StarHub, Singtel and M1: Singapore says UNC3886 cyberattack hit four major telcos in 2025 but no customer data stolen

Sophisticated Cyberattack Targets Singapore’s Major Telcos, Thwarted by Large-Scale Government Response

Singapore authorities confirmed that all four of the country’s major telecommunications operators (Singtel, M1, StarHub, and SIMBA) were targeted in a cyberattack attributed to the advanced persistent threat (APT) group UNC3886, a suspected China-linked espionage actor. The attacks, first disclosed publicly in July 2025, were detected after the telcos reported suspicious network activity to the Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA).

On 9 February 2026, Minister for Digital Development and Information Josephine Teo revealed that while attackers breached a limited number of critical systems, they were unable to disrupt services or access sensitive customer data. The government’s response, Operation Cyber Guardian, mobilized over 100 personnel from six agencies, including the Centre for Strategic Infocomm Technologies, the Singapore Armed Forces’ Digital and Intelligence Service, and GovTech, marking the largest coordinated cyber response in Singapore’s history.

UNC3886, classified as a highly sophisticated threat actor, employed zero-day exploits to bypass perimeter defenses and deployed rootkits to maintain persistent access. Authorities confirmed the exfiltration of a small amount of network-related technical data, though no customer information was compromised. The attackers’ lateral movement was restricted through joint efforts with telcos, and enhanced monitoring was implemented to prevent re-entry.

Teo warned that a successful attack could have cascaded into disruptions across banking, transport, and healthcare services, emphasizing that critical infrastructure remains a prime target due to its foundational role in the digital economy. While Singapore has seen a fourfold increase in APT activity between 2021 and 2024, the response demonstrated the effectiveness of the country’s classified national cyber defence doctrine, developed in 2020 and tested for the first time in a real-world operation.

The attacks align with global trends, including breaches at South Korea’s SK Telecom and U.S. telecom providers in 2024. Though UNC3886’s alleged state affiliation remains unconfirmed, the Chinese embassy in Singapore has denied involvement, dismissing such claims as "groundless." Authorities have opted not to publicly attribute the attacks to a specific country, citing strategic considerations.

Source: https://theonlinecitizen.com/2026/02/09/singapore-says-unc-3886-cyberattack-hit-four-major-telcos-in-2025-but-no-customer-data-stolen

StarHub TPRM report: https://www.rankiteo.com/company/starhub

Singtel TPRM report: https://www.rankiteo.com/company/singtel

M1 TPRM report: https://www.rankiteo.com/company/m1-limited

"id": "m1-sinsta1770616764",
"linkid": "m1-limited, singtel, starhub",
"type": "Cyber Attack",
"date": "7/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Telecommunications',
                        'location': 'Singapore',
                        'name': 'Singtel',
                        'type': 'Telecommunications Operator'},
                       {'industry': 'Telecommunications',
                        'location': 'Singapore',
                        'name': 'M1',
                        'type': 'Telecommunications Operator'},
                       {'industry': 'Telecommunications',
                        'location': 'Singapore',
                        'name': 'StarHub',
                        'type': 'Telecommunications Operator'},
                       {'industry': 'Telecommunications',
                        'location': 'Singapore',
                        'name': 'SIMBA',
                        'type': 'Telecommunications Operator'}],
 'attack_vector': 'Zero-day exploits',
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'Low (no customer data)',
                 'type_of_data_compromised': 'Network-related technical data'},
 'date_publicly_disclosed': 'July 2025',
 'description': 'Singapore authorities confirmed that all four of the '
                'country’s major telecommunications operators Singtel, M1, '
                'StarHub, and SIMBA were targeted in a cyberattack attributed '
                'to the advanced persistent threat (APT) group UNC3886, a '
                'suspected China-linked espionage actor. The attacks were '
                'detected after suspicious network activity was reported, and '
                "the government's response, Operation Cyber Guardian, "
                'mobilized over 100 personnel to thwart the breach.',
 'impact': {'data_compromised': 'Network-related technical data',
            'operational_impact': 'Potential cascading disruptions across '
                                  'banking, transport, and healthcare services '
                                  '(prevented)',
            'systems_affected': 'Critical systems (limited)'},
 'initial_access_broker': {'backdoors_established': 'Rootkits'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Effectiveness of Singapore’s classified national cyber '
                    'defence doctrine demonstrated in real-world operation; '
                    'critical infrastructure remains a prime target for APT '
                    'groups.',
 'motivation': 'Espionage',
 'post_incident_analysis': {'corrective_actions': 'Enhanced monitoring, '
                                                  'restricted lateral movement',
                            'root_causes': 'Zero-day exploits, sophisticated '
                                           'APT tactics'},
 'references': [{'source': 'Minister for Digital Development and Information '
                           'Josephine Teo'},
                {'source': 'Cyber Security Agency of Singapore (CSA)'},
                {'source': 'Infocomm Media Development Authority (IMDA)'}],
 'regulatory_compliance': {'regulatory_notifications': 'Reported to CSA and '
                                                       'IMDA'},
 'response': {'communication_strategy': 'Public disclosure by Minister '
                                        'Josephine Teo',
              'containment_measures': 'Restricted lateral movement, enhanced '
                                      'monitoring',
              'enhanced_monitoring': True,
              'incident_response_plan_activated': 'Operation Cyber Guardian'},
 'stakeholder_advisories': 'Government agencies and telcos coordinated '
                           'response; potential cascading disruptions '
                           'highlighted.',
 'threat_actor': 'UNC3886',
 'title': 'Sophisticated Cyberattack Targets Singapore’s Major Telcos',
 'type': 'Cyber Espionage',
 'vulnerability_exploited': 'Zero-day vulnerabilities'}