When Singapore was hit by the worst cyberattack it had faced back in 2018, the government said it was the work of state-backed hackers but stopped short of naming them.
About 1.5 million patients at the Singhealth healthcare provider had their medical data stolen. Among those affected was then-Prime Minister Lee Hsien Loong, who was targeted “specifically” and “repeatedly”.
Despite the gravity of the situation, the Singapore government decided not to say who was behind the attack. Disclosing the culprits, it argued, would not help the situation or make the country more secure.
So, it may seem surprising to hear Coordinating Minister for National Security, K Shanmugam, call out a state-linked hacker group mounting an ongoing cyberattack on Singapore’s critical infrastructure on July 18, in an event to mark the 10th anniversary of the country’s Cyber Security Agency.
By naming the group, UNC3886, he was clear who was behind the latest attacks on Singapore. Google-owned cybersecurity firm, Mandiant, which has years of experience tracking state-sponsored attacks, linked it to China.
Understandably, few details are available so far, since the cyberattack is ongoing, but there is no question of the seriousness. Units in the Singapore military are now responding to it.
“If it [the hacker group] succeeds, it can conduct espionage, and it can cause major disruption to Singapore and Singaporeans,” cautioned Shanmugam, who is also Home Affairs Minister.
Asked by reporters a day later, he said he did not want to get into who the hacker group is linked to. By naming it, he said he wanted Singaporeans to know where the attack was coming from.
Inevitably, questions will arise on the timing. Are the cyberattacks larger in scale this time or was a sensitive part of Singapore’s critical infrastructure targeted? Did the attackers go beyond espionage to potentially disrupt services?
Singapore, a well-connected global hub, can expect to be probed and attacked by cyber adversaries frequently. Crucially, what was different this time? Was a line crossed?
One thing that’s clear is that the government seems to be taking a tougher stance. Though it has not mentioned China, pinpointing UNC3886 is enough to show that Singapore faces cyber threats similar to others in the region.
Singapore has close ties with China, drawing large investments from its Asian neighbour. It also buys the latest fighter planes from the United States, whose aircraft carriers visit often.
The small country has been careful not to be drawn into the geopolitical rivalry, and it has not taken sides in the South China Sea disputes in its backyard. So, the unusual step of naming a hacker group that others could easily link to China has to be a calibrated move.
In response, the Chinese embassy in Singapore has denied any role in the attacks. It also scolded several Singapore media outlets for linking the cyber attackers to China, while saying it was ready to work with Singapore and the rest of the world to “protect cybersecurity”.
Perhaps this is the diplomacy that Singapore seeks. No longer keeping silent while being attacked, it would share its experience, joining other countries also attacked by the same hackers.
Or perhaps the intention is plainer. It may be to simply prepare citizens for potentially disruptive cyberattacks on critical infrastructure, which will likely come from adversaries that are sophisticated, well-funded and potent.
Despite being well connected, Singapore has been spared the worst impacts from cyberattacks so far. A few weeks out from the country’s 60th birthday, the warning of an ongoing cyberattack is a timely reminder of the real threats it constantly faces.
