Opening Speech by Mr K Shanmugam, Coordinating Minister for National Security and Minister for Home Affairs, at CSA 10th Anniversary Dinner
19 July 2025
TRANSCRIPT OF OPENING SPEECH BY MR K SHANMUGAM, COORDINATING MINISTER FOR NATIONAL SECURITY AND MINISTER FOR HOME AFFAIRS, AT CSA’S 10TH ANNIVERSARY DINNER, “THE NEXT 10 YEARS: SECURING OUR CYBERSPACE AND DIGITAL FUTURE”, 18 JUL 2025
Mr Teo Chee Hean, Senior Advisor, PMO
Mrs Josephine Teo, Minister for Digital Development and Information, and Minister-in-charge of Cybersecurity and Smart Nation
Mr Tan Kiat How, Senior Minister of State, MDDI
Mr David Koh, Commissioner of Cybersecurity and Chief Executive of the Cyber Security Agency of Singapore (CSA),
Distinguished Guests, Ladies and Gentlemen,
Very good evening to all of you.
1. We are here to celebrate the Cyber Security Agency’s (CSA) 10th Anniversary. In the last 10 years, CSA has made significant progress.
CSA’s Formation
2. 10 years ago, Singapore was just starting on its Smart Nation journey. We were exploring how digital technology can transform our economy and our way of life.
3. We knew then – we already had then, various malicious actors, cyber criminals, and they were exploiting cyberspace. There were state-linked actors who were conducting attacks against a wide array of targets, including critical information infrastructure (or CII); and data breaches, website defacement by hacktivist groups.
4. Some of you will remember the cyber attacks by the hacktivist group called Anonymous. They defaced several government websites.
5. It was clear that we needed to go digital. But we also needed to do so in a manner that was safe and secure.
6. So, we set up CSA. It was, and is, a dedicated national authority, with centralised oversight of Singapore’s cybersecurity.
7. CSA was placed under the Prime Minister’s Office.
8. That reflected the national importance of cybersecurity, and that gave CSA a clear mandate to drive policy, and to coordinate efforts both in peacetime and during a crisis.
9. CSA was managed by MDDI, because it would need to work with the digital industry, and MDDI engages the digital industry.
10. Officers from security agencies including MINDEF and MHA were seconded to CSA. Many are here today, including founding and continuing Chief Executive David Koh.
11. 10 years on, CSA has grown from its founding group of about 70 officers; today, to almost 500 officers. It has developed crucial partnerships both domestically and internationally; and it has significantly raised the cybersecurity posture of Singapore.
12. I think we can say: well done to CSA, its management, and its officers; and I think they deserve a round of applause.
A More Dangerous World
13. The world today, if anything, has even more dangers in cyberspace, compared to 10 years ago.
14. Malicious cyber actors are using new technologies. Cyber criminals are using AI to generate phishing emails and develop malware.
15. It is no longer enough to only guard our most critical systems. Potential targets have increased. They include external vendors, suppliers, service providers along the entire supply chain. Even residential devices, like home routers, IP cameras, are now being exploited by cyber attackers.
16. And that is in parallel with the tensions which are rising around the world. Conflicts in the physical domain today are always accompanied by attacks in the digital domain. Both state and non-state actors have launched several attacks on critical infrastructure.
Malicious Cyber Activity in Singapore
17. Singapore has not been spared. We have been and we continue to be attacked by cyber threat actors.
18. A survey showed that nearly 80% of organisations have experienced some form of cyber attack. And most of these are by cyber criminals at relatively low level. For example, earlier this year, Toppan Next Tech experienced a ransomware attack. Customer information from financial institutions was extracted.
19. ‘Hacktivists’ and foreign actors have also used cyber to promote their agendas. Agendas – both political and ideological agendas.
20. In October last year, the Government blocked 10 inauthentic websites. These had been set up by foreign actors and they were masquerading as Singapore websites. And the websites, in our assessment, had the potential to be used for Hostile Information Campaigns against us and our interests.
Advanced Persistent Threats
21. But moving on, tonight, I would like to speak about a very serious matter, a particular category of cyber threats.
22. They are known as Advanced Persistent Threats, or APTs.
23. APTs are highly sophisticated and well-resourced actors.
24. They typically act on State objectives. They steal sensitive information, they disrupt essential services.
25. APT groups have been identified from Sandworm, “Typhoons” cluster.
26. They attack critical infrastructure like healthcare, telcos, water, transport, power.
27. If you look at the example of Ukraine, cyber attacks were launched and caused a power outage. And the cyber attacks coincided with massive missile strikes.
28. In April 2025, this year, there was a cyber attack on SK Telecom. SK Telecom is a major South Korean telecommunications company. The attack exposed the SIM data of nearly 27 million users. It caused widespread concern across South Korea.
29. Singapore has been attacked as well. We are a relevant country geopolitically. We are a digital and data hub that connects the world. People want to get into our systems, to both influence us and threaten us.
30. There have been several attacks. We don’t make all of them public for National Security Reasons.
31. I will refer to some of these attacks, to give a sense of the threat.
32. More than 10 years ago in 2014, an attacker likely linked to a foreign Government gained access into MFA’s IT systems. The attacker tried to steal sensitive information.
33. In 2017, an APT likely linked to a foreign Government breached the IT networks of NUS and NTU. The objective was probably to steal information related to Government and research.
34. In 2018, attackers likely linked to a foreign Government infiltrated SingHealth’s system and stole more than 1.5 million patient records.
35. Last year, attackers likely linked to foreign Government infected over 2,700 Singapore devices, such as baby monitors and routers.
36. These devices formed part of a global botnet. It comprised hundreds of thousands of everyday devices.
37. This botnet could have been used to disrupt critical services.
38. And we do have to recognise that, of course, these sorts of activities are not confined to the digital sphere. We have also been consistently targeted in the physical world since our independence, and even before independence. In simple language: our people are targeted, recruited, to work for foreign Governments. There are also constant attempts to influence Singaporeans in a variety of ways. Some will recall, in 2017, we identified an “agent of influence” of a foreign country, and his permanent residence (PR) status was revoked.
39. Now I have shared a very small number of examples of the cyber attacks, attempts to influence, that we have been dealing with.
40. There are several more that we have not disclosed publicly for national security reasons, as I have said.
41. What I can say is that the number of APT attacks has been increasing. In four years, from 2021 to 2024, suspected APT attacks on Singapore increased more than four-fold.
42. I listed some of the APT incidents in Singapore, in an Annex to my speech.
43. One of the APT groups conducting such attacks is UNC3886.
44. The “UNC” label stands for “uncategorised” or “unclassified”.
45. It simply means that industry analysts have not formally classified it but that does not mean it is any less of a threat.
46. The industry has identified UNC3886 as a highly sophisticated threat actor. It deploys advanced tools to compromise systems.
47. It is also able to evade detection and maintain persistent access in victim networks.
48. Industry has associated UNC3886 with cyber attacks against critical areas, such as defence, telcos, and technology organisations in the United States and in Asia.
49. The intent of this threat actor in attacking Singapore is quite clear. They are going after high value, strategic targets. Vital infrastructure that delivers our essential services. If it succeeds, it can conduct espionage, and it can cause major disruption to Singapore and Singaporeans.
50. UNC3886 poses a serious threat to us, and has the potential to undermine our national security.
51. Even as we speak, UNC3886 is attacking our Critical Infrastructure, right now.
52. CSA and relevant agencies are actively dealing with the attack and they are working with the relevant CII owners.
53. It is not in our security interests to disclose further details of this attack at this point in time. But I can say that it is serious and it is ongoing. And it has been identified to be UNC3886.
54. We will assess whether it is in our interest to disclose more details, later. I also have in an Annex to the speech, set out more details on UNC3886.
A Serious Threat to our National Security
55. The takeaway for all of us is that Singapore has been, and Singapore continues to be, under attack by APTs and foreign actors.
56. They seriously threaten our national security.
57. Let me explain with an illustration.
58. Say there is a cyber attack on our power system. This can disrupt our electricity supply. The knock-on implications: other essential services, like water supply, transport, medical services – in fact, everything that depends on power, everything will all be affected.
59. There are also economic implications. Our banks, airport, and industries would not be able to operate. Our economy can be substantially affected.
60. Not just power systems. Attacks to our telco systems and payment systems can have very serious consequences.
61. Attacks on our systems and infrastructure will then impact on how we do business.
62. Who will be our vendors, what will be our supply chains. All that will have to be relooked at. And if we decide that we cannot trust them, we may choose not to use them.
63. And at the same time, trust and confidence in Singapore as a whole, can also be affected. Businesses may shy away if they are unsure about our systems – whether the systems are clean, resilient, safe.
Cyber Defence: A Vigilant and Unified Response
64. We will act in Singapore’s interests and defend Singapore’s cyberspace.
65. I earlier shared about a global botnet.
66. Upon discovery, Singapore participated in a global operation to disrupt it. This is just one example. There are many others.
67. But we have to be realistic as well. We are up against very sophisticated actors – some backed by countries, countries with vast - unlimited almost - resources, and resources both in manpower and in technology.
68. They can deploy resources at a formidable scale.
69. Even countries at the frontier of technology have not been able to prevent APT attacks on their systems.
70. So realistically, we have to accept that some attacks at least, will get through.
71. And in the face of such threats, we have to continue to strengthen Singapore’s cyber defences, focus on not just preventing the attack, but preventing successful attacks, but also contain the threat, when the attackers penetrate the system.
72. CSA and other security agencies have been coordinated and united in national cyber defence.
73. They are on constant alert, working hard together to detect and contain cyber threats, and defend our systems.
74. CSA will continue to work with partners like CII owners to strengthen the protection of our Critical Infrastructure.
75. We will also continue to look at improving our crisis response capabilities and readiness. Cybersecurity exercises, like Exercise Cyber Star, help. We will also update our Cybersecurity Act to give more powers to deal with the threats.
76. Beyond owners of CII, CSA will continue to build up our digital ecosystem, and help companies raise their cybersecurity posture.
77. And on the international stage, Singapore will continue to do our part to preserve a secure and rules-based cyberspace.
78. We recently concluded our chairing of the 2nd UN Open-Ended Working Group on Security of and in the use of ICTs.
79. The Singapore International Cyber Week (SICW), is also an important platform for governments and industry players from around the world to come together, have important conversations, and deepen partnerships on cybersecurity.
Conclusion
80. Let me end by saying, I have tried to give a sense of the cyber threats facing Singapore.
81. The road ahead will be challenging. We have to stay agile, adapt to the emerging threats. We need collective will and commitment to try and do our best to secure our cyberspace; and from CSA’s perspective, these are not just broad statements, but the 10 year track record shows that that commitment will be translated into reality.
82. Once again, congratulations to CSA on your 10th Anniversary. I wish you every success in the years to come.
. . . . .
ANNEX 1
THE ADVANCED PERSISTENT THREAT (APT) LANDSCAPE IN SINGAPORE
Advanced Persistent Threat (APT) groups are a class of cyber threat actors which are highly skilled, well-resourced, and usually state-linked. They typically conduct cyber operations to further state objectives, which can range from intelligence collection and industrial espionage to the disruption of critical systems and democratic processes.
Characteristics of APTs
APT groups typically employ a variety of techniques to compromise their targets. These can range from exploiting poor cyber hygiene practices such as weak passwords, to sophisticated zero-day exploits. Once in a system, they typically use advanced techniques to evade detection and maintain persistent access. This makes them challenging to prevent and detect. Examples of techniques typically used by APT groups include:
a. “Zero-day” exploits. These refer to attacks exploiting a previously unknown vulnerability, before any remediation is available.
b. “Living-off-The-Land” (LoTL) techniques. These refer to techniques whereby a threat actor uses only tools available on the victim’s system. This reduces the attacker’s footprint and makes detection of their activities more challenging.
c. Supply-chain attacks. These refer to attacks where threat actors compromise a trusted third-party vendor, software, or service provider to gain unauthorised access to target organisations, often bypassing traditional security measures.
APT groups have been known to target high-value targets such as critical infrastructure in the power, water, telecommunications and healthcare sectors. In recent years, APT activity has intensified, driven primarily by escalating geopolitical tensions.
APT Activities in Singapore
Singapore has faced, and continues to face, attacks from APT groups. This is due to our geopolitical status, and because we are a digital and data hub that connects the world.
Between 2021 and 2024, detected APT activity in Singapore more than quadrupled. APT activities have been observed across both the private and public sectors, various industries, as well as across Critical Information Infrastructure (CII) and non-CII systems. Notable APT attacks against Singapore include:
a. 2014: The Ministry of Foreign Affairs’ IT system was breached. A sophisticated threat actor managed to gain access to MFA’s systems. Upon detection, the affected devices were immediately isolated, and appropriate security measures were taken to strengthen the network.
b. 2017: The National University of Singapore and Nanyang Technological University IT systems were also breached in a carefully planned and targeted attack. The objective was potentially to steal information related to Government or research. However, as the universities’ systems were separate from government IT systems, the extent of the APT activities was limited.
c. 2018: SingHealth’s database containing patient personal particulars and outpatient dispensed medication records was the target of a major cyber-attack. About 1.5 million patients had their non-medical personal particulars illegally accessed and copied. The medication records of about 160,000 patients, including that of then-Prime Minister Lee Hsien Loong, were also exfiltrated.
d. 2024: About 2,700 devices in Singapore were discovered to have been compromised to form a global botnet. This global botnet could be leveraged to conduct espionage activities on its victims, and potentially conduct disruption activities.
There are ongoing attacks on our critical infrastructure, at present. We have detected the presence of an APT group, UNC3886, for some time now. The threat actor is going after high-value and strategic targets: vital infrastructure that delivers our essential services. If they succeed, they could conduct espionage, or cause major disruption to Singapore and Singaporeans.
The Cyber Security Agency of Singapore, together with relevant agencies, is actively on-site and working with the affected organisations to deal with the incident. We are unable to disclose further details at this juncture, due to national security considerations. We will assess whether it is in our interest to disclose more details later.
ANNEX 2
ABOUT “UNC3886”
UNC3886* is a cyber threat actor with advanced, persistent threat capabilities. According to cybersecurity vendors, the group has been active since at least late 2021 and has been associated with cyber attacks against critical infrastructure, such as defence, telcos and technology organisations in the US and Asia. Cybersecurity vendors have also assessed that UNC3886 is focused on geopolitical and economic espionage, and potentially disruption objectives.
*“UNC” is cybersecurity company Mandiant’s nomenclature for an as-yet unclassified or uncategorised, but distinct threat actor group, identified through its consistent use of the same hacking techniques. While UNC3886 has yet to be attributed to a known threat actor group, it has been observed carrying out cyber attacks and other malicious activities.
UNC3886 has been observed to execute well-planned attacks against their targets. For example, UNC3886 has been observed to exploit “zero-day” vulnerabilities in network devices from major vendors such as Fortinet, VMware, and Juniper Networks, to gain access. They have even been observed to chain multiple exploits together, an advanced technique which allows the threat actor to escalate their privileges and move deeper into the network than they could have done by targeting individual vulnerabilities.
Once in a system, UNC3886 has been observed to use advanced techniques to evade detection and maintain long-term access to compromised environments. For example, they have been known to exploit virtualisation infrastructure (e.g. hypervisors and v-centres) to bypass traditional network protections such as firewalls and network detection and response solutions. They have also been observed to deploy highly advanced malware (e.g. rootkits) that allows them to gain control of systems without being detected. The latter is the conceptual equivalent of modifying CCTV feeds to erase their presence from the footage so they can move around and conduct malicious activities, undetected.
CSA has detected the presence of UNC3886 in our networks. CSA is leading the investigations, and is working closely with relevant agencies and partners to support affected organisations. In addition, we are monitoring all critical sectors and sharing threat intelligence so that they can take preventive measures. These attacks are often protracted campaigns, and CSA will need to preserve operational security by not disclosing further information at this stage.