Singapore mobilised 100+ cyber defenders to eject UNC3886 from four major telcos

Singapore disclosed a months-long, whole-of-government cyber operation that mobilised more than 100 defenders to contain intrusions by the actor UNC3886 against the country’s four largest telecommunications operators: Singtel, StarHub, M1 and SIMBA Telecom.

The Cyber Security Agency of Singapore and the Infocomm Media Development Authority said the campaign, codenamed Operation CYBER GUARDIAN, "is Singapore’s largest coordinated cyber incident response effort undertaken to date, spanning more than eleven months. Over 100 cyber defenders across agencies such as CSA, IMDA, the Centre for Strategic Infocomm Technologies (CSIT), the Digital and Intelligence Service (DIS), the Government Technology Agency of Singapore (GovTech) and the Internal Security Department (ISD) were involved in the operation," according to official materials.

Authorities said telco security teams initially detected the intrusions and notified IMDA and CSA, triggering the coordinated response. CSA and IMDA said they worked in partnership with the operators to contain the breaches and strengthen monitoring across affected networks.

Technical details reported by industry outlets draw on the incident report but have not been released in full by the agencies. Darkreading and ComputerWeekly reported that the actor "deployed 'advanced tools' as part of its operation, including a zero-day exploit to bypass a perimeter firewall and rootkits to maintain persistence," citing CSA’s incident report. Darkreading described UNC3886 as "China-linked"; IMDA and CSA named the actor as UNC3886 but did not include that characterization in the excerpts provided by the agencies.

IMDA said cyber teams have carried out remediation actions. "Cyber defenders have since implemented remediation measures, closed off UNC3886’s access points and expanded monitoring capabilities in the targeted telcos," the agency said, noting joint public-private action to neutralise the intrusions.

The four operators issued a joint statement, reported by ComputerWeekly, committing to layered defences and prompt fixes. The operators said: "Protecting our critical infrastructure is a top priority. We will continue to keep pace with the evolving cyber threat landscape and update our measures accordingly."

Media reporting also credited the response with preserving customer services. Darkreading reported that Singapore’s telcos "maintained an unaffected service through effective breach containment and resilience as cyberattacks continued." Officials, however, warned the danger has not passed. "While our collective efforts have contributed to containing the attacks so far, we must be prepared that there may be future attempts to gain access into our telco infrastructure," the agency said, according to reporting.

Analysts welcomed naming the actor and the level of coordination. CCAPAC’s Lim said that naming the group "also shows that the country is being transparent about its approach to cybersecurity," while Collin Hogue-Spears of application-security firm Black Duck said the incident "highlights that China is developing a strong expertise in compromising critical infrastructure and telecommunications systems."

IMDA framed the operation as an example of Singapore’s national doctrine of cyber defence: "The close partnership between the public and private sector in Operation CYBER GUARDIAN reflects our national doctrine of cyber defence, in which government agencies, as well as the private sector come together to collectively defend our cyber space. This coordinated approach is a key pillar of Singapore’s cyber security."

Officials say the work continues. IMDA’s release included the heading "The fight is ongoing," underscoring that hardening and vigilance remain priorities as authorities seek technical details and indicators they have not yet published.