SINGAPORE: Singapore is actively dealing with a "highly sophisticated threat actor" that is attacking critical infrastructure, Coordinating Minister for National Security K Shanmugam said on Friday (Jul 18).

Mandiant, a cybersecurity firm owned by Google, describes UNC3886 as a "China-nexus espionage group" that has targeted prominent strategic organisations on a global scale.

The threat actor poses a serious danger to Singapore and could undermine the country's national security, said Mr Shanmugam, who is also Home Affairs Minister.

He added that it was not in Singapore's security interests to disclose further details of the attack at this point in time.

Elaborating on "advanced persistent threats" (APTs), of which UNC3886 is one, Mr Shanmugam said these were highly sophisticated and well-resourced threat actors.

Between 2021 and 2024, suspected APT attacks on Singapore increased more than fourfold, he said.

The minister was speaking at a dinner to mark 10 years since the Cyber Security Agency of Singapore (CSA) was established in 2015.

In a separate statement, CSA said it was leading investigations into UNC3886 and supporting affected organisations with relevant agencies and partners.

"We have been investigating UNC3886's activities since it was detected in parts of our critical infrastructure," the agency said.

CSA said it was also monitoring all critical sectors and sharing threat intelligence so that they can take preventive measures.

The critical sectors are energy, water, banking and finance, healthcare, transport, government, information and communications, media, and security and emergency services.

"These attacks are often protracted campaigns and CSA will need to preserve operational security by not disclosing further information at this stage," it added.

Mr Shanmugam said that UNC3886 deploys advanced tools to compromise systems, and is able to evade detection and maintain persistent access in "victim networks".

"Industry has associated UNC3886 with cyberattacks against critical areas including defence, telcos, technology organisations in the United States and in Asia," he said.

"The intent of this threat actor in attacking Singapore is quite clear. It is going after high value strategic threat targets, vital infrastructure that deliver essential services.

"If it succeeds, it can conduct espionage and it can cause major disruption to Singapore and Singaporeans."

Mr Shanmugam also elaborated on the threat posed by APTs.

"APTs are highly sophisticated and well-resourced actors. They typically act on state objectives. They steal sensitive information, they disrupt essential services," he said.

"APT groups have been identified, like Sandworm, the Typhoons cluster. They attack critical infrastructure like healthcare, telcos, water, transport, power."

The name "Typhoon" is based on Microsoft's naming system for threat actors, which uses the label for those acting on behalf of or directed by China.

The Washington Post has reported that a group known as Salt Typhoon infiltrated major US telco carriers in a move that allowed them to intercept communications of top politicians.

The US government has reportedly linked Salt Typhoon to China's Ministry of State Security.

Volt Typhoon, another group suspected to be run by China's People's Liberation Army, reportedly compromised electric and water infrastructure.

US intelligence leaders and Congress members concluded the objective was to be prepared to cause chaos in any direct conflict over Taiwan, the Washington Post reported.

A third organisation, called Silk Typhoon, is less understood but appears to target trade secrets as well as strategic and diplomatic secrets.

The Washington Post reported that government ministries in Spain and Finland, and media companies in Japan, South Korea and the US are among the victims.

MORE DANGEROUS WORLD

Mr Shanmugam said that the world faced more dangers in cyberspace now than it did 10 years ago.

"It is no longer enough only to guard our most critical systems. Potential targets have increased. They include external vendors, suppliers, service providers along the entire supply chain. Even residential devices like home routers, IP cameras are now being exploited by cyber attackers," he said.

He noted that physical conflicts have also spilled over into the digital world, with actors launching cyberattacks to bring down critical infrastructure.

"Singapore has been attacked as well. We are a relevant country geopolitically. We are a digital and data hub that connects the world. And people want to get into our systems, to both influence us and threaten us," he said.

In Singapore, nearly 80 per cent of organisations have experienced a cyberattack, most committed by cyber criminals.

"'Hacktivists' and foreign actors have also used cyber to promote their agendas. Both political and ideological agendas," said Mr Shanmugam.

He noted that in October 2024, the government blocked 10 websites set up by foreign actors that were masquerading as Singapore websites.

These had the potential to be used for hostile information campaigns against Singapore, he said.

He also recalled last year's cyberattack involving over 2,700 devices in Singapore, including baby monitors and routers.

These devices were part of a global "botnet" comprising hundreds of everyday devices that could have been used to disrupt critical services.

Mr Shanmugam illustrated how a cyberattack could destabilise national security.

"Say there is a cyberattack on our power systems. They can disrupt our electricity supply. And the knock-on implications: other essential services, like water supply, transport, medical services – in fact, everything that depends on power, everything will be affected.

"There are economic implications. Banks, airport, industries would not be able to operate. Our economy can be substantially impacted."

Attacks on telco systems and payment systems can also have serious consequences and impact how Singapore does business, he added.

Singapore will have to reexamine its vendors and supply chains. "And if we decide that we cannot trust them, then we may choose not to use them," he said.



"At the same time, trust and confidence in Singapore as a whole can also be affected. Businesses may shy away if they are unsure about our systems, and whether the systems are clean, resilient, safe."

Mr Shanmugam said the government must be "realistic" about what it is up against.

"We are up against very sophisticated actors, some backed by countries with vast resources." These resources in manpower and technology are almost unlimited and can be deployed at a "formidable scale", he said.

"Even countries at the frontier of technology have not been able to prevent APT attacks on their systems.



"So realistically, we will have to accept that some attacks, at least, will get through," he said.

In the face of such threats, the government will have to continue to strengthen Singapore's cyberdefences and focus on preventing and containing threats, he said.