PUBLISHED ONFebruary 09, 2026 4:30 AMUPDATEDFebruary 09, 2026 11:24 AMBYLim KeweiSingapore's four major telecom operators — Singtel, StarHub, M1, and Simba — are under threat from cyber espionage group UNC3886.
The foreign actor targeted the telecommunications sector in 2025 but did not succeed in stealing any personal or sensitive customer data, said the Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA) in a statement on Monday (Feb 9).
"At stake was not just sensitive data," said Josephine Teo, Minister for Digital Development and Information and Minister-in-charge of Cybersecurity and Smart Nation Group, at an engagement event to recognise cyber defenders on Monday.
"The consequences could have been more severe. If the attack went far enough, it could have allowed the attacker to one day cut off telecoms or internet services."
UNC3886 was publicly identified as the advanced persistent threat (APT) group conducting a "serious" and ongoing attack on Singapore's critical infrastructures by Coordinating Minister for National Security K Shanmugam in July 2025.
APT groups are cyber threat actors, usually state-linked, that covertly intrude and hide in networks over a long period of time to spy and collect valuable data or disrupt systems and processes.
UNC3886 is reportedly a China-linked cyber espionage group, and was first detected in 2022 by cyber-security firm Mandiant.
In a Facebook post last July, the Chinese embassy in Singapore expressed its "strong dissatisfaction" at claims linking the country to UNC3886, and "opposes any groundless smears and accusations against China".
"In fact, China is a major victim of cyberattacks," it wrote.
In her speech, Teo noted that the infiltration of UNC3886 into Singapore's telco networks was "a deliberate, targeted, and well-planned campaign".
The alarm had been raised by the telco operators in March 2025 after they flagged suspicious activity in their networks.
Responding to the report, the CSA and IMDA confirmed the presence of UNC3886 in the networks.
Operation Cyber Guardian — a collective cybersecurity effort involving over 100 cyber defenders from six government agencies and the four major telcos — was promptly launched to combat the threat.
CSA's Benedict Chong, a lead incident responder in the operation, said on Monday that his team processed the initial report as any other cyber incident, and realised the scale and high level of threat.
"We felt that there was a possibility that this would be one of the largest, if not the largest, cybersecurity incident that CSA has ever faced in its 10-year history," surmised Chong, who is assistant director for the agency's National Cyber Incident Response Centre.
Operation Cyber Guardian is Singapore's largest cybersecurity operation.
Clifton Soh, manager at IMDA's Threat Intelligence and Response division, told AsiaOne that the attack by the APT group required strong collaboration and clear communication between multiple stakeholders.
The scale and complexity of the operations posed a challenge, he added.
"This was the largest ops undertaken to date, with many people working across multiple, highly complex systems in our telecommunications networks, all of which had to be coordinated and communicated securely.
"I’m thankful for the partnership from telcos who were opened in facilitating the joint ops and threat hunt."
Investigators traced UNC3886's activities within the telco networks and established that the actor had obtained initial access by exploiting an unknown software vulnerability, known as zero-day.
The group avoided detection by using advanced techniques such as a rootkit, an advanced malware, to control the infected system.
It breached critical systems but "did not get far enough to have been able to disrupt services", said CSA and IMDA on Monday.
The authorities said there is no evidence that sensitive or personal data such as customer records were accessed or exfiltrated.
A "small amount of technical data" believed to be primarily network-related data was stolen by UNC3886, which used it to understand and advance within the networks.
Cyber defenders from CSA were able to quickly and accurately detect UNC3886's rootkit, and contained the threat by closing off unauthorised access points created by the group.
Having limited its activities, defenders enhanced and hardened the systems of telcos to detect and protect against new attempts to enter their networks.
Minister Teo stated in her speech on Monday that the sophisticated foreign threat actors "will not give up so easily".
"We must also be prepared that our other critical infrastructure, such as our power, water and transport systems may be targeted. After all, they are common targets in other countries.
"In short, the fight continues, and we must all do our part."
Critical infrastructure operators are at the "frontlines of the battle" and their actions, or inaction, is crucial in determining the outcome.
Teo urged operators to continue investing in upgrading systems and capabilities, calling on leaders to take cybersecurity seriously and provide close oversight to teams.
In a joint statement, Singtel, StarHub, M1 and Simba said telcos are now increasingly facing more sophisticated, advanced, and persistent threats.
"We adopt defence-in-depth mechanisms to protect our networks and conduct
prompt remediation when vulnerabilities are detected," they said, adding that protecting their critical infrastructure is a top priority.
"We will continue to keep pace with the evolving cyber threat landscape and update our measures accordingly."
[[nid:729172]]
lim.kewei@asiaone.com
