\nSource: https://www.f5.com/labs/articles/threat-intelligence/russian-attacks-against-singapore-spike-during-trump-kim-summit\r\nhttps://www.f5.com/labs/articles/threat-intelligence/russian-attacks-against-singapore-spike-during-trump-kim-summit\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.f5.com/labs/articles/threat-intelligence/russian-attacks-against-singapore-spike-during-trump-kim-summit"
	],
	"report_names": [
		"russian-attacks-against-singapore-spike-during-trump-kim-summit"
	],
	"threat_actors": [],
	"ts_created_at": 1775439156,
	"ts_updated_at": 1775791236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d2f6653a4b5e00f9501bd68a305e3a1219ad0455.pdf",
		"text": "https://archive.orkl.eu/d2f6653a4b5e00f9501bd68a305e3a1219ad0455.txt",
		"img": "https://archive.orkl.eu/d2f6653a4b5e00f9501bd68a305e3a1219ad0455.jpg"
	}
}