
The Chinese threat actor tracked as UNC3886 breached Singapore’s four largest telecommunication service providers, Singtel, StarHub, M1, and Simba, at least once last year.
The hackers also gained limited access to critical systems but did not pivot deep enough to disrupt services.
In response to the intrusions, which were disclosed in July 2025, Singapore deployed ‘Operation Cyber Guardian’ to limit the adversary’s activity on the telcos’ networks, but very few details were shared at the time.
“Over the past months, our investigations have indicated that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore’s telecommunications sector,” Singapore’s Cyber Security Agency (CSA) states.
According to the latest update, the attackers used a zero-day exploit to bypass a telecom’s perimeter firewalls and steal technical data to further their objectives.
The agency discovered in another intrusion that UNC3886 relied on rootkits to remain stealthy while maintaining persistence for an undisclosed period.
Although compromise was confirmed across all four major operators, Singapore’s authorities say they did not find any evidence that sensitive customer data was accessed or stolen, and no services were disrupted at any point.
The CSA and Infocomm Media Development Authority (IMDA) received reports about the suspicious activity from the telcos and engaged over a hundred investigators from across six government agencies.
The authorities claim that an immediate response contained the compromise, closed access points, and expanded monitoring to other critical infrastructure, blocking potential pivoting to banking, transport, and healthcare sector organizations.
“So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere,” stated the country’s Minister for Digital Development and Information, Josephine Teo, earlier today at an official engagement event.
“This is not a reason to celebrate, rather it is to remind ourselves that the work of cyber defenders matters,” the Minister said.
In late 2024, it was disclosed that China-aligned state hackers known as Salt Typhoon had breached multiple U.S. broadband providers, accessing information from these firms’ legal network wiretapping systems.
In mid-2025, the Canadian government also disclosed an intrusion by the same threat group, which exploited a Cisco IOS XE flaw to breach telecommunications firms.
Mandiant researchers have tracked UNC3886 since 2023. The group targets government, telecommunication, and technology firms by exploiting zero-day flaws in FortiGate firewalls (CVE-2022-41328), VMware ESXi (CVE-2023-20867), and VMware vCenter Server endpoints (CVE-2023-34048).
In the case of Singapore, the authorities did not share what zero-day vulnerability was exploited or which product/vendor it affected.
