SINGAPORE: The recent disclosure that a cyber threat group, identified as UNC3886, was attacking critical infrastructure in Singapore took many by surprise.
The announcement was made by Coordinating Minister for National Security and Minister for Home Affairs K Shanmugam during a speech at the 10th anniversary of the country’s Cyber Security Agency (CSA) last Friday (Jul 18). He warned that Singapore was actively dealing with a "highly sophisticated threat actor" capable of conducting espionage and “major disruption to Singapore and Singaporeans”.
UNC3886 has been described by Google-owned cybersecurity company Mandiant as a group with a China nexus. Understandably, the Chinese embassy in Singapore was dissatisfied that UNC3886 was described as being linked to China.
One question that may intrigue readers more was why the minister did not link UNC3886 to a particular country. Was this a perfunctory attempt to publicly attribute a cyber threat, or was it a policy decision by Singapore based on careful strategic calculations?
In his announcement, it was apparent that Mr Shanmugam deliberately focused on only naming the threat group, rather than directly pointing to any country. When he was asked the following day about UNC3886's alleged links to China, he said this was "speculative".
"What Mandiant does is what Mandiant does ... Who they (UNC3886) are linked to and how they operate is not something I want to go into," he said.
Past cases suggest that when it comes to cyberattacks, Singapore prefers technical attribution over political attribution. The former is based on forensic evidence of tactics, while the latter is based on intelligence to name and shame a country.
Without direct state attribution, it is often the media and analysts who examine potential links and broader implications as part of their reporting and analysis.
For example, when Singapore telecommunications company Singtel disclosed a malware attack in November 2024, it was a Bloomberg report that attributed it to Volt Typhoon, a group allegedly sponsored by China.
Similarly, when Singapore blocked roughly 100 social media accounts for circulating disinformation in July 2024, including those linked to a right-wing group created by former Donald Trump adviser Steve Bannon, it made no mention of the United States.
During peacetime, technical attribution offers a more pragmatic way to deter cyber threats. Cyberspace is a complex environment, and non-state threat groups, which may or may not act on the behest of a state, are the dominant actors there. This method allows authorities to expose threat groups without directly shaming the country from which they may be operating.
Arguably, not shaming the country where the threat group operates from could risk emboldening future attacks and invite scrutiny from security partners who expect transparency. More importantly, it may make public education about the seriousness of cyber threats more challenging. The public may not understand the full context, for example, of the motivation or geopolitical implications of an attack.
While Singapore avoids attributing cyber threats to specific states, naming and shaming is the preferred approach for many Western countries and some of their Asian allies, particularly those that view China as a preeminent threat.
For countries not directly involved in adversarial relations or those that pursue a foreign policy of non-alignment, it may be more prudent to deter cyber threats without exacerbating geopolitical animosity. The cost of escalation may be too high a risk to bear. Moreover, it remains debatable whether naming and shaming helps to curb cyber threats in a meaningful way.
In Singapore’s context, there could also be other plausible strategic considerations.
First, Singapore is a cosmopolitan country made up of locally born citizens, naturalised citizens and foreigners. Social cohesion is the glue that keeps its people together and maintains communal harmony. Publicly identifying another country as a threat carries the risk of fuelling racism and xenophobia, including Sinophobia.
For example, in 2021, the fear that the Singapore-India Comprehensive Economic Cooperation Agreement (CECA) posed a threat to the livelihood of citizens raised the ugly head of xenophobia.
Second, there is an observable trend in which Western cybersecurity companies often attribute cyber threat groups to China following incidents involving Western digital networks. Even if there is forensic evidence to link these groups to China, these companies often hold contracts with the US government, creating both commercial and political incentives to focus blame on China.
If Singapore is seen as endorsing these companies' attributions, it risks making the impression that Singapore has shifted its foreign policy of non-alignment and is siding with the US in the strategic rivalry with China, which involves cyber contestation.
Third, while Singapore and China may have differing views on certain issues, both countries at the political level are keen to deepen their bilateral relations. During an official visit to Beijing in September 2024, Singapore Foreign Affairs Minister Vivian Balakrishnan described Singapore-China relations as a “very bright spot” in a more volatile and less predictable world. Such a world is even less black and white, and similar to dealing with the US tariff threat, countries must find a balance between resisting compulsion and promoting cooperation.
It is prudent not to let one issue define the overall state of bilateral relations.
Furthermore, Singapore is a member of the Association of Southeast Asian Nations (ASEAN), and China is a dialogue partner of ASEAN. One essential area where ASEAN and China are cooperating is the signing of the ASEAN-China Free Trade Area (ACFTA) 3.0 in October 2025, aimed at building economic resilience. ASEAN countries, therefore, need to consider both national and regional interests.
In the same vein, the overall state of bilateral relations - as well as factors such as motivation, attack impact and international law - would determine how Singapore responds to cyber threats originating from other countries.
The world is witnessing a growing militarisation of cyberspace where countries in the West, Middle East and Asia are developing military cyber capabilities. Some may be more willing to conduct offensive cyber operations if their interests with Singapore diverge.
However, these considerations do not necessarily preclude non-aligned countries like Singapore from naming and shaming any country as a cyber threat actor should the situation justify it.
A careful examination of what constitutes Singapore’s most vital national interests may provide insight into how and when such a shift in posture might occur.
Plausible scenarios could include external military threats operating in both physical and cyberspace domains, as well as a cyberattack that is not for espionage purposes but creates a disruptive impact that endangers the lives of people in Singapore.
For example, imagine a scenario where Singapore faces military coercion and concurrently a cyberattack by a state-linked threat actor that shuts down the digital infrastructure and electrical systems of hospitals nationwide, resulting in deaths.
These are extreme scenarios that, hopefully, Singapore will never have to deal with but must prepare for in the unlikely event that they occur.
Muhammad Faizal Abdul Rahman is a Research Fellow (Regional Security Architecture Programme) with the Institute of Defence and Strategic Studies (IDSS) at S Rajaratnam School of International Studies (RSIS). The views expressed in this commentary are those of the author’s and do not represent the views of any organisation.
Continue reading...
The announcement was made by Coordinating Minister for National Security and Minister for Home Affairs K Shanmugam during a speech at the 10th anniversary of the country’s Cyber Security Agency (CSA) last Friday (Jul 18). He warned that Singapore was actively dealing with a "highly sophisticated threat actor" capable of conducting espionage and “major disruption to Singapore and Singaporeans”.
UNC3886 has been described by Google-owned cybersecurity company Mandiant as a group with a China nexus. Understandably, the Chinese embassy in Singapore was dissatisfied that UNC3886 was described as being linked to China.
One question that may intrigue readers more was why the minister did not link UNC3886 to a particular country. Was this a perfunctory attempt to publicly attribute a cyber threat, or was it a policy decision by Singapore based on careful strategic calculations?
In his announcement, it was apparent that Mr Shanmugam deliberately focused on only naming the threat group, rather than directly pointing to any country. When he was asked the following day about UNC3886's alleged links to China, he said this was "speculative".
"What Mandiant does is what Mandiant does ... Who they (UNC3886) are linked to and how they operate is not something I want to go into," he said.
TECHNICAL VS POLITICAL ATTRIBUTION
Past cases suggest that when it comes to cyberattacks, Singapore prefers technical attribution over political attribution. The former is based on forensic evidence of tactics, while the latter is based on intelligence to name and shame a country.
Without direct state attribution, it is often the media and analysts who examine potential links and broader implications as part of their reporting and analysis.
For example, when Singapore telecommunications company Singtel disclosed a malware attack in November 2024, it was a Bloomberg report that attributed it to Volt Typhoon, a group allegedly sponsored by China.
Similarly, when Singapore blocked roughly 100 social media accounts for circulating disinformation in July 2024, including those linked to a right-wing group created by former Donald Trump adviser Steve Bannon, it made no mention of the United States.
During peacetime, technical attribution offers a more pragmatic way to deter cyber threats. Cyberspace is a complex environment, and non-state threat groups, which may or may not act on the behest of a state, are the dominant actors there. This method allows authorities to expose threat groups without directly shaming the country from which they may be operating.
Arguably, not shaming the country where the threat group operates from could risk emboldening future attacks and invite scrutiny from security partners who expect transparency. More importantly, it may make public education about the seriousness of cyber threats more challenging. The public may not understand the full context, for example, of the motivation or geopolitical implications of an attack.
Related:
WHY NAMING WITHOUT SHAMING
While Singapore avoids attributing cyber threats to specific states, naming and shaming is the preferred approach for many Western countries and some of their Asian allies, particularly those that view China as a preeminent threat.
For countries not directly involved in adversarial relations or those that pursue a foreign policy of non-alignment, it may be more prudent to deter cyber threats without exacerbating geopolitical animosity. The cost of escalation may be too high a risk to bear. Moreover, it remains debatable whether naming and shaming helps to curb cyber threats in a meaningful way.
In Singapore’s context, there could also be other plausible strategic considerations.
First, Singapore is a cosmopolitan country made up of locally born citizens, naturalised citizens and foreigners. Social cohesion is the glue that keeps its people together and maintains communal harmony. Publicly identifying another country as a threat carries the risk of fuelling racism and xenophobia, including Sinophobia.
For example, in 2021, the fear that the Singapore-India Comprehensive Economic Cooperation Agreement (CECA) posed a threat to the livelihood of citizens raised the ugly head of xenophobia.
Second, there is an observable trend in which Western cybersecurity companies often attribute cyber threat groups to China following incidents involving Western digital networks. Even if there is forensic evidence to link these groups to China, these companies often hold contracts with the US government, creating both commercial and political incentives to focus blame on China.
If Singapore is seen as endorsing these companies' attributions, it risks making the impression that Singapore has shifted its foreign policy of non-alignment and is siding with the US in the strategic rivalry with China, which involves cyber contestation.
Related:
Third, while Singapore and China may have differing views on certain issues, both countries at the political level are keen to deepen their bilateral relations. During an official visit to Beijing in September 2024, Singapore Foreign Affairs Minister Vivian Balakrishnan described Singapore-China relations as a “very bright spot” in a more volatile and less predictable world. Such a world is even less black and white, and similar to dealing with the US tariff threat, countries must find a balance between resisting compulsion and promoting cooperation.
It is prudent not to let one issue define the overall state of bilateral relations.
Furthermore, Singapore is a member of the Association of Southeast Asian Nations (ASEAN), and China is a dialogue partner of ASEAN. One essential area where ASEAN and China are cooperating is the signing of the ASEAN-China Free Trade Area (ACFTA) 3.0 in October 2025, aimed at building economic resilience. ASEAN countries, therefore, need to consider both national and regional interests.
In the same vein, the overall state of bilateral relations - as well as factors such as motivation, attack impact and international law - would determine how Singapore responds to cyber threats originating from other countries.
The world is witnessing a growing militarisation of cyberspace where countries in the West, Middle East and Asia are developing military cyber capabilities. Some may be more willing to conduct offensive cyber operations if their interests with Singapore diverge.
Related:
WHEN NAMING MIGHT BE NECESSARY
However, these considerations do not necessarily preclude non-aligned countries like Singapore from naming and shaming any country as a cyber threat actor should the situation justify it.
A careful examination of what constitutes Singapore’s most vital national interests may provide insight into how and when such a shift in posture might occur.
Plausible scenarios could include external military threats operating in both physical and cyberspace domains, as well as a cyberattack that is not for espionage purposes but creates a disruptive impact that endangers the lives of people in Singapore.
For example, imagine a scenario where Singapore faces military coercion and concurrently a cyberattack by a state-linked threat actor that shuts down the digital infrastructure and electrical systems of hospitals nationwide, resulting in deaths.
These are extreme scenarios that, hopefully, Singapore will never have to deal with but must prepare for in the unlikely event that they occur.
Muhammad Faizal Abdul Rahman is a Research Fellow (Regional Security Architecture Programme) with the Institute of Defence and Strategic Studies (IDSS) at S Rajaratnam School of International Studies (RSIS). The views expressed in this commentary are those of the author’s and do not represent the views of any organisation.
Continue reading...