
Singapore under ongoing cyber attack from APT group
Nation-state actor UNC3886 is actively targeting Singapore’s critical national infrastructure in a sophisticated espionage and disruption campaign, with the government mounting a whole-of-government response
Singapore is currently defending against a “serious and ongoing” cyber attack targeting its critical infrastructure, perpetrated by a highly sophisticated group known as UNC3886.
The disclosure came from Singapore’s coordinating minister for national security and minister for home affairs, K Shanmugam, who publicly named the attacker for the first time during a speech at the Cyber Security Agency of Singapore’s (CSA) 10th anniversary dinner on 18 July 2025.
“Even as we speak, UNC3886 is attacking our critical infrastructure right now,” Shanmugam said, underscoring the live nature of the threat. He described the group as an advanced persistent threat (APT), a class of cyber actors known to be well-resourced and typically acting on state objectives to steal sensitive data and disrupt essential services like power, water, transport and telecommunications.
The minister warned that a successful breach could lead to widespread consequences. “If it succeeds, it can conduct espionage, and it can cause major disruption to Singapore and Singaporeans,” he said, adding that the attack has the potential to undermine Singapore’s national security. A compromise of the power grid, for example, could trigger cascading failures across water supplies, medical services and the economy, affecting everything from banks to airports.
While Shanmugam did not formally attribute UNC3886 to any country, threat intelligence firm Mandiant, owned by Google, has previously identified the group as a China-nexus espionage group. The Chinese Embassy in Singapore has since expressed “strong dissatisfaction” with media reports linking the group to China, calling the claims “groundless smears and accusations”.
In response to the attack, the CSA is leading a whole-of-government effort, working with the Singapore Armed Forces, the Ministry of Defence, and owners of critical information infrastructure to manage the incident.
Industry experts have weighed in on the nature of the threat actor and the significance of Singapore's public disclosure.
“By identifying the group, Singapore demonstrates that it has the capability to detect and track even the most advanced threat actors,” said Santiago Pontiroli, lead researcher at Acronis’ threat research unit. This action serves as a deterrent, reassures public and private sector partners, and creates urgency for infrastructure operators to secure their systems, he added.
UNC3886 is known for its stealth and sophistication, targeting components of IT infrastructure that often lack robust security monitoring. The “UNC” in UNC3886 stands for “uncategorised”, the designation Mandiant gives to a cluster of intrusion activity with consistent tooling and methods that has not yet been attributed to a formally named group.
Pontiroli noted that UNC3886’s primary objective appears to be long-term, strategic intelligence gathering rather than immediate disruption or financial gain. By compromising infrastructure that is typically under-monitored, UNC3886 seeks to establish deep, persistent access to high-value networks.
The group is known for exploiting zero-day vulnerabilities in products from Fortinet, VMware and Juniper Networks to gain initial access and maintain persistence. Its tactics include deploying open-source rootkits such as Reptile and Medusa to stay hidden and harvest credentials, giving it long-term access with a low risk of detection. Firewalls, hypervisors and routers of this kind typically cannot run endpoint detection agents, so defenders depend on vendor integrity checks, out-of-band log collection and network-level monitoring to spot a compromise.
Pontiroli warned that the incident underscores a critical weakness in modern cyber security: the systems “in between” that attackers are increasingly targeting, such as hypervisors, routers and operational technology (OT), which often fall outside the scope of traditional monitoring. Addressing this will require a unified cyber security strategy that spans both IT and OT environments.
As Singapore continues to fend off the threat from UNC3886, Shanmugam has indicated that the authorities will update the Cybersecurity Act to grant more powers to deal with cyber threats. Beyond critical infrastructure owners, CSA will continue to help companies improve their cyber security posture, and on the international stage, Singapore will continue to do its part to preserve a secure and rules-based cyber space, he added.