Critical infrastructure in Singapore under attack by cyber espionage group: Shanmugam

The Star

19-07-2025

SINGAPORE: The authorities are dealing with an ongoing attack on Singapore's critical information infrastructure by a state-sponsored cyber espionage group, UNC3886.
Naming the nation's attacker for the first time on Friday (July 18), Coordinating Minister for National Security K. Shanmugam said that Singapore is facing serious threats from state-linked advanced persistent threat (APT) actors.
These are well-resourced attackers that use sophisticated techniques to evade detection. They lurk in networks to spy over the long term, to steal sensitive information or disrupt essential services, among other objectives.
'UNC3886 poses a serious threat to us, and has the potential to undermine our national security,' said Shanmugam at the Cyber Security Agency of Singapore's (CSA) 10th anniversary dinner at Sands Expo and Convention Centre.
'Even as we speak, UNC3886 is attacking our critical infrastructure right now.'
Shanmugam, who is also Home Affairs Minister, did not disclose UNC3886's sponsors, but experts have said that the group is linked to China.
Cyber-security firm Mandiant first detected the Chinese espionage group in 2022. UNC3886 is said to have targeted prominent strategic organisations – including those in the defence, technology and telecommunication sectors – on a global scale.
APT hackers like UNC3886 gain unauthorised access into networks by employing techniques such as custom malware and tools available on the victim's system to evade detection.
Zero-day exploits, which are unpatched vulnerabilities, are also typically used to gain entry to networks.
Shanmugam said CSA and relevant agencies are actively dealing with the attack, and are working with relevant critical information infrastructure owners.
Describing UNC3886 as highly sophisticated and persistent in victim networks, he said: 'The intent of this threat actor in attacking Singapore is quite clear. They are going after high-value, strategic targets – vital infrastructure that delivers our essential services.
'If it succeeds, it can conduct espionage, and it can cause major disruption to Singapore and Singaporeans.'
Shanmugam said the number of suspected APT attacks in Singapore has increased more than fourfold from 2021 to 2024.
Illustrating how APTs seriously threaten national security, Shanmugam said a cyber attack on Singapore's power system could disrupt its electricity supply, which could have a knock-on effect on other essential services such as healthcare or transport.
'There are also economic implications. Our banks, airport and industries would not be able to operate. Our economy can be substantially affected,' he said.
Attacks on Singapore's telco systems and payment systems can have very serious consequences too, he added.
He said attacks on the nation's systems and infrastructure will impact how it does business, with Singapore having to relook its vendors and supply chains.
Trust and confidence in Singapore as a whole can also be affected, he added.
'Businesses may shy away if they are unsure about our systems – whether the systems are clean, resilient, safe,' he said.
Shanmugam cited APT attacks in Ukraine that caused a power outage. He also cited a cyber attack on a South Korean telecommunications company in April 2025 that exposed the SIM data of nearly 27 million users and caused widespread concern in the country.
'Singapore has been attacked as well. We are a relevant country geopolitically. We are a digital and data hub that connects the world,' he said. 'People want to get into our systems, to both influence us and threaten us.'
He highlighted some attacks from APT actors in Singapore that have been made public, but where the culprits were not named due to national security reasons.
These include an incident in 2014 when the authorities detected a security breach in the Ministry of Foreign Affairs' technology systems. Steps were taken to isolate the affected devices, and the networks were strengthened following the discovery.
In what was the first sophisticated attack against universities here, NUS and NTU discovered intrusions in their networks in 2017.
No classified data or student personal data was stolen. But the attackers were believed to have targeted the two institutions to steal government and research data. The universities were involved in government-linked projects for the defence, foreign affairs and transport sectors.
Then in 2018, Singapore experienced its worst data breach involving the personal particulars of 1.5 million patients, including then Prime Minister Lee Hsien Loong.
The attacker in the SingHealth breach was said to be persistent in its efforts to penetrate the network, bypass the security measures, and illegally access and exfiltrate data.
The attacker is believed to have lurked in the healthcare group's network for at least nine months. Its mission: to access SingHealth's electronic medical records system, which is critical information infrastructure in Singapore.
The unauthorised transfer of sensitive data took place in 2018.
Most recently in 2024, about 2,700 devices in Singapore were discovered to have been infected after CSA took part in a cyber operation against a global botnet.
APT hackers behind the botnet exploited poor cyber hygiene practices to infect devices, including baby monitors and internet routers. No critical information infrastructure was affected by the attack.
Shanmugam said Singapore has been and continues to be attacked by cyber threat actors.
He cited a survey which showed that nearly 80 per cent of organisations in Singapore have experienced some form of cyber attack.
At the event on July 18, CSA chief executive David Koh noted that cyberspace is contested, and that the agency is on the front line of this dynamic domain.
'We will continue to be agile, to adapt to emerging threats, and to demonstrate our collective will and commitment to secure Singapore's cyberspace,' he added. - The Straits Times/ANN