Mr Teo Chee Hean,
Senior Advisor, PMO
Mrs Josephine Teo,
Minister for Digital Development and Information,
and Minister-in-charge of Cybersecurity and Smart Nation
Mr Tan Kiat How,
Senior Minister of State, MDDI
Mr David Koh, Commissioner of Cybersecurity
and Chief Executive of the Cyber Security Agency of Singapore (CSA),
Distinguished Guests, Ladies and Gentlemen,
1. Very good evening to all of you.
2. We are here to celebrate the Cyber Security Agency’s (CSA) 10th Anniversary. In the last 10 years, CSA has made significant progress.
CSA’s Formation
3. 10 years ago, Singapore was just starting on its Smart Nation journey. We were exploring how digital technology can transform our economy and our way of life.
4. We knew then – we already had then, various malicious actors, cyber criminals, and they were exploiting cyberspace. There were state-linked actors who were conducting attacks against a wide array of targets, including critical information infrastructure (or CII); and data breaches, website defacement by hacktivist groups.
5. Some of you will remember the cyber attacks by the hacktivist group called Anonymous. They defaced several government websites.
6. It was clear that we needed to go digital. But we also needed to do so in a manner that was safe and secure.
7. So, we set up CSA. It was, and is, a dedicated national authority, with centralised oversight of Singapore’s cybersecurity.
8. CSA was placed under the Prime Minister’s Office.
9. That reflected the national importance of cybersecurity, and that gave CSA a clear mandate to drive policy, and to coordinate efforts both in peacetime and during a crisis.
10. CSA was managed by MDDI, because it would need to work with the digital industry, and MDDI engages the digital industry.
11. Officers from security agencies including MINDEF and MHA were seconded to CSA. Many are here today, including founding and continuing Chief Executive David Koh.
12. 10 years on, CSA has grown from its founding group of about 70 officers; today, to almost 500 officers. It has developed crucial partnerships both domestically and internationally; and it has significantly raised the cybersecurity posture of Singapore.
13. I think we can say: well done to CSA, its management, and its officers; and I think they deserve a round of applause.
A More Dangerous World
14. The world today, if anything, has even more dangers in cyberspace, compared to 10 years ago.
15. Malicious cyber actors are using new technologies. Cyber criminals are using AI to generate phishing emails and develop malware.
16. It is no longer enough to only guard our most critical systems. Potential targets have increased. They include external vendors, suppliers, service providers along the entire supply chain. Even residential devices, like home routers, IP cameras, are now being exploited by cyber attackers.
17. And that is in parallel with the tensions which are rising around the world. Conflicts in the physical domain today are always accompanied by attacks in the digital domain. Both state and non-state actors have launched several attacks on critical infrastructure.
Malicious Cyber Activity in Singapore
18. Singapore has not been spared. We have been and we continue to be attacked by cyber threat actors.
19. A survey showed that nearly 80% of organisations have experienced some form of cyber attack. And most of these are by cyber criminals at relatively low level. For example, earlier this year, Toppan Next Tech experienced a ransomware attack. Customer information from financial institutions was extracted.
20. ‘Hacktivists’ and foreign actors have also used cyber to promote their agendas. Agendas – both political and ideological agendas.
21. In October last year, the Government blocked 10 inauthentic websites. These had been set up by foreign actors and they were masquerading as Singapore websites. And the websites, in our assessment, had the potential to be used for Hostile Information Campaigns against us and our interests.
Advanced Persistent Threats
22. But moving on, tonight, I would like to speak about a very serious matter, a particular category of cyber threats.
23. They are known as Advanced Persistent Threats, or APTs.
24. APTs are highly sophisticated and well-resourced actors.
25. They typically act on State objectives. They steal sensitive information, they disrupt essential services.
26. APT groups have been identified from Sandworm, “Typhoons” cluster.
27. They attack critical infrastructure like healthcare, telcos, water, transport, power.
28. If you look at the example of Ukraine, cyber attacks were launched and caused a power outage. And the cyber attacks coincided with massive missile strikes.
29. In April 2025, this year, there was a cyber attack on SK Telecom. SK Telecom is a major South Korean telecommunications company. The attack exposed the SIM data of nearly 27 million users. It caused widespread concern across South Korea.
30. Singapore has been attacked as well. We are a relevant country geopolitically. We are a digital and data hub that connects the world. People want to get into our systems, to both influence us and threaten us.
31. There have been several attacks. We don’t make all of them public for National Security Reasons.
32. I will refer to some of these attacks, to give a sense of the threat.
33. More than 10 years ago in 2014, an attacker likely linked to a foreign Government gained access into MFA’s IT systems. The attacker tried to steal sensitive information.
34. In 2017, an APT likely linked to a foreign Government breached the IT networks of NUS and NTU. The objective was probably to steal information related to Government and research.
35. In 2018, attackers likely linked to a foreign Government infiltrated SingHealth’s system and stole more than 1.5 million patient records.
36. Last year, attackers likely linked to a foreign Government infected over 2,700 Singapore devices, such as baby monitors and routers.
37. These devices formed part of a global botnet. It comprised hundreds of thousands of everyday devices.
38. This botnet could have been used to disrupt critical services.
39. And we do have to recognise that, of course, these sorts of activities are not confined to the digital sphere. We have also been consistently targeted in the physical world since our independence, and even before independence. In simple language: our people are targeted, recruited, to work for foreign Governments. There are also constant attempts to influence Singaporeans in a variety of ways. Some will recall, in 2017, we identified an “agent of influence” of a foreign country, and his permanent residence (PR) status was revoked.
40. Now I have shared a very small number of examples of the cyber attacks, attempts to influence, that we have been dealing with.
41. There are several more that we have not disclosed publicly for national security reasons, as I have said.
42. What I can say is that the number of APT attacks has been increasing. In four years, from 2021 to 2024, suspected APT attacks on Singapore increased more than four-fold.
43. I listed some of the APT incidents in Singapore, in an Annex to my speech.
44. One of the APT groups conducting such attacks is UNC3886.
45. The “UNC” label stands for “uncategorised” or “unclassified”.
46. It simply means that industry analysts have not formally classified it but
47. that does not mean it is any less of a threat.
48. The industry has identified UNC3886 as a highly sophisticated threat actor. It deploys advanced tools to compromise systems.
49. It is also able to evade detection and maintain persistent access in victim networks.
50. Industry has associated UNC3886 with cyber attacks against critical areas, such as defence, telcos, and technology organisations in the United States and in Asia.
51. The intent of this threat actor in attacking Singapore is quite clear. They are going after high value, strategic targets. Vital infrastructure that delivers our essential services. If it succeeds, it can conduct espionage, and it can cause major disruption to Singapore and Singaporeans.
52. UNC3886 poses a serious threat to us, and has the potential to undermine our national security.
53. Even as we speak, UNC3886 is attacking our Critical Infrastructure, right now.
54. CSA and relevant agencies are actively dealing with the attack and they are working with the relevant CII owners.
55. It is not in our security interests to disclose further details of this attack at this point in time. But I can say that it is serious and it is ongoing. And it has been identified to be UNC3886.
56. We will assess whether it is in our interest to disclose more details, later. I also have in an Annex to the speech, set out more details on UNC3886.
A Serious Threat to our National Security
57. The takeaway for all of us is that Singapore has been, and Singapore continues to be, under attack by APTs and foreign actors.
58. They seriously threaten our national security.
59. Let me explain with an illustration.
60. Say there is a cyber attack on our power system. This can disrupt our electricity supply. The knock-on implications: other essential services, like water supply, transport, medical services – in fact, everything that depends on power, everything will all be affected.
61. There are also economic implications. Our banks, airport, and industries would not be able to operate. Our economy can be substantially affected.
62. Not just power systems. Attacks to our telco systems and payment systems can have very serious consequences.
63. Attacks on our systems and infrastructure will then impact on how we do business.
64. Who will be our vendors, what will be our supply chains. All that will have to be relooked at. And if we decide that we cannot trust them, we may choose not to use them.
65. And at the same time, trust and confidence in Singapore as a whole, can also be affected. Businesses may shy away if they are unsure about our systems – whether the systems are clean, resilient, safe.
Cyber Defence: A Vigilant and Unified Response
66. We will act in Singapore’s interests and defend Singapore’s cyberspace.
67. I earlier shared about a global botnet.
68. Upon discovery, Singapore participated in a global operation to disrupt it. This is just one example. There are many others.
69. But we have to be realistic as well. We are up against very sophisticated actors – some backed by countries, countries with vast - unlimited almost - resources, and resources both in manpower and in technology.
70. They can deploy resources at a formidable scale.
71. Even countries at the frontier of technology have not been able to prevent APT attacks on their systems.
72. So realistically, we have to accept that some attacks at least, will get through.
73. And in the face of such threats, we have to continue to strengthen Singapore’s cyber defences, focus on not just preventing the attack, but preventing successful attacks, but also contain the threat, when the attackers penetrate the system.
74. CSA and other security agencies have been coordinated and united in national cyber defence.
75. They are on constant alert, working hard together to detect and contain cyber threats, and defend our systems.
76. CSA will continue to work with partners like CII owners to strengthen the protection of our Critical Infrastructure.
77. We will also continue to look at improving our crisis response capabilities and readiness. Cybersecurity exercises, like Exercise Cyber Star, help. We will also update our Cybersecurity Act to give more powers to deal with the threats.
78. Beyond owners of CII, CSA will continue to build up our digital ecosystem, and help companies raise their cybersecurity posture.
79. And on the international stage, Singapore will continue to do our part to preserve a secure and rules-based cyberspace.
80. We recently concluded our chairing of the 2nd UN Open-Ended Working Group on Security of and in the use of ICTs.
81. The Singapore International Cyber Week (SICW), is also an important platform for governments and industry players from around the world to come together, have important conversations, and deepen partnerships on cybersecurity.
Conclusion
82. Let me end by saying, I have tried to give a sense of the cyber threats facing Singapore.
83. The road ahead will be challenging. We have to stay agile, adapt to the emerging threats. We need collective will and commitment to try and do our best to secure our cyberspace; and from CSA’s perspective, these are not just broad statements, but the 10 year track record shows that that commitment will be translated into reality.
84. Once again, congratulations to CSA on your 10th Anniversary. I wish you every success in the years to come.