UNC3886 and the soft edge: What Singapore’s warning means for defenders

This article provides an overview of UNC3886, explaining how it infiltrates critical systems and what its activity means for organisational security.

In July 2025, Singapore took the unusual step of publicly warning that an advanced persistent threat (APT) group, UNC3886, was actively targeting the country’s critical infrastructure. Officials noted that suspected APT activity as a whole had increased fourfold between 2021 and 2024, and that UNC3886 had been present in systems “for some time”. For defenders across the region watching closely, the related message is clear: the battleground is shifting to the edges and control planes of our networks – and the attackers are already there.

UNC3886: an APT worth studying

Tracked since 2022 by threat-intelligence teams, UNC3886 is widely assessed as a state-sponsored espionage actor with objectives typical of long-dwell operations: collecting sensitive data, establishing durable footholds for surveillance, and positioning itself to disrupt when required. Its campaigns have focused on high-value critical infrastructure sectors – telecommunications, energy, water, finance, healthcare, government, and transport – across Asia and the US.

Tactically, the group has shown a consistent game plan:

  • Initial access via the edge and virtualisation-appliance layer. Exploiting 0-days and high-impact N-days in managed network devices (e.g., Fortinet and Juniper firewalls/routers) and standalone virtualisation platforms (namely ESXi/vCenter). The exploited CVEs include:
    Valid credentials were also observed to have been used for initial access.
  • Stealthy persistence. Using various active and passive backdoors, including customised versions of TinyShell and, in some cases, open-source rootkits (Reptile and Medusa), to evade detection and maintain reliable, low-noise access. Tampering with device logs to reduce the forensic footprint.
  • Credential harvesting and lateral movement. Focusing on central management servers and moving along the Fortinet, Juniper, and VMware management planes, where telemetry is sparse and privileges are concentrated.

Other APT groups such as Volt Typhoon and APT41 have also leaned into this vulnerable ecosystem of “appliance-class” devices because it affords leverage with minimal visibility to defenders.

Specialised infrastructure devices: UNC3886’s soft target

UNC3886’s activity highlights weaknesses in what we’ll call specialised infrastructure devices (SIDs) – appliance-class systems like managed network appliances (firewalls, routers, VPNs), standalone hypervisors and virtualisation controllers (ESXi/vCenter), and enterprise/industrial IoT. These platforms commonly run custom or minimised operating environments and live either at the network perimeter or on sensitive control/management planes.

Several structural factors make SIDs appealing to APTs:

  • Limited agent support

Most Endpoint Detection and Response (EDR) tools are engineered for Windows and general-purpose Linux. By contrast, many SIDs run a stripped-down embedded Linux or a custom real-time OS. Typically only a minimal execution environment is available, and common APIs are missing. This often means no process-level telemetry, no system-call monitoring, and limited file/registry auditing, making it hard to implement functional EDR agents for such devices without help from their vendors, which might not be forthcoming.

  • “Black box” operational models

Designed to be simple, centrally-managed appliances, SIDs are optimised for reliability and deterministic performance. Logging is present, but depth and retention are constrained. The lack of historical context can hamper forensics and incident response.

  • Patch friction

Patching can risk downtime or device failure (“bricking”), so change windows are narrow and infrequent. Long-lived deployments, end-of-life hardware, and vendor scheduling further slow remediation. This creates extended windows of vulnerability for 0-/N-day exploitation.

  • Exposure and leverage

SIDs are frequently Internet-facing or reachable from management networks. Web UIs and admin consoles, if misconfigured or unprotected by strong authentication, become high-value entry points. Once inside, attackers gain outsized reach into traffic flows and orchestration layers, and can abuse remote services (e.g., SSH) for lateral movement using valid credentials.

The combination of low visibility and high leverage in SIDs gives APTs like UNC3886 a convenient position from which to launch the more disruptive phases of their operations.

Denying UNC3886 their footholds

Because SIDs are ubiquitous and strategically placed, it’s essential to monitor them – even when they can’t run agents. A practical approach blends network-centric analytics with agentless compute-layer visibility for virtualised appliances, plus disciplined hygiene.

1. Network-centric monitoring

Network Detection and Response (NDR) solutions should be used to instrument Layer 7 (the application layer) where feasible. The normal behaviour of each appliance class can be profiled, with detection systems set to alert on deviations in destination, volume and timing. Particular attention should be paid to outbound SSH from appliances, especially on non-standard ports, and to SSH sessions originating outside approved admin subnets. Sudden increases in data volume from ESXi/vCenter management IPs or network-appliance control interfaces can indicate staging or exfiltration.
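The three NDR heuristics above (appliance-initiated SSH, SSH to appliances from outside admin subnets, and volume spikes from management IPs) as an added example of baseline-and-deviation detection logic; this is not code from the article, and the appliance inventory, admin subnet and flow records are constructed, the flow tuple shape standing in for whatever an L7-aware NDR sensor actually exports.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed inventory (assumed, not from the article): appliance mgmt IPs and approved admin subnet.
APPLIANCES = {"10.0.0.1": "firewall", "10.0.1.5": "esxi-mgmt", "10.0.1.6": "vcenter-mgmt"}
ADMIN_SUBNETS = [ip_network("10.10.0.0/24")]

# Constructed flow records as an L7-aware NDR sensor might emit: (hour, src, dst, dst_port, app, bytes)
FLOWS = [
    (0, "10.10.0.7", "10.0.0.1", 22, "ssh", 4_000),          # admin -> firewall from approved subnet
    (1, "10.0.0.1", "203.0.113.9", 8443, "ssh", 12_000),     # firewall initiates SSH out on odd port
    (1, "192.168.5.4", "10.0.1.6", 22, "ssh", 3_000),        # SSH to vCenter from non-admin network
    (0, "10.0.1.5", "10.0.2.2", 443, "https", 50_000),       # ESXi mgmt IP: normal hourly volume
    (1, "10.0.1.5", "10.0.2.2", 443, "https", 52_000),
    (2, "10.0.1.5", "10.0.2.2", 443, "https", 48_000),
    (3, "10.0.1.5", "198.51.100.20", 443, "https", 900_000),  # sudden spike: possible staging
]

def in_admin_subnet(ip):
    return any(ip_address(ip) in net for net in ADMIN_SUBNETS)

def ssh_alerts(flows):
    """SSH initiated by an appliance, or SSH to an appliance from outside the admin subnets."""
    alerts = []
    for hour, src, dst, dport, app, _ in flows:
        if app != "ssh":
            continue
        if src in APPLIANCES:  # appliances should not initiate SSH; a non-standard port raises severity
            sev = "high" if dport != 22 else "medium"
            alerts.append((hour, sev, f"{APPLIANCES[src]} {src} opened SSH to {dst}:{dport}"))
        elif dst in APPLIANCES and not in_admin_subnet(src):
            alerts.append((hour, "high", f"SSH to {APPLIANCES[dst]} {dst} from non-admin host {src}"))
    return alerts

def volume_alerts(flows, ratio=5.0):
    """An hour in which an appliance's outbound bytes exceed `ratio` x the mean of its earlier hours."""
    per_hour = defaultdict(lambda: defaultdict(int))
    for hour, src, _, _, _, nbytes in flows:
        if src in APPLIANCES:
            per_hour[src][hour] += nbytes
    alerts = []
    for src, hours in per_hour.items():
        baseline = []  # earlier hours form the rolling baseline
        for hour in sorted(hours):
            if baseline and hours[hour] > ratio * mean(baseline):
                alerts.append((hour, "high", f"{APPLIANCES[src]} {src} sent {hours[hour]} B "
                               f"(~{hours[hour] / mean(baseline):.0f}x baseline)"))
            baseline.append(hours[hour])
    return alerts
```

On the constructed flows this yields two SSH alerts (the firewall's outbound SSH on port 8443 and the vCenter login from a non-admin host) and one volume alert for the ESXi management IP's 18x spike; a production version would build the baseline per appliance class over days rather than hours.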

2. Agentless visibility for virtualised SIDs via VMI

Many SIDs can run as virtualised appliances. For these, Virtual Machine Introspection (VMI) can be used to observe guest state from the hypervisor, giving EDR-like signals (process/memory behaviours, execution anomalies) without touching the guest OS.

3. Hygiene, hardening, and lifecycle management

SIDs should be inventoried and classified, with their software versions, network exposure and management interfaces tracked. End-of-life and end-of-service devices should be flagged for replacement. Admin access should be hardened by enforcing strong MFA, restricting management access to dedicated subnets, and applying per-device allowlists.

Conclusion: what Singapore’s signal tells defenders

Singapore’s decision to name UNC3886 not only highlights the continuing risk posed by APTs, but also their increasing tendency – exemplified by UNC3886 – to leverage vulnerability-prone and relatively unmonitored SIDs at the network edge in their operations. For organisations, this means traditional endpoint-focused defences leave gaps that threat actors can exploit for long-term espionage or disruption. Closing these gaps requires visibility strategies suitable for SIDs, particularly in virtualised environments where agentless monitoring is possible.