SINGAPORE – Singapore’s critical information infrastructure has come under attack from cyber espionage group UNC3886.
A state-linked advanced persistent threat (APT) actor, it poses a menace to national security in many countries, including Singapore.
Naming the nation’s attacker for the first time on July 18, Coordinating Minister for National Security K. Shanmugam said: “UNC3886 poses a serious threat to us and has the potential to undermine our national security.
“Even as we speak, UNC3886 is attacking our critical infrastructure right now.”
What is UNC3886? Are essential services in Singapore safe from the attack? The Straits Times sheds light on the attack and APTs.
First detected in 2022 by cyber-security firm Mandiant, UNC3886 is a China-linked cyber espionage group.
UNC3886’s attempts are known to be persistent, with the intention of intelligence gathering and long-term spying.
The “UNC” label stands for “uncategorised” or “unclassified”, as industry analysts have not formally classified it. “But that does not mean that it is any less of a threat,” said Mr Shanmugam, who is also Minister for Home Affairs.
Mr Vivek Chudgar, managing director of Mandiant Consulting in Asia-Pacific and Japan, described UNC3886 as highly adept.
He said UNC3886 operates in a sophisticated, cautious and evasive manner and largely focuses on defence, technology and telecommunications organisations in the US and Asia.
The Chinese espionage group is known to target network devices, virtualisation systems and critical information infrastructure with zero-day exploits.
Zero-day exploits are attacks that take advantage of security vulnerabilities in software that the vendor has not yet discovered or patched, so no fix is available when the attack takes place.
Unpatched vulnerabilities in the software of network devices, hypervisors and virtual machines are typically harder to monitor, Mr Chudgar said.
UNC3886 also employs custom malware and tools already available on the victim’s system to evade detection.
Like other APT attackers, UNC3886 is persistent – even if detected and removed from the network, it will attempt to re-enter.
Mr Chudgar said UNC3886 has attacked organisations in the US, Europe and parts of Asia. Specifically, it has targeted sectors such as government, telecoms, technology, aerospace, defence, energy and utility.
“UNC3886 poses a severe threat to national security for the organisations and the countries targeted,” he said.
The group has exploited vulnerabilities in routers from Juniper Networks, network security devices from Fortinet and virtual machines from VMware.
On July 18, the Cyber Security Agency (CSA) said UNC3886’s activities have been detected in parts of Singapore’s critical information infrastructure that power essential services.
“We have been investigating UNC3886’s activities,” said CSA, which is leading the investigations. The agency added that it is monitoring all critical services sectors and sharing threat intelligence, but did not name the affected sectors.
Singapore’s 11 critical services sectors are: aviation, healthcare, land transport, maritime, media, security and emergency services, water, banking and finance, energy, infocommunications and government.
The agency is also working closely with other government bodies and partners to support the unnamed affected organisations.
CSA also did not say how long UNC3886 has been in the affected networks, saying instead: “These attacks are often protracted campaigns, and CSA will need to preserve operational security by not disclosing further information at this stage.”
In 2014, the authorities detected a security breach in the Ministry of Foreign Affairs’ technology systems. Steps were taken to isolate the affected devices and strengthen the networks.
In what was the first sophisticated attack against universities here, the National University of Singapore and Nanyang Technological University discovered intrusions in their networks in 2017.
No classified data or student personal data was stolen, but the attackers were believed to have targeted the two institutions to steal government and research data. The universities were involved in government-linked projects for the defence, foreign affairs and transport sectors.
Then in 2018, Singapore experienced its worst data breach, involving the personal particulars of 1.5 million patients, including then Prime Minister Lee Hsien Loong.
The attacker in the SingHealth breach was said to have been persistent in its efforts to penetrate the network, bypass the security measures and illegally access and exfiltrate data.
The attacker is believed to have lurked in the healthcare group’s network for at least nine months. Its mission: to access SingHealth’s electronic medical records system – critical information infrastructure in Singapore.
Most recently in 2024, about 2,700 devices in Singapore were discovered to have been infected after CSA took part in a cyber operation against a global botnet.
APT hackers behind the botnet exploited poor cyber hygiene practices to infect devices, including baby monitors and internet routers. No critical information infrastructure was affected by the attack.