Straitstimes.com header logo

Suspected advanced persistent threat attacks must be reported under S’pore’s amended Cybersecurity Act

Sign up now: Get ST's newsletters delivered to your inbox

Mandatory reporting to Singapore’s cyber-security watchdog, Cyber Security Agency, is expected to take effect later in 2025.

Mandatory reporting to the Cyber Security Agency of Singapore is expected to take effect later in 2025.

PHOTO: LIANHE ZAOBAO

avatar-alt

Sarah Koh

Follow topic:

SINGAPORE - Operators of critical systems, such as those that manage Singapore’s energy, water and transportation services, will soon be required to report suspected advanced persistent threat (APT) attacks.

Mandatory reporting to the Republic’s cyber-security watchdog, the Cyber Security Agency of Singapore (CSA), is expected to take effect later in 2025, said Minister for Digital Development and Information Josephine Teo on July 29.

The new measure under the Cybersecurity Act comes after the revelation on July 18 of

serious threats from the cyber-espionage group UNC3886,

which experts said is linked to China.

It is one of several APT actors, whose activities have increased more than fourfold from 2021 to 2024, that target Singapore’s critical information infrastructure (CII).

“If organisations suspect that they have been targeted, they cannot and should not confront the attackers on their own,” said Mrs Teo at the fifth annual Operational Technology Cybersecurity Expert Panel forum organised by CSA.

“These requirements will support the early detection of APT activities, and enable CSA to take more timely actions – together with other government agencies – to defend CII owners against the attacks.”

APT actors are typically state-sponsored and are well-resourced. They use advanced tools to evade detection, lurk in high-value networks and spy over the long term to steal sensitive information or disrupt essential services.

Singapore’s 11 CII sectors are aviation, healthcare, land transport, maritime, media, security and emergency services, water, banking and finance, energy, infocomm and government.

Singapore’s 2018 Cybersecurity Act was amended in 2024 to expand CSA’s oversight to include risks that come from suppliers and cloud services. In particular, CII operators must declare any cyber-security outage, and any attack on their premises or along their supply chain.

The amended Act also requires temporary systems set up to support high-profile events, such as vaccine distribution and key international summits, to come under CSA’s supervision.

Until recently, Singapore had not publicly said much about APT activity, or named any of the groups involved. However, the mandatory reporting of APT attacks will soon be included as part of CSA’s expanded oversight.

“Why are we doing so for the first time?” said Mrs Teo.

“We want the public to know that these threats are not imagined, but real,” she said, adding that the potential consequences for Singapore’s economy and society are very serious.

She cited the losses that some countries suffered in recent years, such as 600 Ukrainian homes losing heating for two days during the winter in January 2024 after malware was used to exploit a zero-day vulnerability in internet-facing routers.

Separately, the hacking of a Norwegian dam’s systems in April caused seven million litres of water to be released. While the damage may have been limited in this instance, the hacking could have resulted in more dire consequences, such as flooding or disruptions to essential services, said Mrs Teo.

“The owners of CIIs – (you) must raise your vigilance, because you provide essential services that Singapore and Singaporeans depend on. The threats you face are no longer simple ransomware attacks. APTs have you in their sights,” said Mrs Teo.

More on this topic
What is UNC3886, the group that attacked Singapore’s critical information infrastructure?
S’pore vulnerabilities are no different from those of other nations: Commissioner of Cybersecurity

Singapore is in a heightened state of alert following the UNC3886 attack and increased APT activities.

The Government is actively working with CII owners to enhance the security of critical systems, said Mrs Teo. She added that CSA has brought together the chief executives of all CII owners for a classified briefing on Singapore’s threat landscape.

CSA will continue to work closely with local organisations and international partners to share actionable threat information, said the agency’s chief executive David Koh, in his speech at the forum.

The forum is another platform to prepare critical sectors through engagements with tech providers and experts.

On July 29, CSA signed a memorandum of collaboration with ST Engineering to jointly study and develop operational technology tools for the critical services sectors.

“A partnership approach will help to ensure a safe and resilient digital future for Singapore,” said Mrs Teo.

Sarah Koh is a journalist on the technology beat at The Straits Times. She takes an interest in the development of consumer tech and the impact of AI on society.

See more on

E-paper

Newsletters

Podcasts

RSS Feed

About Us

Terms & Conditions

Privacy Policy

Need help? Reach us here.

Advertise with us

Download the app

Get unlimited access to exclusive stories and incisive insights from the ST newsroom
Subscribe Placeholder
MDDI (P) 046/10/2025. Published by SPH Media Limited, Co. Regn. No.202120748H. Copyright © 2025 SPH Media Limited. All rights reserved.