Cyber group UNC3886 has nothing to do with China: China embassy

China does not encourage, support or condone such attacks, an embassy spokesperson said.

July 19, 2025, 05:23 PM

UNC3886, a cyber espionage actor which targets prominent strategic organisations globally, has nothing to do with China, according to a spokesperson from the Chinese embassy in Singapore.

The spokesperson also said China was strongly dissatisfied with being supposedly "smeared without basis" and added that the country was opposed to any form of cyber attacks, in accordance with the law, Lianhe Zaobao reported.

The embassy's remarks followed a statement from the Cybersecurity Agency of Singapore (CSA), which said that the activities of UNC3886 have been detected in Singapore's Critical Information Infrastructure (CII).

However, neither the CSA nor Coordinating Minister for National Security K Shanmugam mentioned China in their remarks on the UNC3886 case.

Spokesperson: China is also a victim of cyberattacks

The spokesperson said the statement is in response to reports from the Singaporean media that linked UNC3886 to China.

It added that the media quoted information from a "certain country's" cybersecurity company in linking the espionage group to China.

The spokesperson said China expresses "strong dissatisfaction" with this and pointed out that China is also one of the "main victims" of cyberattacks.

The country also does not encourage, support or condone such attacks, the spokesperson said.

"Cybersecurity is a global challenge. China is willing to continue to cooperate with all parties, including Singapore, to jointly maintain cyberspace security," the spokesperson added.

Earlier on Jul. 18, at CSA's 10th Anniversary Dinner, Minister for Home Affairs and Coordinating Minister for National Security K Shanmugam described UNC3886 as a highly sophisticated threat actor that deploys advanced tools to compromise systems.

He elaborated that UNC3886 has been detected in Singapore's systems and represents a significant threat to our critical infrastructure.

The CSA is working with the relevant partners to boost Singapore's defence against such threats.

However, Shanmugam did not state the name of any country linked to UNC3886.

What is UNC3886?

UNC3886 is an Advanced Persistent Threat (APT) that focuses on geopolitical and economic espionage.

The UNC label stands for uncategorised or unclassified.

It deploys advanced tools to compromise systems and can evade detection, maintaining persistent access within its victim networks.

According to Mandiant, a cyber defence company, UNC3886 is a highly adept China-nexus cyber espionage group that historically targets network devices and virtualisation technologies with zero-day exploits, that is, attacks that exploit a previously unknown vulnerability before any remediation is available.

The group appears to focus mainly on defence, technology, and telecommunication organisations located in the U.S. and Asia.

It added that UNC3886 continued to prioritise stealth in its operations through the use of passive backdoors, along with log and forensics artifact tampering, indicating a focus on long-term persistence while minimising the risk of detection.

The group also targets internal networking infrastructure, including Internet Service Provider (ISP) routers, network authentication services such as the Terminal Access Controller Access-Control System (TACACS+), and terminal servers with access to the routers, to gain privileged initial access.

This allowed UNC3886 to enter the system and perform restricted operations.

Evades detection

Once in a system, UNC3886 has been observed to use advanced techniques to evade detection and maintain long-term access to compromised environments.

For example, they have been known to bypass traditional network protections such as firewalls and network detection and response solutions.

They have also been observed to deploy highly advanced malware that allows them to gain control of systems without being detected.

This is the conceptual equivalent of modifying CCTV feeds to erase their presence from the footage, so they can move around and conduct malicious activities undetected.

Top image via Canva
