S’pore’s four major telcos came under attack by cyber espionage group UNC3886

Tragedeigh

Published Feb 09, 2026, 12:30 PM
Updated Feb 09, 2026, 12:32 PM
Singtel, StarHub, M1 and Simba Telecom came under attack by a state-sponsored cyber espionage group UNC3886.

PHOTOS: ST FILE, GIN TAY
Lee Li Ying


SINGAPORE - All four major telcos in Singapore came under attack by a state-sponsored cyber espionage group UNC3886, whose activities to disrupt critical services in Singapore were first made public in July 2025.

Revealing for the first time on Feb 9 that Singtel, StarHub, M1 and Simba Telecom were the targets, Minister for Digital Development and Information Josephine Teo said: “Our investigations show that the attacks by UNC3886 were a deliberate, targeted and well-planned campaign against our telecommunications companies.”

Mrs Teo was speaking at an event honouring the efforts of cyber defenders against UNC3886 at the Cybersecurity Agency of Singapore (CSA)’s office in Punggol Digital District.

Investigations showed that the attackers were able to extract a small amount of technical data. While they had accessed a few critical systems, they did not get far enough to disrupt services, she said.

The Infocomm Media Development Authority (IMDA) and CSA said that the most sensitive and critical systems such as 5G networks were locked away separately, and were not compromised.

Even though no sensitive data was seen or exfiltrated, Mrs Teo said that the attacks cannot be taken lightly.

“First, they were more capable of accessing sensitive information for espionage. Second, they could deploy more tools to disrupt telecoms and internet services. Everything that requires a phone or internet connection would then be affected,” she said.

“The knock-on effects of their campaign could also have included other essential services like banking and finance, transport and medical services,” added Mrs Teo, who is also Minister-in-charge of Cybersecurity and Smart Nation in Singapore.

UNC3886 was first detected in 2022 by cybersecurity group Mandiant as a China-linked cyber espionage group. The Chinese Embassy here denied involvement in the Singapore attack and said China cracks down on all forms of cyber attacks in accordance with the law.

Damages caused by compromised telco infrastructure could be devastating.

Mrs Teo cited an example in Korea where the SIM data of nearly 27 million users were exposed after telco SK Telecom was attacked in April 2025.

Also in 2025, authorities in the United States reported that APT group Salt Typhoon had infiltrated a large number of US telecommunications providers and may have obtained sensitive military or law enforcement information.

Mrs Teo said that successful cyberattacks can affect trust and confidence in Singapore as an international financial and logistics centre. Multinational companies also choose to house their global headquarters here because of Singapore’s safe and reliable digital connectivity.

“Businesses may shy away from Singapore if they are unsure about our systems – whether the systems are clean, resilient, and safe,” said Mrs Teo.

Urging everyone to be vigilant, Mrs Teo underscored the importance of the work of cyber defenders and early communication.

Even though suspicious activities detected by the telcos in March 2025 did not reach the threshold required for sounding the alarm, they reported the anomalies to the CSA.

This allowed a multi-agency effort, code-named Operation Cyber Guardian, to be mounted for the first time.

It is Singapore’s largest coordinated cyber response to date, involving more than 100 cyber defenders across six government agencies. The agencies are: CSA, the Infocomm Media Development Authority, the Singapore Air Force’s Digital and Intelligence Service, Centre for Strategic Infocomm Technologies, Internal Security Department and GovTech.

“So far, our attackers have not been able to move deeper into our telco networks,” said Mrs Teo.

Investigations found that UNC3886 gained initial access through a zero-day vulnerability - a hidden flaw with no known fix - at the perimeter firewall, akin to “finding a new key no one else had found to unlock the doors,” she said.

Other defensive actions taken to protect the telco infrastructure include enhancing detection measures, and redesigning the network and hardening their systems to impede further attacks.

Purple teaming - where simulated attacks and defences take place to improve an organisation’s security - was done to validate that the remediation measures were working.

But Mrs Teo warned that despite best efforts, there is no guarantee against future, continuing attempts to gain access into Singapore’s critical infrastructure.

APTs are backed by countries with formidable resources in manpower and technology, and will not give up so easily. “In short, the fight continues, and we must all do our part,” said Mrs Teo.

She also called on critical infrastructure operators, many of which are private companies, to continue investing in upgrading their systems and capabilities. “You are at the frontlines of the battle against cyber threat actors. Your actions, or inaction, can determine whether we succeed or fail in protecting our critical infrastructure, and our national security,” said Mrs Teo.

In a joint statement, the four telcos said that all operators face cyber threats such as distributed denial of service attacks, malware, phishing, and now, increasingly sophisticated, advanced and persistent threats.

“We adopt defence-in-depth mechanisms to protect our networks and conduct prompt remediation when vulnerabilities are detected. We also work closely with government agencies and industry experts to improve our security and resilience,” said the telcos.

The telcos add that protecting critical infrastructure is their top priority, and that they will keep pace with the cyber threat landscape.
 