The fight against UNC3886, a cyberattack group that targeted Singapore’s four major telcos, involved more than 100 people across six government agencies.
From left: Mr Eric Chen from IMDA, ME5 Eugene Tay from SAF DIS, Dr Adrian Tang from CSIT and Mr Benedict Chong from CSA were part of the teams containing UNC3886's cyberattack. (Photos: CNA/Syamil Sapari)
However, those in the fight against UNC3886 told CNA that they were ultimately ready to face the task at hand, due to years of preparation and capacity-building.
UNC3886, an advanced persistent threat (APT) actor, targeted Singapore’s four major telcos - Singtel, M1, Starhub and Simba. The operation to contain the threat has spanned more than 11 months.
More than 100 people across six government agencies were involved – the Cyber Security Agency of Singapore (CSA), Infocomm Media Development Authority (IMDA), Centre for Strategic Infocomm Technologies (CSIT), the Singapore Armed Forces’ Digital and Intelligence Service (DIS), Internal Security Department and GovTech.
Among them was Mr Benedict Chong, assistant director of CSA’s National Cyber Incident Response Centre, who coordinated investigations on the ground and provided regular updates to higher management.
“Because of the scale of this incident, we definitely had to work longer and existing projects, of course, had to be put on the back burner or shelved temporarily while we investigated this incident and tried to contain the threat,” he said.
He added: “Sometimes weekends also had to be burnt, so definitely the social affairs had to be slightly restricted.”
There was also a higher operational cadence compared with regular work, due to the uncertain nature of the threat, said Dr Adrian Tang, group director of CSIT’s Digital Defence Hub.
He oversaw CSIT's efforts in the operation, with the organisation contributing its technical insights to shape how the investigation was carried out.
CSIT also connected the dots between the disparate findings and operationalised some of the insights into capabilities that could be used.
“We just have to have that mindset that we have to stay ready on whatever we might find, whatever we have to actually address,” he said, adding that it also happens outside office hours.
In her speech at an engagement event with cyber defenders on Monday (Feb 9), Minister for Digital Development and Information Josephine Teo noted that they worked round the clock to monitor and detect hostile activities.
“It was year-end, there was Christmas. Before that, there was Deepavali. Upcoming, we have Chinese New Year. We can expect that our cyber defenders will still be hard at work whilst we and our families get to enjoy the bonding,” she said.
That hard work meant that although UNC3886 managed to gain access to a few critical systems, it did not get far enough to be able to disrupt services.
There is also no evidence so far that any sensitive customer data was stolen.
Codenamed Operation Cyber Guardian, the relentless defence took a mental toll on some of those involved.
ME5 Eugene Tay, team lead in the Threat Hunting Centre of the DIS’ Cyber Protection Group, said that his team had to comb through “a very large volume of data” for the operation, something which was very time-intensive and required sustained focus.
He was part of a composite team with CSA and IMDA that also worked closely with the cybersecurity departments of the telcos to hunt for cyber threats in the affected network.
“It also placed a high cognitive load on my cyber defenders. Despite this mentally exhausting process, my team remained highly focused and mission-oriented,” he said, adding that the team was driven by a collective commitment to push through the demands and stay disciplined.
For ME5 Tay, the effort was “mentally exhausting” due to the high intensity.
Whenever he got home from work, he was typically quite tired and would rest. He also had less time to spend with his family.
“They don't know exactly what I was doing. They just know that I'm away for work,” he said, highlighting the high level of operational confidentiality needed.
Due to the specific nature of the targets, Mr Chong said that his team faced some technical challenges.
“Because the telcos’ networks were pretty complex, the team had to learn on the spot what each system does, what each system is connected to, and so on and so forth.
“So the team had to really learn on the job as we were investigating the incident,” he added.
The experience of working with the unfamiliar was similarly shared by IMDA manager for data operations and intelligence Eric Chen, whose team of hunters proactively scoured for threats in the systems.
“Obviously, we need to study the threat actors of interest … together with our partners, the government agencies that we have worked with, as well as other sources which I can’t disclose,” he said.
Together, they collated the intelligence and used it to develop an approach to detect and hunt for other nefarious actors in the systems.
Because the operation involved multiple agencies, the different teams had to adapt to each other’s working styles.
“These officers, of course, brought along with them different backgrounds, they brought along with them different processes from their parent agencies. So initially, there was some teething or some friction between the officers from various government agencies,” said Mr Chong.
However, they ultimately managed to pull through and work together, driven by the single overriding objective of defending Singapore’s critical information infrastructure, he said.
Dr Tang emphasised that another key challenge was the sheer complexity and dynamism of the actual operation.
“Many things start coming all at once. Sometimes you can have data points and signals coming from different places,” said Dr Tang.
The challenge was in being able to connect the dots quickly, as the battle against UNC3886 raged on.
Dr Tang, who has been in the sector for about 20 years, added that responding to the attack was not “a big bang” moment for his agency, as it was already doing capability building before that.
“CSIT has always been delivering advanced cybersecurity solutions to the government. In fact, when this thing happened, we were involved right on the onset,” he said.
ME5 Tay said that he did not feel any sense of anxiety, even when the scale of the attack truly dawned upon him, as he knew he was surrounded by professionals with a diverse set of skills.
“Cybersecurity is a team sport, and the diverse skill set of the cyber defenders across the various agencies, as well as our mutual trust, actually helped us to better respond to this incident,” he said.
Mr Chong said that facing the UNC3886 attack has been “quite an eye-opening experience”.
It is the type of operation that professionals in the sector would want to be a part of, as it is both a personal learning experience and also contributes to a larger national effort to ensure that essential services are not disrupted, he said.