
Singapore’s Cyber Security Agency (CSA) revealed on Monday that a China-aligned cyber espionage group known as UNC3886 had targeted Singapore’s telecommunications sector.
“UNC3886 has launched a deliberate, targeted and well-planned campaign against Singapore’s telecommunications sector,” the CSA said. “Singapore’s four major telecommunications operators (‘telcos’) – M1, SIMBA Telecom, Singtel and StarHub – have all been targeted by attacks.”
The development comes more than six months after Singapore’s Coordinating Minister for National Security, K. Shanmugam, accused UNC3886 of attacking high-value strategic targets. UNC3886 is assessed to have been active since at least 2022 and targets edge devices and virtualization technologies to gain initial access.
In July 2025, Sygnia disclosed details of a long-term cyber espionage campaign by a threat cluster it tracks as Fire Ant, which shares overlapping tools and targets with UNC3886, saying the attackers were infiltrating organizations’ VMware ESXi and vCenter environments and network appliances.
Describing UNC3886 as an Advanced Persistent Threat (APT) with “deep capabilities,” the CSA said the attackers deployed sophisticated tools to gain access to communications systems, in some instances armed with zero-day exploits to circumvent perimeter firewalls and siphon small amounts of technical data to further their operational objectives. The exact details of the flaw were not disclosed.
In a second case, UNC3886 allegedly deployed a rootkit to gain persistent access and cover its tracks while staying under the radar. Other activities carried out by the threat actor include gaining unauthorized access to “portions” of communications networks and systems, including those deemed critical, although the incident was not assessed to be significant enough to disrupt service.
CSA announced that it has launched a cyber operation called “CYBER GUARDIAN” to counter this threat and limit the movement of attackers into communications networks. It also emphasized that there is no evidence that the attackers compromised personal data such as customer records or disrupted internet access.
“Cyber defenders subsequently took remedial actions, shutting down UNC3886’s access points and expanding their surveillance capabilities of the targeted carriers,” the agency said.
