Critical infrastructure owners required to immediately report cyberattacks

By Amit Roy Choudhury

With the UNC3886 APT attack still ongoing, Singapore’s Minister for Digital Development and Information, Josephine Teo, said this measure would allow for the timely detection of attacks, enabling a coordinated response led by the CSA.

Addressing the Cyber Security Agency of Singapore (CSA) Operational Technology Cybersecurity Expert Panel (OTCEP) forum on Tuesday, Singapore’s Minister for Digital Development and Information, Josephine Teo, announced new measures to safeguard CIIs. Image: MDDI. 

With the ongoing attack on its critical infrastructure by the advanced persistent threat (APT) group UNC3886, Singapore has announced new reporting requirements for its critical information infrastructure (CII) service providers. 


Speaking at the Cyber Security Agency of Singapore (CSA) Operational Technology Cybersecurity Expert Panel (OTCEP) forum on Tuesday, Singapore’s Minister for Digital Development and Information, Josephine Teo, said that CII owners would soon be required to immediately report any incidents suspected to be caused by APT attacks to CSA. 


Singapore has identified 11 critical sectors as CII. They are: aviation, financial sector, energy, public sector, healthcare, information and communications (infocomm) services (ICT), land transport, maritime, security and emergency services, water supply and media.


In a LinkedIn post, the minister wrote: “Why does this matter? Timely and accurate reporting enables faster detection, response, and containment. With this information, CSA can better support affected organisations and, if needed, alert others to strengthen their defences.” 


Commenting on the seriousness of the situation, Minister Teo emphasised that APTs are often state-linked, well-resourced and determined.  


“They may conduct espionage for their state sponsor. Their other task may be to develop the capacity to disrupt the services and assets in other states,” she said. 

UNC3886 attack still ongoing 


At the event, the minister informed the audience that a team led by the CSA was still dealing with the attack by UNC3886.  


On July 18, Singapore’s Coordinating Minister for National Security, K. Shanmugam, first informed the country about the attack by UNC3886.


The fact that the attack was still ongoing, almost two weeks after it was publicly announced, indicated that this was one of the most serious APT incursions that Singapore has faced.  




According to Minister Teo, the number of APT attacks faced by the country has increased fourfold from 2021 to 2024. 


Spelling out a clear change in strategy, from pragmatic hints of being attacked to naming and shaming the attackers, which GovInsider had written about earlier, Minister Teo said: “Until recently, we had not said much about APT activity. Nor had we named any of the groups involved.  


“Why are we doing so now, for the first time?” 


She explained that the government wants the public to know “these threats are not imagined but real.  


“We also need everyone to understand that the potential consequences to our economy and society are very serious.  


“APTs target critical infrastructure, which provides essential services for Singapore and Singaporeans. Disruptions will not go unnoticed,” she said. 

Not just nice-to-have 


Minister Teo added that these “live” attacks reminded us that cybersecurity is not a nice-to-have.  

“It is a must, not just for the IT personnel, but for the CEO and the board.  


“In particular, the owners of CIIs must raise your vigilance, because you provide essential services that Singapore and Singaporeans depend on. 


“The threats you face are no longer simple ransomware attacks. APTs have you in their sight,” she said. 


On the need for new guidelines for CII owners, the minister emphasised that if an organisation suspected that they had been targeted “they cannot – and should not – confront the attackers on their own”. 


The requirement for CII owners to immediately report to CSA if they suspect any attack followed from last year’s amendments to the Cybersecurity Act and was intended to strengthen incident reporting requirements.


This new requirement will be implemented later this year. 


The minister observed that this requirement would support the early detection of APT activities and enable CSA to take “more timely actions, together with other government agencies,” to defend CII owners against the attacks. 

Full cooperation needed 


She added that Singapore needed the full cooperation of the CII owners, private sector solution providers, and other cybersecurity experts.


“Without a strong sense of shared responsibility and active contributions, our adversaries will have more vulnerabilities to exploit,” she said. 


Referring to UNC3886, the minister said that CSA has raised the National Cyber Threat Alert Level (NCTAL) due to the ongoing attack and heightened APT activity. 


“We are continuing to actively work with CII owners to enhance the security of our critical systems,” she said.  

Classified briefing 


In addition, CSA has also convened the CEOs of all CII owners for a classified briefing on the threat landscape, focusing on the threat from APTs, the minister added.  


“This is part of our efforts to share guidance on APT threats, support technical reviews, and help CIIs sharpen their readiness response.” 


At the OTCEP event, the minister shared that CSA would sign a Memorandum of Collaboration (MOC) in Operational Technology (OT) Cybersecurity with ST Engineering.  


Much like the MOU with Dragos in 2023, this new collaboration is part of CSA’s “commitment to secure access to the latest tools and expertise”, she added.  


It would also allow the engineering teams of both organisations to jointly study and develop solutions in OT cybersecurity, she added. 


Sharing a big picture of the recent events, the minister, in her LinkedIn post, noted: “Singapore is not - and never will be - fully immune to cyber threats. Let’s adopt an ‘assume breach’ mindset. Stay vigilant, continue to build and fortify resilient systems, and stand united.”