What is UNC3886? Inside the state-linked group attacking S'pore's critical information infrastructure

Singapore's critical information infrastructure has come under attack from cyber espionage group UNC3886.

A state-linked advanced persistent threat (APT) actor, it is a menace to national security in many countries, including Singapore.

Naming the nation's attacker for the first time on July 18, Coordinating Minister for National Security K. Shanmugam said: "UNC3886 poses a serious threat to us, and has the potential to undermine our national security. Even as we speak, UNC3886 is attacking our critical infrastructure right now."

What is UNC3886? Are essential services in Singapore safe from the attack? The Straits Times answers questions about the attack and APTs.

1. Who is UNC3886?

First detected in 2022 by cyber security firm Mandiant, UNC3886 is a China-linked cyber espionage group.

UNC3886's attempts are known to be persistent, with the intention of intelligence gathering and long-term spying.

The "UNC" label stands for "uncategorised" or "unclassified" as industry analysts have not formally classified it. "This does not mean that it is any less of a threat," said Mr Shanmugam.

2. How does UNC3886 operate?

Mr Vivek Chudgar, managing director of cyber security firm Mandiant Consulting in Asia Pacific and Japan, described UNC3886 as highly adept.

"UNC3886 operates in a sophisticated, cautious and evasive nature," he said, adding that the group largely focuses on defence, technology and telecommunication organisations in the US and Asia.

The Chinese espionage group is known to target network devices, virtualisation systems and critical information infrastructure with zero-day exploits.

Zero-day exploits are attacks that take advantage of security vulnerabilities in software that vendors have yet to develop patches for.

Unpatched vulnerabilities in the software of network devices, hypervisors, and virtual machines are typically harder to monitor, said Mr Chudgar.

UNC3886 also employs custom malware and tools available on the victim's system to evade detection.

Like other APT attackers, UNC3886 is persistent in that even if detected and removed from the network, it will attempt to re-enter the target networks.

3. What cyber attacks has UNC3886 been responsible for?

Mr Chudgar said UNC3886 has attacked organisations in the United States, Europe, and parts of Asia. Specifically, it has targeted sectors such as government, telecommunication, technology, aerospace, defense, energy and utility.

"UNC3886 poses a severe threat to national security for the organisations and the countries targeted," he added.

The Chinese espionage group has exploited vulnerabilities in routers from Juniper Networks, network security devices from Fortinet and virtual machines from VMware.

4. Are essential services in Singapore safe from the attack?

On July 18, the Cyber Security Agency said that UNC3886's activities have been detected in parts of Singapore's critical information infrastructure that power essential services.

"We have been investigating UNC3886's activities," said CSA, which is leading the investigations. The agency said it is monitoring all critical services sectors and sharing threat intelligence, but did not name the affected sectors.

Singapore's 11 critical services sectors are: energy, water, finance, healthcare, transport, government, infocomm, media as well as security and emergency services.

The agency is also working closely with other government bodies and partners to support the unnamed affected organisations.

CSA also did not say how long UNC3886 has been in the affected networks, saying instead: "These attacks are often protracted campaigns and CSA will need to preserve operational security by not disclosing further information at this stage."

5. What other APT attacks have hit Singapore?

In 2014, the authorities detected a security breach in the Ministry of Foreign Affairs' technology systems. Steps were taken to isolate the affected devices and the networks were strengthened following the discovery.

In what was the first sophisticated attack against universities here, National University of Singapore and the Nanyang Technological University discovered intrusions in their networks in 2017.

No classified data or student personal data was stolen. But the attackers were believed to have targeted the two institutions to steal government and research data. The varsities were involved in government-linked projects for the defence, foreign affairs and transport sectors.

Then in 2018, Singapore experienced its worst data breach involving the personal particulars of 1.5 million patients, including then Prime Minister Lee Hsien Loong.

The attacker in the SingHealth breach was said to be persistent in its efforts to penetrate the network, bypass the security measures and illegally access and exfiltrate data.

The attacker is believed to have lurked in the healthcare group's network for at least nine months. Its mission: to access SingHealth's electronic medical records system, a critical information infrastructure in Singapore. The unauthorised transfer of sensitive data took place in 2018.

Most recently in 2024, about 2,700 devices in Singapore were discovered to have been infected after CSA took part in a cyber operation against a global botnet.

APT hackers behind the botnet exploited poor cyber hygiene practices to infect devices, including baby monitors and internet routers. No critical information infrastructure was affected by the attack.