Inside Singapore’s 2025 Response to APTs: Readiness, Reporting, and Risk


In the digital age, few issues are as pressing as the rise of advanced persistent threats (APTs). Unlike common cyberattacks, APTs involve sophisticated, state-linked actors that infiltrate networks and lie undetected for extended periods, with the intention to steal, disrupt, or sabotage.

For Singapore, a global hub for finance, trade, and critical infrastructure, the stakes could not be higher. On 1 August 2025, Coordinating Minister for National Security K. Shanmugam called for mandatory reporting of suspected APT attacks by critical information infrastructure (CII) operators. His message was clear: early disclosure can make the difference between containment and catastrophe.

Speaking at the biennial Exercise Cyber Star, Singapore’s largest cybersecurity simulation to date, Mr Shanmugam stressed the importance of proactive collaboration between government agencies and private sector operators. “Accept that [breaches will happen], and be prepared to defend,” he said. This mindset reflects a sobering reality. Cyber threats are not a possibility but a certainty. In the case of APTs, delayed detection often results in widespread compromise. By mandating the reporting of suspected attacks, Singapore hopes to build a cohesive national defence framework that can respond quickly and decisively to evolving threats.

The growing frequency and sophistication of APTs

The announcement came weeks after Singapore revealed that its CII had been targeted by UNC3886, a known APT group believed to be linked to China. According to cybersecurity experts, including Mandiant, UNC3886 has a history of exploiting vulnerabilities in virtual infrastructure, making it especially dangerous for cloud-reliant systems. From 2021 to 2024, the number of APT activities targeting Singapore’s CII rose more than fourfold. This alarming increase underscores how geopolitical tensions are spilling into cyberspace, with critical services, like energy, healthcare, and transportation, becoming prime targets.

Unlike opportunistic ransomware or defacement attacks, APTs are calculated and quiet. The attacker often gains access, establishes persistence, and waits for the right time to strike. This long game makes APTs uniquely dangerous. Past examples in Singapore illustrate this point vividly. In 2018, the SingHealth breach resulted in the theft of personal data from 1.5 million patients. The attackers are believed to have remained undetected in the network for nine months before executing their exfiltration. That breach, widely considered Singapore’s worst, exposed not just data, but vulnerabilities in detection and coordination.

The role of legislation in defending critical infrastructure

To meet this rising threat, Singapore has amended its Cybersecurity Act to require mandatory reporting of cybersecurity outages and APT attacks. These changes, expected to take effect by the end of 2025, mark a significant shift in policy. Operators of CII are now expected to report incidents that affect not just their internal networks, but also third-party services, including cloud providers and vendors. This extended scope acknowledges the reality that cyber threats often exploit the weakest link in a supply chain.

Minister Shanmugam did not name a specific nation responsible for the UNC3886 incident, stating that it was not in Singapore’s public interest to do so at this time. However, his decision to name the group itself signals a firm stance. It sends a message to both attackers and defenders: the Singapore government takes attribution seriously, and transparency in threat intelligence is crucial for national defence.

The updated legislation aligns with global best practices. Countries like the United States and the United Kingdom have also introduced mandatory breach notification laws in recent years. The idea is simple but powerful: cybersecurity is treated as a shared responsibility between the public and private sectors.

Real-world preparedness through cyber exercises

Exercise Cyber Star 2025 was more than symbolic. It served as a hands-on stress test for Singapore’s cyber resilience. Nearly 500 participants from across 11 CII sectors, ranging from energy and banking to healthcare and transport, engaged in realistic attack simulations. These drills tested their technical readiness, incident response coordination, and ability to contain spillover effects on society.

In one scenario, participants had to deal with an APT actor targeting subway systems. The simulation raised difficult questions: how do you keep millions of commuters safe when a digital system shuts down? What does coordination look like between private sector operators and government agencies during a digital emergency? These are not hypothetical concerns. With digital interconnectivity now underpinning essential services, cyber risk is directly linked to public safety and national security.

Minister Shanmugam emphasised the importance of putting a face to a name. Cybersecurity, while highly technical, is also human. Building trust and familiarity across sectors and agencies fosters quicker, more confident responses when a real incident strikes. This is especially important in a region like Southeast Asia, where cyberattack attribution is often murky, and response timelines can mean the difference between disruption and disaster.

Cultural change: From secrecy to transparency

Perhaps the most important shift in Singapore’s strategy is cultural. In many organisations, cyber incidents are still kept under wraps, driven by fears of reputational harm or regulatory scrutiny. But as Mr Shanmugam rightly pointed out, such silence benefits no one, except the attacker. Transparency does not equate to weakness. On the contrary, it is a sign of maturity and operational confidence.

By encouraging early reporting, the government is not simply asking for data; it is offering support. The Cyber Security Agency of Singapore (CSA) works closely with affected organisations to identify, contain, and mitigate threats. With mandatory reporting laws in place, the emphasis will now shift to building trust, ensuring that companies feel safe coming forward without fear of backlash. This is crucial for sectors like finance and healthcare, where public confidence is tightly interwoven with security perception.

Partnering with data protection specialists: The role of Privacy Ninja

As the threat landscape evolves, so too must the support systems available to organisations. Privacy Ninja plays a vital role in this ecosystem. By offering services such as Vulnerability Assessment and Penetration Testing (VAPT), Data Breach Management, DPO-as-a-Service, and Smart Contract Audits, Privacy Ninja empowers businesses to identify and address weaknesses before attackers can exploit them.

In the context of Singapore’s new reporting mandates and heightened APT risks, working with a trusted cybersecurity partner is no longer optional. Privacy Ninja provides not just technical assessments but also strategic guidance aligned with the Personal Data Protection Act (PDPA) and Cybersecurity Act. Whether you operate in healthcare, finance, utilities, or digital services, having a qualified team to simulate attacks, test defences, and advise on incident response can be the difference between recovery and collapse.
