Singapore is currently dealing with a “highly sophisticated threat actor” targeting the country’s critical infrastructure.
During the Cyber Security Agency of Singapore’s (CSA) 10th anniversary on July 19, Coordinating Minister for National Security and Minister for Home Affairs K Shanmugam identified the group behind the advanced persistent threat (APT) as UNC3886, which he said has been associated with attacks on defence organisations, telcos, and tech companies in the United States and Asia.
“The intent of this threat actor in attacking Singapore is quite clear. It is going after high value strategic targets; vital infrastructure that deliver essential services,” he said.
“If it succeeds, it can conduct espionage and it can cause major disruption to Singapore and Singaporeans. UNC3886 poses a serious threat to us and has the potential to undermine our national security, even as we speak,” he added.
Without going into details, Shanmugam categorised the attack as “serious and ongoing.”
In a separate statement, CSA said it is leading the investigations, and is working closely with relevant agencies and partners to support affected organisations.
“We are monitoring all critical sectors and sharing threat intelligence so that they can take preventive measures. These attacks are often protracted campaigns and CSA will need to preserve operational security by not disclosing further information at this stage,” the agency said.
Google-owned Mandiant previously referred to UNC3886 as a “China-nexus espionage group.” Responding to the allegations, the Chinese Embassy in Singapore said it “opposes any groundless smears and accusations against China,” and stressed that China is a “major victim of cyberattacks.”
“The Embassy would like to reiterate that China is firmly against and cracks down all forms of cyberattacks in accordance with law. China does not encourage, support, or condone hacking activities. Keeping the cyberspace safe is a global challenge and China stands ready to work with Singapore and the rest of the world to jointly protect cybersecurity,” it further noted.
Meanwhile, Minister for Digital Development and Information Josephine Teo explained why the government is publicly disclosing the current APT attack on Singapore.
“Singaporeans should be aware about the ongoing threats we face in cyberspace and there is never a perfect time to disclose such incidents. We always have to strike a fine balance between maintaining operational security and raising public awareness, especially while live operations are ongoing,” she said in a Facebook post.
According to one security expert, APT groups like UNC3886 are not opportunistic hackers, but are instead patient, adaptive, and adept in their tradecraft.
“Historically, the group has exploited zero day vulnerabilities in virtualisation, firewall and router platforms to gain entry, deploy custom malware and rootkits, harvest credentials, move laterally with stealth,” noted Satnam Narang, Senior Staff Research Engineer at Tenable.
At the same time, Singapore publicly naming the threat actors appears to be a deliberate and strategic move, another expert observed.
“By identifying the group, Singapore demonstrates that it has the capability to detect and track even the most advanced threat actors. This not only sends a deterrent message to potential adversaries but also reassures the public and private sectors that such threats are being actively monitored and addressed. At the same time, naming UNC3886 encourages operators of critical infrastructure to take action. The group is known for targeting systems that are often overlooked by conventional defences, and making this public helps raise urgency around securing those areas,” said Santiago Pontiroli, Lead Researcher at the Acronis Threat Research Unit.














