
Singapore’s four major telecom operators—Singtel, StarHub, M1, and Simba Telecom—were targeted by the cyber espionage group UNC3886 last year, the city-state’s Cyber Security Agency (CSA) revealed on Monday.
According to the agency, while the attackers managed to infiltrate parts of the telecom systems, they were unable to disrupt services or access any personal data.
Cybersecurity firm Mandiant, owned by Google, has identified UNC3886 as a “China-nexus espionage group” that has previously targeted defence, technology, and telecommunications organizations across the United States and Asia. Beijing routinely denies any involvement in cyber espionage, asserting that it opposes all forms of cyberattacks and considers itself a victim of such threats. The Chinese Embassy in Singapore did not respond immediately to requests for comment.
Monday’s statement marks the first time Singapore’s government has disclosed the specific type of infrastructure targeted by UNC3886. Last July, authorities reported that the group had been attempting to access high-value strategic assets.
In a joint statement, the four telcos highlighted that all telecom operators face an array of cyber threats, including Distributed Denial-of-Service (DDoS) attacks, malware, phishing, and other sophisticated advanced persistent threats. “We adopt defence-in-depth mechanisms to protect our networks and conduct prompt remediation when any issues are detected,” they said, adding that they collaborate closely with government agencies and industry experts to enhance security and resilience.
The attackers exploited a zero-day vulnerability in firewall settings, comparable to breaking through an unknown door, and deployed rootkits and Medusa malware to steal credentials while remaining undetected. They gathered limited technical network information to map operations, but Singapore's countermeasures successfully isolated them from the 5G core network and other critical systems.
The CSA noted that the tactics employed mirror UNC3886’s global operations, including the 2025 Salt Typhoon campaign affecting U.S. telecoms and the 2022 breach of 27 million SIM cards at SK Telecom in South Korea.
Since March 2025, Singapore’s Cyber Guardian initiative has been operational, bringing together more than a hundred experts from six agencies, including CSA, IMDA, and GovTech, making it the country’s largest cyber security operation to date.
Telecom operators reported detecting suspicious activity early, triggering coordinated “purple team” drills, network redesign, and strengthened defenses. They reiterated that all telcos are inherently vulnerable to persistent and advanced cyber threats but emphasized that ongoing collaboration with government bodies and industry partners enhances overall resilience.
Analysts warn that state-supported adversaries could continue targeting Singapore, underlining the importance of vigilance. The operators’ resilience strategy includes the deployment of AI-driven defensive systems, mandatory reporting of advanced persistent threats, and measures to mitigate financial and operational ripple effects. The current cycle of the digital arms race reinforces the need for continuous monitoring and proactive security measures to maintain Singapore’s reputation as a secure digital hub in the region.




