Why did Singapore name cyberthreat group UNC3886 and is it linked to China?

Minister K Shanmugam says Singapore is facing an advanced persistent threat from UNC3886, which is targeting its strategic targets

Coordinating Minister for National Security K Shanmugam says Singapore is facing an advanced persistent cyberthreat from a group called UNC3886. Photo: Reuters

Singapore has made a rare move to identify the UNC3886 cyberthreat group that it says is attacking local critical infrastructure.

UNC3886 has been identified by Google-owned cybersecurity firm Mandiant as a China-linked cyber espionage group, although Beijing’s embassy in Singapore has vehemently rejected the claim.

Singapore’s Coordinating Minister for National Security K Shanmugam said during a speech at the 10th anniversary of the Cyber Security Agency last Friday that from 2021 to last year, suspected advanced persistent threats against Singapore had increased more than fourfold. These threats often carried out state objectives, the minister noted.

Shanmugam, who is also home affairs minister, said one advanced persistent threat group Singapore was facing was UNC3886, which the industry had associated with cyberattacks against critical areas such as defence, telecommunications and technology organisations in the United States and Asia.

“The intent of this threat actor in attacking Singapore is quite clear. They are going after high value, strategic targets. Vital infrastructure that delivers our essential services. If it succeeds, it can conduct espionage, and it can cause major disruption to Singapore and Singaporeans,” he said, without naming the suspected country linked to UNC3886.

Less than a day after his speech, the minister posted that lottery numbers for 3886 in Singapore had been sold out. “I said Singaporeans need to know that UNC3886 is attacking us in cyberspace. And that it’s very serious. One reaction: No 3886 has been sold out for 4D today,” he wrote on social media.

Singapore has come under cyberattack in the past, most notably in the 2018 SingHealth data breach involving the personal particulars of 1.5 million patients, including then prime minister Lee Hsien Loong. However, the actors behind the attack were not identified.

Singapore’s data infrastructure has come under cyberattack in the past. Photo: Shutterstock

Asked by the media on Saturday if he was concerned about retaliation from China by calling out UNC3886, Shanmugam said: “As far as the Singapore government is concerned, we can say we are confident that it is this particular organisation. Who they are linked to, and how they operate, is not something I want to go into.”

In response to a question about the strategic advantage of Singapore naming the group, the minister said that the government thought Singaporeans ought to know where the attack was coming from.

Anthony Lim, director and senior research fellow at the think tank Centre for Strategic Cyberspace & International Studies, explained that UNC3886 was one of several cyberattack groups that targeted countries’ infrastructure.

While they had the ability to disrupt infrastructure, Lim said the group was likely after data and information. Their advanced techniques meant they were likely to be backed by a state, he added.

Media reports that UNC3886 was linked to China drew ire from the Chinese embassy in Singapore, as it called out local media outlets for citing “so-called information from a certain country’s cybersecurity company and claimed that this group is linked to China”.


“The Chinese government expresses its strong dissatisfaction with this and opposes any groundless smears and accusations against China. In fact, China is a major victim of cyberattacks,” said the embassy, noting that Beijing was against all forms of cyberattacks in accordance with the law.

Muhammad Faizal Abdul Rahman, a research fellow at the S. Rajaratnam School of International Studies in Singapore, pointed out that while Mandiant said it had technical data that connected UNC3886 to China, it was important to note the tense geopolitical environment.

Singapore has been highlighting cybersecurity as a key pillar of its defence and naming cyberthreat group UNC3886 is in line with this focus, an analyst says. Photo: Shutterstock

“It is possible that the Western cyber companies have some technical data to connect it to Chinese actors, but at the same time they are driven by some political necessity to make this connection,” Faizal said.

Nigel Inkster, senior adviser for cybersecurity and China at the International Institute for Strategic Studies, noted that despite Mandiant’s commercial interests in attracting more clients, it had been tracking the cyberattack group since 2022 and was therefore familiar with its tactics.

“This does not diminish a threat that is very real,” warned Inkster, expressing doubt that any other state actors would target Singapore in this manner.

“From a strategic perspective it isn’t hard to imagine that given Singapore’s relations with the US, other Western powers and Taiwan, China would have an interest in both exercising deterrence and also having the ability to sabotage critical infrastructure in the event of a conflict situation over Taiwan or the South China Sea,” Inkster said.

On why Singapore would call out the group, Faizal noted that the country had been drawing attention to cybersecurity as a key pillar of its total defence education, and naming the group would make clear to the public that the threat was real and not theoretical or simulated.

“If not, I think it’s quite difficult to convince people that there is an actual threat actor out there that is trying to endanger Singapore’s interests. So I think they made a call to substantiate to the people that it is a real issue, so that everybody will be more willing to do their part as citizens,” he said.

On an international level, Faizal pointed out that naming the actor showed that Singapore had the capability to detect the group.

“In the physical world, in order to show deterrence to prevent external powers from invading us, we can showcase our fighter jets, our tanks, our submarines,” Faizal said.

“In cyberspace, the only way to do that is to demonstrate that we can identify the actors and tell them that we have the ability to disrupt their attempt to disrupt our lives.”
