
Espionage actor UNC3886 detected in S'pore's critical infrastructure, Cybersecurity Agency of S'pore investigating

Nearly 80 per cent of organisations in Singapore have experienced a cyber attack, most of which are perpetrated by cybercriminals.


July 18, 2025, 07:46 PM


The Cybersecurity Agency of Singapore (CSA) has been investigating the activities of cyberthreat UNC3886, which have been detected in Singapore's Critical Information Infrastructure (CII).

UNC3886 is a China-linked cyber espionage actor that targets prominent strategic organisations globally.

According to a statement from CSA, CSA is leading investigations and is working closely with the relevant agencies and partners to support affected security.

CSA will continue to work with partners like CII Owners to strengthen the protection of Singapore's critical infrastructure.

The agency added that it will monitor all critical sectors and share threat intelligence, enabling them to take preventive measures.

"These attacks are often protracted campaigns and CSA will need to preserve operational security by not disclosing further information at this stage."

Intent is quite clear

Speaking at CSA's 10th Anniversary Dinner, Minister for Home Affairs and Coordinating Minister for National Security K Shanmugam described UNC3886 as a highly sophisticated threat actor that deploys advanced tools to compromise systems.

It is also capable of evading detection and maintaining persistent access in victim networks.

"The intent of this threat actor in attacking Singapore is quite clear.

It is going after high value strategic threat targets. Vital infrastructure that deliver essential services.

If it succeeds, it can conduct espionage and it can cause major disruption to Singapore and Singaporeans."

Shanmugam emphasised that UNC3886 poses a serious threat to Singapore and has the potential to compromise national security.

"Even as we speak, UNC3886 is attacking our Critical Infrastructure right now."

What is UNC3886?

UNC3886 is an Advanced Persistent Threat (APT) that focuses on geopolitical and economic espionage.

The UNC label stands for uncategorised or unclassified.

It deploys advanced tools to compromise systems and can evade detection, maintaining persistent access within its victim networks.

According to Mandiant, a cyber defence company, UNC3886 is a highly adept China-nexus cyber espionage group that historically targets network devices and virtualisation technologies with zero-day exploits, that is, attacks exploiting a previously unknown vulnerability before any remediation is available.

The group appears to focus mainly on defence, technology, and telecommunication organisations located in the U.S. and Asia.

It added that UNC3886 continued to prioritise stealth in its operations through the use of passive backdoors, along with log and forensics artifact tampering, indicating a focus on long-term persistence while minimising the risk of detection.

The group also targets internal networking infrastructure, including Internet Service Provider (ISP) routers, network authentication services such as the Terminal Access Controller Access-Control System (TACACS+), and terminal servers with access to the routers, to gain privileged initial access.

This allowed UNC3886 to enter the system and perform restricted operations.

Evades detection

Once in a system, UNC3886 has been observed to use advanced techniques to evade detection and maintain long-term access to compromised environments.

For example, they have been known to bypass traditional network protections such as firewalls and network detection and response solutions.

They have also been observed to deploy highly advanced malware that allows them to gain control of systems without being detected.

This is the conceptual equivalent of modifying CCTV feeds to erase their presence from the footage, so they can move around and conduct malicious activities undetected.

Nearly 80 per cent of organisations experience cyber attacks

Shanmugam also shared that Singapore has been attacked by cyber threats.

He said a survey showed nearly 80 per cent of organisations in Singapore have experienced a cyber attack, most of which are perpetrated by cybercriminals.

Shanmugam added that "hacktivists" and foreign actors have also used cyber to promote their political and ideological agendas, citing how the government blocked 10 inauthentic websites set up by foreign actors masquerading as Singapore websites that had the potential to be used for hostile information campaigns.

Shanmugam also pointed out that Singapore has been attacked by APT groups, noting that Singapore is geopolitically relevant and "people want to get into our systems, influence us, threaten us".

However, Shanmugam did not definitively state the name of any country linked to UNC3886.

The number of APT attacks in Singapore has increased: suspected APT-involved attacks on Singapore rose more than 4-fold from 2021 to 2024.

"The takeaway for all of us: Singapore has been, and Singapore continues to be under attack by APTs and foreign actors. They seriously threaten our national security."

Top photos via Hannah Martens/Mothership and Canva
