**Singapore Takes Down Chinese Hackers Targeting Telco Networks**

In a significant victory for the city-state's cybersecurity, Singapore's government has disrupted cyber-attacks attributed to Chinese-nexus cyber threat group UNC3886 that targeted the country's four telecommunications operators. The law enforcement operation, dubbed Operation Cyber Guardian, spanned from the summer of 2025 to early 2026 but remained secret until now.

The Cyber Security Agency of Singapore (CSA) revealed what happened in a report published on February 9, 2026. On July 18, 2025, K Shanmugam, Singapore's Coordinating Minister for National Security, warned that UNC3886, an advanced persistent threat (APT) group associated with the Chinese regime, had been conducting cyber-attacks against the country's critical infrastructure.

Details of the attacks remained secret at the time to preserve Singapore's national security. In its latest report, CSA shared that the four telcos - M1, SIMBA Telecom, Singtel and StarHub - detected intrusions and notified CSA and the Infocomm Media Development Authority (IMDA) of the breach.

The two government agencies then quickly brought together a taskforce of over 100 cyber defenders across six agencies to help the telcos mitigate the threat. Aside from the CSA and IMDA, entities involved in Operation Cyber Guardian included the Centre for Strategic Infocomm Technologies (CSIT), the Digital and Intelligence Service (DIS), the Government Technology Agency of Singapore (GovTech) and the Internal Security Department (ISD).

CSA explained that Operation Cyber Guardian spanned 11 months and was the largest and longest-running anti-cyber threat effort in the country's history.

**Inside UNC3886's Cyber-Attack Against Singaporean Telcos**

The investigations have indicated that UNC3886 had launched a deliberate, targeted and well-planned campaign against Singapore's telecommunications companies. In one instance, the hacking group used a zero-day exploit to bypass a perimeter firewall installed at the target companies and gained access into one of the victims' networks.

They also managed to exfiltrate a small amount of technical data, likely network-related data to advance the threat actors' operational objectives. In another instance, UNC3886 used advanced tools like rootkits to maintain persistent access, cover its tracks and evade detection.

"This made it challenging for cyber defenders to detect the actor's presence, requiring the cyber defenders to conduct comprehensive security checks across the networks," CSA wrote.

**Successful Operation Cyber Guardian**

The law enforcement effort was successful, since the UNC3886 attack "has not resulted in the same extent of damage as cyber-attacks elsewhere," CSA wrote. The threat actor was able to gain unauthorized access into some parts of telco networks and systems, but CSA stated that it found no evidence that the threat actor managed to disrupt telecommunications services or that sensitive or personal data were accessed or exfiltrated.

The operation's cyber defenders have since implemented remediation measures, closed off UNC3886's access points and expanded monitoring capabilities in the targeted telcos. However, CSA said the telcos must "maintain vigilance against new attempts by UNC3886 to re-enter their networks."

**Josephine Teo's Call for Vigilance**

Josephine Teo, Singapore's Minister-in-charge of Cybersecurity, highlighted the important role played by critical infrastructure operators. "Your actions, or inaction, can determine whether we succeed or fail in protecting our critical infrastructure, and our national security," she said.

"I urge all of you to continue investing in upgrading your systems as well as your capabilities," she added, emphasizing the need for continued vigilance against cyber threats.