SINGAPORE: While naming a specific country linked to cyber threat group UNC3886 is not in Singapore’s interest at this point in time, the attack was still serious enough for the government to let the public know about the group, said Coordinating Minister for National Security and Minister for Home Affairs K Shanmugam on Friday (Aug 1).
Speaking to reporters on the side of the Cyber Security Agency of Singapore’s (CSA) Exercise Cyber Star, the national cybersecurity crisis management exercise, Mr Shanmugam said that when it comes to naming any country responsible for a cyber attack, “we always think about it very carefully”.
Responding to a question from CNA on reports tying the group to China, Mr Shanmugam said: “Media coverage (and) industry experts all attribute UNC3886 to some country … Government does not comment on this.
“We release information that we assess is in the public interest. Naming a specific country is not in our interest at this point in time.”
UNC3886 has been described by Google-owned cybersecurity firm Mandiant as a "China-nexus espionage group" that has targeted prominent strategic organisations on a global scale.
Mr Shanmugam had announced on Jul 18 that Singapore is actively dealing with a "highly sophisticated threat actor" that is attacking critical infrastructure, identifying the entity as UNC3886 without disclosing if it was a state-linked actor.
He said the threat actor poses a serious danger to Singapore and could undermine the country's national security, and added that it was not in Singapore's security interests to disclose further details of the attack then.
When asked the following day about UNC3886's alleged links to China and possible retaliation for naming them, Mr Shanmugam, who is also Home Affairs Minister, said this was "speculative".
"Who they are linked to and how they operate is not something I want to go into," he said.
Responding to media reports in a Jul 19 Facebook post, the Chinese embassy in Singapore expressed its "strong dissatisfaction" at the claims linking the country to UNC3886, stating that they were "groundless smears and accusations against China".
“In fact, China is a major victim of cyberattacks," it wrote.
"The embassy would like to reiterate that China is firmly against and cracks down (on) all forms of cyberattacks in accordance with law. China does not encourage, support or condone hacking activities."
On Friday, Mr Shanmugam also gave his reasons for disclosing the identity of threat actors like UNC3886.
“We look at the facts of each case (and) the degree of confidence we have before we can name. And when we decide to name the threat actor, we look at whether it is in Singapore's best interest,” said Mr Shanmugam, who is also the home affairs minister.
In this case, the threat, attack and compromise to Singapore’s infrastructure was “serious enough” and the government was confident enough to name UNC3886 as the perpetrators, he said.
“Here, we said this is serious. They have gotten in. They are compromising a very serious critical infrastructure. Singaporeans ought to know about it, and awareness has got to increase. And because of the seriousness, it is in the public interest for us to disclose,” said Mr Shanmugam.
Mr Shanmugam was accompanied at Friday’s exercise by Minister for Digital Development and Information Josephine Teo, who is also Minister-in-Charge of Cybersecurity.
Held at the Singapore Institute of Technology in Punggol, the exercise saw teams from critical sector organisations tackle cybersecurity challenges based on key threats, such as advanced persistent threats (APTs) and attacks on critical systems.
APTs are a type of prolonged cyberattack typically carried out by well-resourced threat actors.
Coordinating Minister for National Security and Minister for Home Affairs K Shanmugam and Minister for Digital Development and Information Josephine Teo watching a live technical demonstration of an exhibit at Exercise Cyber Star at Singapore Institute of Technology on Aug 1, 2025. (Photo: CNA/Jeremy Long)
“There’re close to about 500 participants today. They come together, put a face to a name, exercise real life scenarios, things which have happened elsewhere,” said Mr Shanmugam, emphasising that such incidents are “not theoretical”.
During the event, Mr Shanmugam was shown a demonstration of an attack on a port, where crane operations were paralysed and energy supply was cut off.
He was also briefed on the response plan for when the public transport system gets attacked, with millions of people commuting and the fare systems are targeted.
“You have to exercise, you have to bring people together. Government has got a high level of knowledge.”
The private sector, meanwhile, is focused on getting things done for their business, he added.
“Now, they need their knowledge and abilities to also increase. So we've got to work together,” said Mr Shanmugam.
Mrs Teo had announced earlier this week that owners of Singapore's critical information infrastructure will, from later this year, be required to report to CSA any incidents suspected to be caused by APTs.
Mr David Koh, chief executive of CSA, said: “With cyberattacks increasing in frequency and sophistication, it is important for the government to work closely with Singapore’s critical sectors and companies to enhance crisis response capabilities and ensure the continual delivery of essential services.
“Malicious actors have targeted Singapore and will continue to do so. Hence, we need to be prepared to respond to such threats.“
Continue reading...
Speaking to reporters on the side of the Cyber Security Agency of Singapore’s (CSA) Exercise Cyber Star, the national cybersecurity crisis management exercise, Mr Shanmugam said that when it comes to naming any country responsible for a cyber attack, “we always think about it very carefully”.
Responding to a question from CNA on reports tying the group to China, Mr Shanmugam said: “Media coverage (and) industry experts all attribute UNC3886 to some country … Government does not comment on this.
“We release information that we assess is in the public interest. Naming a specific country is not in our interest at this point in time.”
UNC3886 has been described by Google-owned cybersecurity firm Mandiant as a "China-nexus espionage group" that has targeted prominent strategic organisations on a global scale.
Mr Shanmugam had announced on Jul 18 that Singapore is actively dealing with a "highly sophisticated threat actor" that is attacking critical infrastructure, identifying the entity as UNC3886 without disclosing if it was a state-linked actor.
He said the threat actor poses a serious danger to Singapore and could undermine the country's national security, and added that it was not in Singapore's security interests to disclose further details of the attack then.
When asked the following day about UNC3886's alleged links to China and possible retaliation for naming them, Mr Shanmugam, who is also Home Affairs Minister, said this was "speculative".
"Who they are linked to and how they operate is not something I want to go into," he said.
Responding to media reports in a Jul 19 Facebook post, the Chinese embassy in Singapore expressed its "strong dissatisfaction" at the claims linking the country to UNC3886, stating that they were "groundless smears and accusations against China".
“In fact, China is a major victim of cyberattacks," it wrote.
"The embassy would like to reiterate that China is firmly against and cracks down (on) all forms of cyberattacks in accordance with law. China does not encourage, support or condone hacking activities."
On Friday, Mr Shanmugam also gave his reasons for disclosing the identity of threat actors like UNC3886.
“We look at the facts of each case (and) the degree of confidence we have before we can name. And when we decide to name the threat actor, we look at whether it is in Singapore's best interest,” said Mr Shanmugam, who is also the home affairs minister.
In this case, the threat, attack and compromise to Singapore’s infrastructure was “serious enough” and the government was confident enough to name UNC3886 as the perpetrators, he said.
“Here, we said this is serious. They have gotten in. They are compromising a very serious critical infrastructure. Singaporeans ought to know about it, and awareness has got to increase. And because of the seriousness, it is in the public interest for us to disclose,” said Mr Shanmugam.
ATTACKS HAVE HAPPENED ELSEWHERE
Mr Shanmugam was accompanied at Friday’s exercise by Minister for Digital Development and Information Josephine Teo, who is also Minister-in-Charge of Cybersecurity.
Held at the Singapore Institute of Technology in Punggol, the exercise saw teams from critical sector organisations tackle cybersecurity challenges based on key threats, such as advanced persistent threats (APTs) and attacks on critical systems.
APTs are a type of prolonged cyberattack typically carried out by well-resourced threat actors.
Coordinating Minister for National Security and Minister for Home Affairs K Shanmugam and Minister for Digital Development and Information Josephine Teo watching a live technical demonstration of an exhibit at Exercise Cyber Star at Singapore Institute of Technology on Aug 1, 2025. (Photo: CNA/Jeremy Long)
“There’re close to about 500 participants today. They come together, put a face to a name, exercise real life scenarios, things which have happened elsewhere,” said Mr Shanmugam, emphasising that such incidents are “not theoretical”.
During the event, Mr Shanmugam was shown a demonstration of an attack on a port, where crane operations were paralysed and energy supply was cut off.
He was also briefed on the response plan for when the public transport system gets attacked, with millions of people commuting and the fare systems are targeted.
“You have to exercise, you have to bring people together. Government has got a high level of knowledge.”
The private sector, meanwhile, is focused on getting things done for their business, he added.
“Now, they need their knowledge and abilities to also increase. So we've got to work together,” said Mr Shanmugam.
Mrs Teo had announced earlier this week that owners of Singapore's critical information infrastructure will, from later this year, be required to report to CSA any incidents suspected to be caused by APTs.
Mr David Koh, chief executive of CSA, said: “With cyberattacks increasing in frequency and sophistication, it is important for the government to work closely with Singapore’s critical sectors and companies to enhance crisis response capabilities and ensure the continual delivery of essential services.
“Malicious actors have targeted Singapore and will continue to do so. Hence, we need to be prepared to respond to such threats.“
Continue reading...