What Singapore's First Public Cyber Attribution Tells Us

‘The intent of this threat actor in attacking Singapore is quite clear’, Singapore’s Coordinating Minister for National Security and Minister for Home Affairs Mr. K Shanmugam noted.

‘They are going after high value, strategic targets. Vital infrastructure that delivers our essential services. If it succeeds, it can conduct espionage, and it can cause major disruption to Singapore and Singaporeans,’ he continued.

On 18 July, during the Cyber Security Agency’s 10th anniversary dinner, Minister Shanmugam used his first speech in his new role to call out a Chinese-linked cyber threat actor group ‘UNC3886' for targeting the country’s critical infrastructure.

Singapore, like most countries – and especially Southeast Asian ones – has historically refrained from publicly ‘naming and shaming’ other states or state-linked actors conducting cyber operations. But the speech marked a shift in that posture. For the first time, Singapore publicly attributed a cyber incident to an Advanced Persistent Threat (APT) group, signalling a new phase in how the country addresses the complex interplay between geopolitics and cyber operations, restraint and responses.

For many it might seem unprecedented, but a closer look reveals a Singapore that has been thinking and testing a ‘naming without (fully) naming’ strategy for some time. While Singapore did not go as far as to attribute explicitly to China, there are lessons to be learnt from a small, highly digitised city-state’s use of attribution in a region fraught with geopolitical tensions and with the pressures of a cyber power such as China.

Testing and Calibrating Approaches to Attribution

While this might have been the first time that Singapore named a cyber threat actor targeting the country, this was not a sudden leap into the spotlight. As a highly digitised small state with ambitious goals in technology and finance, Singapore is uniquely exposed economically, regionally, and geopolitically to a complex regional context. It is also deeply tied to China economically, as both a trading partner and investor. These conditions have historically shaped Singapore’s tightrope walk: strengthening national resilience and asserting sovereignty without jeopardising its strategic ambiguity or drawing direct retaliation.

The move to name UNC3886 did not come in isolation. Singapore’s public disclosures and references to cyber incidents have previously focussed on condemning behaviour rather than the actor per se. In 2022 and 2023, senior ministers from defence, communications, and national security portfolios repeatedly raised the alarm over the growing risks posed by state-linked cyber operations. The common thread throughout those speeches was the reference to the Viasat satellite communications hack attributed to Russian-linked actors – which led to widespread disruptions to Ukrainian satellite-based communications at the start of Russia’s full-scale invasion.

Though they did not name threat actors or states outright, the focus was on drawing the lines of unacceptable behaviour by strategically and consistently referencing the case in a short period of time. The reference to what is seen as one of the most consequential attacks in the lead-up to Russia’s full-scale invasion of Ukraine might seem distant from the Southeast Asian reality, and it is, geographically speaking. However, it was a relevant signal of concern from the highest levels of government with attacks on critical infrastructure. More importantly, it was an opportunity for them to test their public communication on certain cyber incidents, signal areas of concern to domestic and international audiences, and internally model its cyber posture to respond to similar cases.

Cyber attribution is rarely a binary decision. States do not simply jump from silence to confrontation. Instead, they move across a spectrum – developing internal frameworks, mapping escalation risks, and choosing whether to respond publicly, privately, or at all. Singapore’s calibrated move is reminiscent of France’s recent public attribution, where French officials only explicitly and publicly attributed an incident to a state in April this year after a long period of testing and calibrating. In both cases, the attribution came not as a last-minute reaction or an after-thought, but as a carefully timed diplomatic message.

As highlighted in a previous paper, public cyber attribution is one among many options to call out and respond to malicious cyber activity. Before going public, a state might engage in a series of activities such as diplomatic démarches, technical attribution or indirect (yet public) endorsements to other attributions by referencing them in speeches – as it has been the case with Singapore. Every presence/absence of words matter.

This also explains why Singapore’s language was so precise. UNC3886 is a threat actor cluster labelled by the cyber threat intelligence company Mandiant (now part of Google) – not an official designation used by Singaporean authorities to directly name a China-linked APT. Minister Shanmugam did not say ‘China.’ But the implication, to those familiar with threat intelligence lexicon, was crystal clear. This is an attribution that signals seriousness while preserving ambiguity. It leaves enough room to deter escalation or diplomatic fallout, without denying that Singapore was willing to publicly acknowledge a threat.

Beijing’s response mirrored this approach. A statement issued by the Chinese Embassy in Singapore did not address the Singaporean government directly. Instead, it was directed to Singaporean newspapers, stating that ‘China is a major victim of cyberattacks’ and ‘expresses its strong dissatisfaction with [the allegations] and opposes any groundless smears and accusations.’ The lack of direct engagement, and the framing of the response, reveal the unspoken rules of this rhetorical dance: one where the message has been received, but escalation has presumably been avoided (as far as public information goes).

If we consider that public cyber attribution is only ‘one’ response among many, one should assume that even though Singapore has decided to name UNC3886 this time does not mean (i) that they will continue to do so, (ii) that attributions (even if threat actor-specific) will be more frequent, (iii) nor that the evolution in approach is for them to reach a state of ‘full’ public attribution. Culture and context matters. Unlike Europe where the EU and NATO has and can take actions against Russian malicious cyber activity, the regional politics of Southeast Asian countries is different and their inclination to be overtly more combative with regards to China might not be expressed publicly nor in the same way or domain when thinking about responses.

The use of ‘full’ public attribution (naming the state) depends on what kinds of signals, effects and risks they are willing to take. Consistent public attribution as done by countries such as the UK, US, Australia and others can help showcase domestically proactiveness and transparency as well as demarcate unacceptable behaviour internationally, but might have less of an impact on deterring malicious activities (only promoting a change in tactics from the adversary). Conversely, sporadic attribution might have a stronger signalling impact but not as transparent to the domestic audience nor a consistent approach.

What is Special About this Case then?

First, it shows how Chinese state-affiliated actors might use neighbours as a testing ground for further cyber operations. Singapore has been repeatedly targeted by Chinese-linked APTs, including the group Volt Typhoon, which breached Singtel in 2024. Reports suggest the Singtel intrusion may have been a precursor to broader campaigns against US telecoms. Presumably, the Chinese strategy of testing their cyber capabilities might be successful in terms of tools and techniques in preparation for a larger or more persistent cyber campaign elsewhere. But this strategy could backfire. A shared threat between US and Singapore could provide further opportunity for cooperation in cybersecurity.

Second, it indicates how the concern with cyber prepositioning is not only linked to the US and other Western governments. While UNC3886 remains unclassified and associated with cyber espionage campaigns, the Minister’s quote at the start of this piece reflects this concern: ‘If [the actor] succeeds, it can conduct espionage, and it can cause major disruption to Singapore and Singaporeans.’ In other words, it is not just about spying. It is about using malicious code to gain access to a network or system in ways that blur the line between espionage and disruption – whether the access will be used for data-exfiltration (cyber espionage) or a weaponised as a precursor to a cyber-attack.

Third, Singapore’s foreign policy approach shows how hedging applies to calibrating responses to cyber incidents. Crucially, this attribution doesn’t signal a wholesale shift in Singapore’s foreign policy posture. The country has long been a master of hedging - balancing deepening security and economic ties with the US and its allies, while maintaining strong relations with China. Cyber is no exception. Even in this public attribution, that balancing act is visible. Any full public attribution could presumably be met with more cyber activity from China as well as hold the potential for quiet retaliation in other areas such as economic cooperation. This calibration is clear when Mr. Shanmugam was asked about the attribution to UNC3886 being linked to China the day after his CSA 10th anniversary speech: ‘As far as the Singapore Government is concerned, we can say we are confident that it is this particular organisation. Who they are linked to, and how they operate, is not something I want to go into.’

Fourth, ‘naming without (fully) naming’ can be a powerful tool for small states. This case shows that attributing an incident to a state might not be the goal, it might not even be a consideration because, in that cultural and regional context, getting as close as Singapore did might already be a strong signal on its own. Also, the choice of which threat actor to name is also telling. Rather than calling out Volt Typhoon last year, Singapore decided to send the message by referring to an unclassified cluster, not an official designation directly linking it to a specific Chinese government agency (for example, the Ministry of State Security) – a carefully crafted move. But Singapore is not the only one: ‘naming without fully naming’ approach has also been carried by other states such as Switzerland after pro-Russian hacker group NoName had targeted their government websites in advance of Zelensky’s online address to the Swiss parliament in 2023.

Reading the Signals

That ambiguity is not evasion. It is a strategy. While Western countries may be eager to see Singapore join multilateral attributions or more openly align itself with cyber deterrence efforts, the reality is more complex. Attribution here is not solely about norm-building (for example, signalling/stressing what is unacceptable behaviour) through naming. It is about managing risk – strategically, surgically, and on Singapore’s own terms.

Still, this moment matters. Singapore is testing its public attribution posture. It is experimenting with the language, the timing, and the format through which it sends signals – without committing to a new posture. That experiment, and the reaction it generates, will help shape how the country approaches future cyber incidents. This was a calibrated signal to multiple audiences: to domestic constituents concerned about cyber risk; to international partners watching how Singapore positions itself; and, subtly, to the threat actors themselves.

This speech should not be read as a radical shift. But neither should it be downplayed. It offers insight into how small, digitally-advanced states are navigating cyber attribution on their own term – calibrating public messages while preserving diplomatic space. It also offers lessons to Global South countries facing similar pressures: there is more than one way to do attribution.

© RUSI, 2025.

The views expressed in this Commentary are the author's, and do not represent those of RUSI or any other institution.

For terms of use, see Website Terms and Conditions of Use.

Have an idea for a Commentary you'd like to write for us? Send a short pitch to commentaries@rusi.org and we'll get back to you if it fits into our research interests. View full guidelines for contributors.