By naming hacking group UNC 3886, Singapore sends a strong message

By Amit Roy Choudhury

Singapore’s Coordinating Minister for National Security K. Shanmugam’s disclosure of the threat posed by the APT group could be signalling a change in strategy while dealing with attacks on the country’s critical infrastructure.

By naming UNC 3886 as the group behind the attack on its critical infrastructure, Singapore may be sending a signal that the country’s strategic cyber defence was robust with the ability to detect and track even the most advanced threat actors. Image: Canva. 

It has been more than a week since Singapore’s Coordinating Minister for National Security, K. Shanmugam, dropped the bombshell that the country’s critical information infrastructure (CII) was being attacked by a highly sophisticated state-backed advanced persistent threat (APT) group classified as UNC 3886.


Singapore is no stranger to cyberattacks, but what was special was the platform used by the Minister on July 18 to disclose the attack: the 10th anniversary dinner celebrating the founding of the Cyber Security Agency of Singapore (CSA).   


Talking to an audience comprising a major portion of the first responders to the attack, he said: “UNC3886 poses a serious threat to us and has the potential to undermine our national security. Even as we speak, UNC 3886 is attacking our critical infrastructure right now.”


The significance of this disclosure was not lost on the cybersecurity fraternity around the world. It was a deliberate and well-thought-out strategy to let the Singapore public know of the danger that this group posed.  


Since the Minister’s disclosure, there has been scant information about the attack, save for a statement by Singapore’s Minister for Defence, Chan Chun Sing, that the Singapore Armed Forces (SAF) and Ministry of Defence (MINDEF) have been responding to the attack. 


These units were also working with the CSA in a whole-of-government effort to manage the incident. 


The reported affiliation of the hacker group makes the disclosure even more significant. 


In a blog post in 2024, Google-owned cybersecurity company Mandiant said UNC3886 was a suspected China-nexus cyber espionage actor that has targeted prominent strategic organisations on a global scale.  


According to Mandiant, the primary target for UNC 3886 has been routers and security devices, which were first compromised and then leveraged to access the broader network of the organisation. 


Globally, the group's focus extended to defence, technology, and telecommunications sectors in both the US and Asia. Major victims of UNC 3886 attacks were in North America, Southeast Asia and the Oceania region, according to Mandiant. 


Immediate media speculation about the APT group’s link to China, prompted by the Mandiant report, led the Chinese Embassy in Singapore to refute claims that the group was linked to the country.

Sending a signal 


Cybersecurity analysts were of the opinion that by naming UNC 3886, Singapore may be sending a signal both to this group as well as other APT groups that the country’s strategic cyber defence was robust, with the ability to detect and track even the most advanced threat actors.  


The other aspect that attracted notice is the public expression of anger, something not usually associated with the cool demeanour of Singapore’s diplomacy.


The Minister did not mince words.  


“The intent of this threat actor in attacking Singapore is quite clear. They are going after high-value strategic targets. Vital infrastructure that delivers our essential services. If it succeeds, it can conduct espionage, and it can cause major disruption to Singapore and Singaporeans,” he said during his speech at the CSA dinner. 




A successful breach of Singapore’s CII could potentially cause catastrophic harm, given its high-level automation and interconnectivity.  


In 2015-2016, for example, an attack on Ukraine’s power grid caused widespread physical disruption, leading to blackouts for thousands of citizens. 


In his speech, Minister Shanmugam was blunt: “If you look at the example of Ukraine, cyberattacks were launched and caused a power outage. And the cyberattacks coincided with massive missile strikes.”  


Many cybersecurity policy experts feel that the public attribution of cyberattacks may indicate a strategic shift for the country, making it more aligned with a global trend of naming and exposing sophisticated threat actors, particularly those suspected of being state-backed.


Plausible deniability has been the biggest weapon in the hands of cyber attackers.  


To combat this, Singapore has been working with like-minded countries to develop a cyberspace with clear rules and guidelines that penalise such attacks in future.  

Not the first attack by APT groups 


Over the past 10 years, there have been several major cyber-attacks on sectors which are within the CII ambit in Singapore.  


The Republic identifies 11 critical sectors as CII. They are aviation, financial sector, energy, public sector, healthcare, information and communications (infocomm) services, land transport, maritime, security and emergency services, water supply and media. 


In 2018, SingHealth experienced a major data breach which involved the exfiltration of personal particulars of 1.5 million patients, including the records of the then Prime Minister and the current Senior Minister, Lee Hsien Loong.  


This attack was attributed to a state-linked APT group, which was never named.


In 2017, the National University of Singapore (NUS) and Nanyang Technological University (NTU) systems were hacked, again by a suspected APT group, looking to steal government and research data. 


Also in 2017, personal data belonging to 850 national servicemen and employees were stolen from MINDEF's I-net system, which provides internet access within military camps.  


The stolen data included NRIC numbers, telephone numbers, and dates of birth.


According to the Minister, the number of APT attacks on Singapore increased fourfold from 2021 to 2024.


Apart from these, there have been numerous other attacks on private companies and individuals over the past 10 years. 

Will always be a prime target 


The evolving nature of cyber threats due to the use of artificial intelligence (AI) and soon-to-come quantum computing means that the cybersecurity challenge will remain dynamic, dangerous, and enduring.  


As a strategic global digital and data hub, with a highly connected economy and digital infrastructure, Singapore will always be a prime target for sophisticated cyber threats.


Along with hard physical capability to thwart increasingly sophisticated cyber-attacks, the country has been working on a broader strategy that combines both policy and diplomacy.


In recent years, Singapore has gone out of its way to forge alliances with like-minded countries, both in the region and abroad, to combat crime.


Along with developing resilient digital defences, policy and diplomatic outreach must remain dynamic.


Minister Shanmugam’s statement could be a signal of a policy change.