Revisiting UNC3886 Tactics to Defend Against Present Risk

On July 18, Singapore’s Coordinating Minister for National Security K. Shanmugam revealed that the country was facing a highly sophisticated threat actor targeting critical infrastructure—UNC3886. First reported in 2022, this advanced persistent threat (APT) group has been targeting essential services in Singapore, posing a severe risk to their national security.

In this entry, we draw on observations and the tactics, techniques, and procedures (TTPs) from previously recorded UNC3886 attacks. Our aim is to get a good understanding of this threat group and enhance overall defensive posture against similar tactics.

An overview of UNC3886

UNC3886 is a cyber espionage group whose targets include the US, Europe, and Singapore, where it currently represents a significant threat. Known for its persistent attack methods, the group homes in on critical sectors such as government, telecommunications, technology, defense, energy, and utilities. While first reported in 2022, there have been evidence of its activity dating back to late 2021.

The Cyber Security Agency (CSA) of Singapore has been actively investigating UNC3886’s activities and monitoring all critical service sectors. The group’s activities have been detected in parts of Singapore’s critical information infrastructure that power essential services, highlighting the severe threat they pose to national security. Although the specific sectors affected have not been disclosed, the agency has emphasized the need to preserve operational security by not disclosing further information at this stage.

Tactics, Techniques and Procedures

UNC3886 operates using advanced techniques and primarily targets network devices, virtualization systems (e.g. VMware vCenter/ESXi, Fortinet FortiOS, and Juniper Junos OS), and critical information infrastructure. The group is also known for using zero-day exploits and deploying custom open-source malware specifically developed to evade detection and maintain persistence within the target networks. Additionally, UNC3886 leverages tools already present on the victim’s system to further evade detection.

Even when detected and removed, the group is persistent and often attempts re-entry into the network. The group’s attack chain involves several advanced techniques including:

• Exploiting public-facing applications for initial access (T1190)
• Using valid accounts for persistence (T1078)
• Employing remote access tools (T1219) and application layer protocols (T1071) for command and control.

This combination of advanced and persistent techniques with strategic targets makes UNC3886 a group that warrants heightened vigilance. Its past activities offer insight into the group’s capabilities, tools, as well as effective defenses that could derail their operation.

We take a closer look at the techniques, vulnerabilities, and other tactics UNC3886 have used in the past to get an idea of what could still be their current operations.

Read More HERE