
OT-ISAC warned that Singapore’s critical infrastructure is under active cyberattack by UNC3886, a state-sponsored threat group tied to Chinese espionage operations. The group is exploiting zero-day vulnerabilities in Fortinet, VMware, and Juniper systems to gain stealthy, long-term access. Its targets span energy, water, telecommunications, finance, and government services, with tactics that include custom malware and advanced persistence techniques.
In an alert this week, OT-ISAC provided critical context on UNC3886, detailing its tactics, potential impact, and clear steps for defense. Given the group’s strategic intent and technical sophistication, swift, coordinated action is essential to prevent cascading operational disruptions. First identified by Mandiant in 2022, UNC3886 is a China-linked APT known for targeting defense, telecommunications, finance, and OT/IT systems across the U.S. and Asia.
“UNC3886 has targeted energy, water, healthcare, transport, telecommunications, finance, media, emergency services, and government infrastructure across US and Asia,” OT-ISAC said. “Impact scenarios include power outages cascading into water disruption, healthcare interruption, financial and airport system degradation, broader economic harm and reputational damage.”
UNC3886 represents a sophisticated, state-level espionage threat actively probing Singapore’s critical infrastructures. Hardening individual systems is necessary but sector-wide situational awareness, shared detection capabilities, and coordinated incident readiness will be decisive in mitigating cascading effects and maintaining national resilience.
The agency noted that UNC3886 has been active since at least 2021, exploiting zero-day vulnerabilities in FortiOS, VMware products, and ESXi hypervisors. Mandiant confirmed the group as a long-standing espionage threat by 2022, attributing it to China, though the Chinese embassy disputes this.
The group uses a range of advanced tactics. These include exploiting zero-days in Fortinet, VMware, and Juniper devices, such as CVE-2023-34048 and CVE-2022-41328, and deploying custom malware families like MOPSLED, RIFLESPINE, REPTILE, TINYSHELL variants, VIRTUALSHINE, VIRTUALPIE, CASTLETAP, and LOOKOVER.
UNC3886 favors living-off-the-land techniques, including SSH credential harvesting and command-and-control channels hidden in platforms like Google Drive and GitHub. It is known for establishing deep persistence across network and virtualization layers, often disabling logging and tampering with forensic artifacts to evade detection.
OT-ISAC urged Singapore’s critical infrastructure operators to take immediate action by hardening systems and improving detection capabilities. Organizations were advised to apply the latest security patches to Fortinet, VMware, and Juniper devices, and to remove or isolate any outdated or unsupported hardware.
Operators should enhance monitoring by running integrity checks on network devices, such as Juniper’s JMRT scans, and closely monitor for log tampering. Detection capabilities should be updated to identify malware families linked to UNC3886, including MOPSLED, RIFLESPINE, REPTILE, and LOOKOVER, with alerts mapped to the MITRE ATT&CK framework. Unusual command-and-control traffic to platforms like GitHub or Google Drive should also be flagged.
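Two of the monitoring recommendations above, flagging infrastructure hosts that reach out to GitHub or Google Drive and watching for logging that goes quiet, can be expressed as simple detection logic. The following is an added example written for this article, not code from OT-ISAC, Mandiant or any vendor; the host names, domains, log formats, timestamps and the five-minute heartbeat value are all constructed assumptions.

```python
"""Added example (not from the OT-ISAC alert): sample detection logic for two of
the monitoring recommendations, run over constructed log lines.

1. Flag outbound connections from network/virtualization infrastructure hosts to
   code-hosting and cloud-storage platforms (GitHub, Google Drive) that such
   hosts have no business reaching.
2. Flag gaps in a device's syslog stream longer than its expected heartbeat
   interval, a cheap first signal that logging may have been disabled.

All host names, domains, timestamps and thresholds below are constructed.
"""
from datetime import datetime, timedelta
import re

# Assumption: the asset inventory tags which hosts are infrastructure
# (firewalls, routers, hypervisors). Hypothetical names.
INFRA_HOSTS = {"fw-edge-01", "rtr-core-02", "esxi-prod-07"}

# Platforms the alert names as C2 hiding places. A hit is only suspicious from
# an infrastructure host; engineering workstations may use them legitimately.
SUSPECT_SUFFIXES = ("github.com", "githubusercontent.com",
                    "drive.google.com", "googleapis.com")

# Constructed proxy/DNS log: "<ts> <src_host> <dst_fqdn> <bytes_out>"
PROXY_LOG = """\
2025-07-21T09:00:01Z eng-ws-14 github.com 512
2025-07-21T09:00:07Z fw-edge-01 api.github.com 2048
2025-07-21T09:01:15Z esxi-prod-07 drive.google.com 98304
2025-07-21T09:02:00Z rtr-core-02 ntp.example.net 76
"""

PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def flag_c2_candidates(log_text: str, infra_hosts=INFRA_HOSTS):
    """Return (src_host, dst_fqdn, bytes_out) for infra hosts talking to suspect platforms."""
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        _ts, src, dst, out = m.groups()
        if src in infra_hosts and dst.endswith(SUSPECT_SUFFIXES):
            hits.append((src, dst, int(out)))
    return hits


# Constructed syslog stream. Assumption: each device emits at least one message
# every HEARTBEAT; a longer silence is worth a look (log disabled, device
# wedged, or collector broken), so the alert is a prompt to verify, not proof.
HEARTBEAT = timedelta(minutes=5)

SYSLOG = """\
2025-07-21T09:00:00Z fw-edge-01 %SYS: session table 41% full
2025-07-21T09:04:30Z fw-edge-01 %SYS: session table 40% full
2025-07-21T09:31:02Z fw-edge-01 %SYS: session table 40% full
2025-07-21T09:00:10Z rtr-core-02 bgp: peer 10.0.0.2 up
2025-07-21T09:03:55Z rtr-core-02 bgp: peer 10.0.0.2 up
"""


def find_log_gaps(syslog_text: str, heartbeat=HEARTBEAT):
    """Return (host, silence_start, silence_end) for per-host gaps longer than heartbeat."""
    last_seen = {}
    gaps = []
    for line in syslog_text.splitlines():
        ts_str, host, _rest = line.split(" ", 2)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        if host in last_seen and ts - last_seen[host] > heartbeat:
            gaps.append((host, last_seen[host], ts))
        last_seen[host] = ts
    return gaps


if __name__ == "__main__":
    for src, dst, n in flag_c2_candidates(PROXY_LOG):
        print(f"ALERT possible C2: {src} -> {dst} ({n} bytes out)")
    for host, start, end in find_log_gaps(SYSLOG):
        print(f"ALERT log silence on {host}: {start} .. {end}")
```

Both detectors are deliberately allow-list driven: the C2 check keys on which hosts are infrastructure rather than on the destination alone, so ordinary developer traffic to GitHub does not drown the signal, and the gap check reports a silence for analysts to confirm against device uptime rather than asserting tampering on its own.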
Credential hygiene remains critical. OT-ISAC recommended rotating SSH keys and admin credentials, monitoring TACACS+ authentication logs, and enforcing strong identity verification and multi-factor authentication for administrative access. Forensic readiness and incident response were also emphasized. Organizations should keep offline backups of firmware and device configurations, perform rootkit and integrity scans regularly, and ensure incident response playbooks account for virtualization platforms and network hardware compromise.
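The credential-hygiene points in this paragraph (monitoring TACACS+ authentication, rotating SSH keys and admin credentials) translate into a few concrete checks. The script below is an added example for this article, not OT-ISAC guidance or any vendor's tooling; the TACACS+ record format, the approved jump-host addresses, the failure threshold, the 90-day key rotation period and the key inventory are all constructed assumptions.

```python
"""Added example (not from the alert): review constructed TACACS+ authentication
records and an SSH authorized-key inventory against a credential-hygiene policy.

Flags:
  - successful administrative logins to network devices from sources outside
    the approved jump-host set;
  - bursts of failed authentications for one user on one device within a
    short window;
  - SSH authorized keys older than the rotation period.
Hostnames, IPs, users, fingerprints, timestamps and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

APPROVED_ADMIN_SOURCES = {"10.10.0.5", "10.10.0.6"}  # assumption: admin jump hosts
FAIL_THRESHOLD = 3                                    # assumption: policy values
FAIL_WINDOW = timedelta(minutes=2)
KEY_MAX_AGE = timedelta(days=90)
NOW = datetime(2025, 7, 21)                           # fixed "today" for a repeatable run

# Constructed TACACS+ log, one record per line:
# "<ts> <device> user=<u> src=<ip> service=<svc> result=<pass|fail>"
TACACS_LOG = """\
2025-07-21T01:10:00Z rtr-core-02 user=netadmin src=10.10.0.5 service=shell result=pass
2025-07-21T01:12:40Z rtr-core-02 user=netadmin src=192.0.2.77 service=shell result=pass
2025-07-21T01:13:01Z fw-edge-01 user=svc-backup src=198.51.100.9 service=shell result=fail
2025-07-21T01:13:20Z fw-edge-01 user=svc-backup src=198.51.100.9 service=shell result=fail
2025-07-21T01:13:44Z fw-edge-01 user=svc-backup src=198.51.100.9 service=shell result=fail
2025-07-21T01:20:00Z fw-edge-01 user=netadmin src=10.10.0.6 service=shell result=pass
"""


def parse_tacacs(line: str) -> dict:
    """Split one constructed record into a dict of its fields."""
    ts_str, device, *kv = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), "device": device}
    for item in kv:
        key, value = item.split("=", 1)
        rec[key] = value
    return rec


def review_tacacs(log_text: str):
    """Return (unapproved_logins, failure_bursts) found in the log."""
    unapproved, bursts = [], []
    recent_fails = defaultdict(list)  # (device, user) -> timestamps inside window
    for line in log_text.splitlines():
        r = parse_tacacs(line)
        if r["result"] == "pass" and r["src"] not in APPROVED_ADMIN_SOURCES:
            unapproved.append((r["device"], r["user"], r["src"]))
        if r["result"] == "fail":
            window = recent_fails[(r["device"], r["user"])]
            window.append(r["ts"])
            # slide the window: drop failures older than FAIL_WINDOW
            while window and r["ts"] - window[0] > FAIL_WINDOW:
                window.pop(0)
            if len(window) >= FAIL_THRESHOLD:
                bursts.append((r["device"], r["user"], r["src"], len(window)))
    return unapproved, bursts


# Constructed authorized-key inventory: (device, fingerprint, date installed).
# Assumption: such an inventory is exported from configuration backups.
KEY_INVENTORY = [
    ("rtr-core-02", "SHA256:constructedKeyA", "2025-01-05"),
    ("fw-edge-01", "SHA256:constructedKeyB", "2025-06-30"),
]


def stale_keys(inventory, now=NOW, max_age=KEY_MAX_AGE):
    """Return (device, fingerprint, age_days) for keys past the rotation period."""
    stale = []
    for device, fingerprint, installed in inventory:
        age = now - datetime.strptime(installed, "%Y-%m-%d")
        if age > max_age:
            stale.append((device, fingerprint, age.days))
    return stale


if __name__ == "__main__":
    unapproved, bursts = review_tacacs(TACACS_LOG)
    for device, user, src in unapproved:
        print(f"ALERT admin login to {device} as {user} from unapproved source {src}")
    for device, user, src, n in bursts:
        print(f"ALERT {n} failed logins for {user} on {device} from {src}")
    for device, fingerprint, days in stale_keys(KEY_INVENTORY):
        print(f"ROTATE key {fingerprint} on {device}: {days} days old")
```

The unapproved-source check is the most valuable of the three against the tactics described in the article: a valid credential used from an unexpected address is exactly what harvested SSH or admin credentials look like in authentication logs, and it costs nothing beyond keeping the jump-host list accurate.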
To strengthen forward-looking threat detection, OT-ISAC recommended integrating updated indicators of compromise and tactics from UNC3886 into shared intelligence feeds. Regular red-teaming exercises should be conducted around OT systems, with particular focus on edge routers and virtualization layers. The strategy calls for multi-layered resilience that includes network, host, and application visibility, alongside robust anomaly detection.
For broader sector-wide resilience, the alert emphasized the importance of collective threat transparency, balancing operational security with rapid alert sharing among members. Detection capabilities should be community-driven, with organizations collaborating on tuned detection rules and anomaly alerts.
The guidance also urged cross-sector cyber exercises that simulate supply chain disruptions and multi-domain APT scenarios. Coordination with vendors and suppliers, including Fortinet, VMware, Juniper, and other OT solution providers, is essential to align patch timelines and establish joint response protocols. Lastly, governance readiness must include multi-agency tabletop exercises. OT-ISAC advised engaging national agencies such as CSA and SAF/MINDEF to formalize escalation paths and ensure effective crisis recovery operations.
In March, Mandiant researchers identified that threat actors have been deploying custom backdoors on Juniper Networks’ Junos OS routers since mid-2024. These backdoors have been attributed to the China-linked espionage group UNC3886, which primarily targets defense, technology, and telecommunications organizations in the U.S. and Asia. Mandiant discovered several backdoors based on TINYSHELL operating on these routers, each with unique custom capabilities.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.