**Singapore Spent 11 Months Booting China-Linked Snoops Out of Telco Networks**

Singapore has revealed that it spent almost a year evicting a suspected China-linked espionage crew from its telecom networks, in what officials describe as the country's largest cyber defense operation to date.

The Cyber Security Agency of Singapore (CSA) said that advanced persistent threat UNC3886 had infiltrated the networks of all four major telecom providers, sparking an 11-month digital eviction effort involving over 100 personnel from across government, military, intelligence, and industry. The cleanup was branded "Operation Cyber Guardian" and saw the state and telco engineers teaming up to flush out the intruders while keeping the nation's phone and data pipes flowing.

"Over the past months, our investigations have indicated that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore's telecommunications sector," the CSA said. While officials stopped short of formally pointing the finger at Beijing, UNC3886 has long been associated with Chinese state-aligned cyber espionage.

The group tends to skip flashy break-ins on user machines and instead sneaks into the dull but revealing parts of network infrastructure, where traffic flows quietly and almost nobody is paying attention. According to Singapore's account, the attackers slipped past perimeter defenses using a previously unknown flaw, then dug in using custom rootkits that let them stay hidden deep inside telecom systems.

Officials didn't say what bugs had been exploited, but UNC3886 was previously observed exploiting zero-day flaws in FortiGate firewalls, VMware ESXi, and VMware vCenter Server endpoints. Investigators believe the operation focused on siphoning off technical network information that could support long-term intelligence collection, rather than stealing customer records or causing outages that might draw attention.

The tactics will sound familiar to anyone who has followed recent telecom-focused espionage campaigns. The operation bears a strong resemblance to the China-backed Salt Typhoon espionage campaign uncovered in 2024, which also went after telecom providers across several countries using similar infrastructure-level tricks to quietly watch data and communications traffic.

That kind of access is why telecom breaches tend to ring louder alarm bells than the average hack. Operators sit at the intersection of government communications, enterprise data, and consumer traffic, making them attractive targets for states looking to map networks, monitor flows, or set the stage for future intelligence operations.

Singapore described Operation Cyber Guardian as its "largest coordinated cyber incident response effort undertaken to date." Cleaning up involved identifying compromised devices, sealing off attacker access paths, patching vulnerabilities, and ramping up monitoring to ensure the intruders didn't simply circle back. Singapore warned that telecom networks will remain prime targets and urged operators to assume sophisticated actors are already probing their defenses.

"Telecom networks will continue to be a high-priority target for state-sponsored actors," said the CSA. "We urge all telecom operators to remain vigilant, assume that they are under cyber attack, and take proactive measures to protect their systems."