The year 2025 witnessed a marked escalation in cyber assaults on critical infrastructure in Asia, underscoring the region's vulnerability amid rapid digitalisation. In the Asia-Pacific region, over 200 targeted attacks were identified from more than 150,000 incidents, with critical sectors, such as government systems and manufacturing, bearing the brunt.
Southeast Asia emerged as a hotspot, plagued by advanced persistent threats (APTs) often attributed to state actors. Chinese hackers, for instance, conducted ongoing espionage campaigns against telecom, government, and manufacturing entities in the region.
Singapore publicly acknowledged cyber espionage targeting its critical infrastructure, attributing it to groups linked to foreign actors and emphasising the need for heightened vigilance. Similarly, in Hong Kong and markets such as the Philippines and Thailand, APT groups exploited unpatched systems, resulting in disruptions to the energy and transportation sectors.
These incidents align with global projections: Gartner anticipated that 30% of critical infrastructure organisations would face breaches in 2025, a forecast borne out by real-world events. Malware infections surged by 67% in Singapore alone, as per the Singapore Cyber Landscape 2024–2025 report, primarily due to unpatched vulnerabilities.
In Malaysia and Thailand, ransomware attacks on utilities and healthcare infrastructure highlighted the geopolitical undertones, with actors like Volt Typhoon infiltrating networks for long-term sabotage. The Philippines reported weekly cyber intrusions, often tied to supply chain compromises.
For CISOs and CIOs, these attacks signal a shift: AI-matured threats, such as adaptive ransomware, now evade detection more effectively, demanding strategies that prioritise recovery over mere prevention.
Vulnerable critical infrastructure
Amid this threat landscape, three key vulnerabilities stand out in Southeast Asia and Hong Kong, particularly in legacy-heavy sectors like manufacturing and utilities.
First, unpatched vulnerabilities and legacy systems continue to be a pervasive weakness. Many organisations in Singapore, Malaysia, and Thailand operate outdated operational technology (OT) that lacks modern security features, making them susceptible to zero-day exploits. In the Philippines and Hong Kong, rapid urbanisation has outpaced infrastructure updates, leading to malware proliferation through unpatched entry points.
As Cohesity vice president of sales for ASEAN, Lim Hsin Yin notes, "According to the Singapore Cyber Landscape 2024–2025 report, malware infections increased 67%, with 117,300 incidents mainly due to unpatched vulnerabilities."
Second, supply chain and third-party risks amplify exposure. The region's manufacturing ecosystem, spanning Malaysia's electronics hubs to Thailand's automotive plants, is vulnerable to attacks through interconnected vendors.
Incidents like the 2024 CrowdStrike outage, which crippled 8.5 million systems globally, reverberated in 2025 with similar breaches in Hong Kong's financial infrastructure and Singapore's airports.
Lim emphasises, "Third-party and supply chain risks are among the most significant vulnerabilities. For example, the 2024 CrowdStrike incident caused 8.5 million systems to crash, disrupting daily life worldwide."
Third, insufficient integration of IT and OT security hampers unified threat visibility. In ASEAN's manufacturing base, legacy OT systems often operate in silos, complicating coordinated responses. Hong Kong's dense urban CI and the Philippines' archipelagic setup exacerbate this, with fragmented tools leading to delayed detections.
Lim addresses this: "In ASEAN, with its large manufacturing base, integrating IT and OT security is a key priority.
"A unified data management platform allows organisations to consolidate IT and OT data, streamline operations, and achieve coordinated responses—even across legacy systems." Lim Hsin Yin
These vulnerabilities, compounded by the maturation of AI, enable attackers to automate reconnaissance and exploit gaps at scale, turning minor flaws into catastrophic breaches.
Opportunities hiding behind threats
Yet, 2026 presents opportunities for CISOs and CIOs to leverage maturing AI for robust defence. Cohesity's approach, as articulated by Lim, exemplifies this: "Cohesity is the leader in AI-powered data security. Our mission is to protect, secure and provide insights into the world's data."
By adopting AI for threat detection and recovery, organisations can transform vulnerabilities into strengths.
In data resilience, enterprises are investing heavily, recognising cyber resilience as a board-level imperative. Lim highlights, "Enterprises in Asia are investing heavily in cyber resilience. It's now a board-level topic, not just an IT concern."
Opportunities lie in implementing best practices, such as the 3-2-1-1 backup policy and immutable backups, which AI enhances through predictive analytics to foresee and mitigate risks.
Regulatory landscapes in Singapore and Malaysia, with frameworks like the ASEAN Digital Economy Framework Agreement, encourage cross-border intelligence sharing, countering APTs like Volt Typhoon. Lim observes, "Enterprises in ASEAN are collaborating through frameworks like the ASEAN Digital Economy Framework Agreement, using AI, automation, and zero-trust architectures to share intelligence and counter APTs."
Geopolitically, heightened awareness of state-backed threats fosters the development of partnerships. In Hong Kong and Thailand, CIOs can capitalise on zero-trust models: "For ICS and OT, CISOs are prioritising: Zero Trust principles, Role-based access controls and MFA, Network segmentation to prevent lateral movement, Continuous monitoring for real-time visibility, Data-centric security using unified platforms to protect and recover operational data," as per Lim.
From a business perspective, AI maturation enables cost-effective scalability. Cohesity's Five Steps to Cyber Resilience—protecting data with governance, ensuring recoverability, detecting threats via AI, preparing with drills, and reducing theft risk—offers a vendor-agnostic roadmap. Lim stresses, "This roadmap is vendor-agnostic and helps organisations assess maturity and align with global best practices."
Strengthening strategies for 2026 and beyond
Looking ahead, CISOs and CIOs must evolve strategies to reflect AI's dual role. Prioritise AI integration for defence: "Leverage technology—especially AI—to defend against AI-driven attacks," advises Lim.
Shift focus to recovery metrics like RTO and RPO, as "Many CISOs now prioritise fast data recovery over backup speed, because business continuity, customer satisfaction, and revenue depend on quick recovery."
Foster collaborations: "Cybersecurity is a team sport. No single company can cover every area—from identity and data protection to networks and threat intelligence." Partner with entities like Palo Alto and Google, while conducting regular drills in environments like Cohesity's Red Lab.
In regulatory terms, align with NIST and MITRE frameworks amid tightening laws in Singapore and the Philippines. Geopolitically, monitor APT surges and invest in supply chain validation.
Business leaders should view resilience as a competitive edge, embedding AI to glean insights from data under management, where Cohesity leads with volumes "10 to 100 times more than the other friendly competitors."
By addressing these facets, CISOs and CIOs in Southeast Asia and Hong Kong can navigate the challenges of 2026, leveraging AI's maturation as a strategic advantage for enduring cyber resilience.
Click on the PodChats player to listen to Lim elaborate on how to build resilience into critical infrastructure.
- What is Cohesity?
- How robust are enterprises' data resilience strategies in Asia, including immutable backups, air-gapped copies, and recovery drills, in ensuring operational continuity after ransomware or destructive cyberattacks? What KPIs are being used to measure its effectiveness?
- To what extent have enterprises in ASEAN integrated IT and OT security teams, tools, and processes to achieve unified threat visibility and coordinated responses across their entire critical infrastructure estates, especially considering the prevalence of legacy systems in the region?
- How are CISOs continuously reevaluating and managing third-party and supply chain risks—especially for vendors linked to OT environments—to prevent breaches similar to regional supply chain attacks, such as MOVEit, or airport data centre infiltrations?
- What zero-trust and segmentation measures have CISOs prioritised to protect industrial control systems (ICS) and OT environments against increasingly sophisticated hacktivist and state-backed threat actors targeting ASEAN and Hong Kong critical infrastructure?
- How are enterprises leveraging real-time, cross-border threat intelligence sharing within ASEAN to detect and disrupt pre-positioning and advanced persistent threats (APTs), as exemplified by campaigns like Volt Typhoon?
- As we enter 2026, what are your expectations regarding critical infrastructure defence, and what should operators of critical infrastructure be doing to enhance their defence structure?
