SINGAPORE: Singapore is actively dealing with a “highly sophisticated threat actor” that is attacking critical infrastructure, Coordinating Minister for National Security K Shanmugam said on Friday (Jul 18).
Mr Shanmugam identified the entity as UNC3886, which Mandiant has described as a “China-nexus espionage group” that has targeted prominent strategic organisations on a global scale.
Mandiant is a cybersecurity firm owned by Google.
The threat actor poses a serious danger to Singapore and could undermine the country’s national security, said Mr Shanmugam, who is also Home Affairs Minister.
He added that it was not in Singapore’s security interests to disclose further details of the attack at this point in time.
Elaborating on “advanced persistent threats” (APTs), of which UNC3886 is one, Mr Shanmugam said these were highly sophisticated and well-resourced threat actors.
Between 2021 and 2024, suspected APT attacks on Singapore increased more than fourfold, he said.
The minister was speaking at a dinner to mark 10 years since the Cyber Security Agency of Singapore (CSA) was established in 2015.
In a separate statement, CSA said it was leading investigations into UNC3886 and supporting affected organisations with relevant agencies and partners.
“We have been investigating UNC3886’s activities since it was detected in parts of our critical infrastructure,” the agency said.
CSA said it was also monitoring all critical sectors and sharing threat intelligence so that they can take preventive measures.
The critical sectors are energy, water, banking and finance, healthcare, transport, government, information and communications, media, and security and emergency services.
“These attacks are often protracted campaigns and CSA will need to preserve operational security by not disclosing further information at this stage,” it added.
Mr Shanmugam said that UNC3886 deploys advanced tools to compromise systems, and is able to evade detection and maintain persistent access in “victim networks”.
“Industry has associated UNC3886 with cyberattacks against critical areas including defence, telcos, technology organisations in the United States and in Asia,” he said.
“The intent of this threat actor in attacking Singapore is quite clear. It is going after high value strategic threat targets, vital infrastructure that deliver essential services.
“If it succeeds, it can conduct espionage and it can cause major disruption to Singapore and Singaporeans.”
Mr Shanmugam also elaborated on the threat posed by APTs.
“APTs are highly sophisticated and well-resourced actors. They typically act on state objectives. They steal sensitive information, they disrupt essential services,” he said.
“APT groups have been identified, like Sandworm, the Typhoons cluster. They attack critical infrastructure like healthcare, telcos, water, transport, power.”
The name “Typhoon” is based on Microsoft’s naming system for threat actors, which uses the label for those acting on behalf of or directed by China.
The Washington Post has reported that a group known as Salt Typhoon infiltrated major US telco carriers in a move that allowed them to intercept communications of top politicians.
The US government has reportedly linked Salt Typhoon to China’s Ministry of State Security.
Volt Typhoon, another group suspected to be run by China’s People’s Liberation Army, reportedly compromised electric and water infrastructure.
US intelligence leaders and Congress members concluded the objective was to be prepared to cause chaos in any direct conflict over Taiwan, the Washington Post reported.
A third organisation, called Silk Typhoon, is less understood…
Explain It To Me Like I’m 5: Singapore is dealing with a dangerous group of hackers called UNC3886, who are trying to attack important services like water and electricity, and the government is working hard to protect everything.