Tuesday, February 10, 2026


Singapore flags cyber espionage campaign targeting telecom networks

Singapore’s telecom sector has come under a coordinated cyber espionage campaign linked to a China-connected threat group, according to the country’s Cyber Security Agency. The agency said the activity was carefully planned and aimed at critical communications infrastructure.

The Cyber Security Agency said the threat group known as UNC3886 carried out “a deliberate, targeted and well planned campaign against Singapore’s telecommunications sector.” It confirmed that all 4 major telecom operators in the country, M1, SIMBA Telecom, Singtel and StarHub, were targeted. The disclosure follows earlier warnings from Singapore’s Coordinating Minister for National Security K. Shanmugam, who had said UNC3886 was behind attacks on high-value strategic targets. Authorities assess that the group has been active since at least 2022, with a focus on edge devices and virtualization technologies to gain initial access.

In July 2025, a cybersecurity firm revealed details of a long-running espionage campaign linked to a threat cluster called Fire Ant, which shares tools and targeting patterns with UNC3886. That campaign showed attackers infiltrating VMware ESXi and vCenter environments, as well as network appliances, to maintain long-term access. The Cyber Security Agency described UNC3886 as an advanced persistent threat with “deep capabilities.”

According to the agency, attackers used sophisticated techniques to break into telecom systems. In one case, they exploited a zero-day vulnerability to bypass a perimeter firewall and extract a small amount of technical data to support further operations. In another incident, rootkits were deployed to maintain persistent access and hide malicious activity. The group also gained unauthorized access to some parts of telecom networks, including systems considered critical, though the impact was not severe enough to disrupt services.

The agency said it launched a defensive effort called CYBER GUARDIAN to contain the threat and restrict attacker movement within telecom networks. “Cyber defenders have since implemented remediation measures, closed off UNC3886’s access points and expanded monitoring capabilities in the targeted telcos,” the agency said. It added that there was no evidence of personal data theft or internet service outages resulting from the attacks.
