The Chinese threat actor tracked as UNC3886 breached Singapore’s four largest telecommunication service providers, Singtel, StarHub, M1, and Simba, at least once last year.
The hackers also gained limited access to critical systems but did not pivot deep enough to disrupt services.
In response to the intrusions, which were disclosed in July 2025, Singapore deployed ‘Operation Cyber Guardian’ to limit the adversary's activity on the telcos' networks, but very few details were shared at the time.
"Over the past months, our investigations have indicated that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore’s telecommunications sector," Singapore's Cyber Security Agency (CSA) states.
According to the latest update, the attackers used a zero-day exploit to bypass a telecom's perimeter firewalls and steal technical data to further their objectives.
The agency discovered in another intrusion that UNC3886 relied on rootkits to remain stealthy while maintaining persistence for an undisclosed period.
Although compromise was confirmed across all four major operators, Singapore’s authorities say they did not find any evidence that sensitive customer data was accessed or stolen, and no services were disrupted at any point.
The CSA and Infocomm Media Development Authority (IMDA) received reports about the suspicious activity from the telcos and engaged over a hundred investigators from across six government agencies.
The authorities claim that an immediate response contained the compromise, closed access points, and expanded monitoring to other critical infrastructure, blocking a potential pivot to banking, transport, and healthcare sector organizations.
“So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere,” stated the country’s Minister for Digital Development and Information, Josephine Teo, earlier today at an official engagement event.