National Cyber Warfare Foundation (NCWF)

China-linked APT UNC3886 targets Singapore telcos


2026-02-10 09:23:04
milo
Blue Team (CND)


China-linked group UNC3886 targeted Singapore’s telecom sector in a cyber espionage campaign, Singapore’s Cyber Security Agency revealed.





The Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA) ran Operation CYBER GUARDIAN to protect the telecom sector. Since July 2025, investigations showed that China-linked UNC3886 launched a targeted campaign against all four major telcos: M1, SIMBA Telecom, Singtel, and StarHub, aiming at critical infrastructure with deliberate and well-planned attacks.





UNC3886 is a sophisticated China-linked cyber espionage group that targets network devices and virtualization technologies using zero-day exploits. Its primary focus is on defense, technology, and telecommunications sectors in the US and Asia.





In 2023, the APT group targeted multiple government organizations using the Fortinet zero-day CVE-2022-41328 to deploy custom backdoors. UNC3886 prioritizes stealth by using passive backdoors and tampering with logs and forensic artifacts to ensure long-term persistence while evading detection.





“On 18 July 2025, Coordinating Minister for National Security Mr K Shanmugam shared that Advanced Persistent Threat (APT) actor UNC3886 had been detected attacking our critical infrastructure.” reads the report published by CSA. “Over the past months, our investigations have indicated that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore’s telecommunications sector. All four of Singapore’s major telecommunications operators (“telcos”) – M1, SIMBA Telecom, Singtel and StarHub – have been the target of attacks.”





UNC3886, a highly skilled APT group, targeted Singapore’s telcos using advanced methods over time. They exploited a zero-day to bypass a firewall and access networks, exfiltrating mainly network-related data. They also deployed rootkits to maintain persistent access, hide their activities, and evade detection, forcing cyber teams to perform thorough checks across all affected networks.





Singapore’s telcos spotted a breach by UNC3886 and promptly notified the IMDA and CSA. This started Operation CYBER GUARDIAN, Singapore’s biggest coordinated cyber response, lasting over 11 months.





“Under Operation CYBER GUARDIAN, the authorities worked closely with the telcos to limit UNC3886’s movement into the networks and ensure our systems remain safe to use. So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere.” continues the report. “The threat actor was able to gain unauthorised access into some parts of telco networks and systems. In one instance, they were able to gain limited access to critical systems but did not get far enough to have been able to disrupt services.”





More than 100 cyber experts from different agencies worked with the telcos to stop the attackers, limit their access, and secure systems. The attackers gained only partial access, without stealing data or disrupting services. Authorities fixed weaknesses, blocked access points, and increased monitoring. This teamwork between the government and telcos shows Singapore’s strong national cyber defence.





The fight isn’t over. Even though efforts so far have contained the attacks, future attempts to breach telco systems remain possible. Telcos are key targets, handling vast data and supporting the digital economy, making successful attacks a threat to national security and the economy.





The government takes this seriously. CSA and IMDA are working with telcos to strengthen defences, improve detection, and monitor for UNC3886. Telcos are conducting joint threat hunting, penetration testing, and capability upgrades. CSA will also roll out initiatives to boost skills across the cyber ecosystem for faster, stronger responses.





Minister Josephine Teo thanked cyber defenders for their work in Operation CYBER GUARDIAN and urged continued vigilance.





“Your actions, or inaction, can determine whether we succeed or fail in protecting our critical infrastructure, and our national security.” said Minister Josephine Teo. “I urge all of you to continue investing in upgrading your systems as well as your capabilities.”










Pierluigi Paganini





(SecurityAffairs – hacking, China)



Source: SecurityAffairs
Source Link: https://securityaffairs.com/187792/apt/china-linked-apt-unc3886-targets-singapore-telcos.html

