Singapore says UNC3886 cyberattack hit four major telcos in 2025 but no customer data stolen
Singapore confirmed all four major telcos were targeted by the UNC3886 cyberattack, but authorities found no evidence of customer data theft following the country’s largest-ever coordinated cyber defence response.

- All four major telcos in Singapore were targeted by the advanced threat group UNC3886, authorities confirmed.
- Investigations have found no evidence that sensitive customer data was accessed or stolen.
- The coordinated response, Operation Cyber Guardian, marked Singapore’s largest cyber defence operation to date.

Singapore authorities have confirmed that all four of the country’s major telecommunication operators were targeted by a sophisticated cyberattack attributed to the group known as UNC3886, with no evidence so far that sensitive customer data was compromised.
In one instance, attackers managed to gain access to a limited number of critical systems but were unable to progress far enough to disrupt services, said Minister for Digital Development and Information Josephine Teo on 9 February 2026.
Authorities added that there is no indication customer data from Singtel, M1, StarHub or SIMBA was accessed or stolen during the attacks.
The cyber intrusions were first disclosed publicly in July last year by Coordinating Minister for National Security K Shanmugam, who said Singapore’s critical infrastructure was being targeted by a “highly sophisticated threat actor”.
The group behind the attacks was later identified as UNC3886, which cybersecurity firm Mandiant, owned by Google, has described as a “suspected China-nexus espionage actor” targeting strategic organisations globally.
Singapore’s response, known as Operation Cyber Guardian, was activated after the telcos reported suspicious network activity to the Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA).

Operation Cyber Guardian launched

The operation involved more than 100 personnel across six government agencies, including the Centre for Strategic Infocomm Technologies, the Singapore Armed Forces’ Digital and Intelligence Service, the Internal Security Department and GovTech.
Mrs Teo said the whole-of-government effort was the largest coordinated cyber response undertaken in Singapore and had succeeded in limiting the attackers’ activities.
Authorities said UNC3886 is classified as an advanced persistent threat, or APT, typically associated with well-resourced and often state-linked actors.
In one case, the group exploited a zero-day vulnerability to bypass a perimeter firewall and gain initial access to a telco’s network.
CSA and IMDA said the attackers exfiltrated a small amount of technical information, believed to be network-related data used to advance their operational objectives.
In another instance, advanced tools such as rootkits were deployed to maintain persistent access and evade detection.
“This required cyber defenders to conduct comprehensive security checks across the networks,” CSA and IMDA said in a joint statement.
Under Operation Cyber Guardian, authorities worked with the telcos to restrict lateral movement, close access points and ensure systems remained safe to use.
Monitoring capabilities were expanded to detect renewed attempts by the group to re-enter the networks.

Broader risks to critical infrastructure

Mrs Teo said a successful attack could have had knock-on effects on banking, transport and healthcare services.
“So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere,” she said, adding that this should not lead to complacency.
In a joint statement, Singtel, M1, StarHub and SIMBA said they employ “defence-in-depth mechanisms” and work closely with government agencies to strengthen resilience.
CSA and IMDA warned that telcos remain strategic targets due to their foundational role in the digital economy and handling of sensitive data.
Mrs Teo said unresolved cyber threats could lead to the theft of national secrets or disruption of essential services.

International context and attribution concerns

Singapore saw a more than fourfold increase in APT activity between 2021 and 2024.
Similar incidents overseas include a major data breach at South Korean operator SK Telecom and attacks on United States telecom providers in 2024.
Mr Shanmugam said in August last year that Singapore had chosen not to name the country allegedly linked to UNC3886, adding that suggestions of retaliation for doing so were “speculative”.
The Chinese embassy in Singapore has previously rejected claims linking China to the group, calling them “groundless smears and accusations”.

National cyber defence doctrine tested

Mrs Teo said Singapore must prepare for threats to other critical infrastructure, including power, water and transport systems.
She added that the response was guided by a classified national cyber defence doctrine developed in 2020, outlining public and private sector roles.
“We have been working on this and practising our plans for several years, but this is the first time we have implemented the plan in an actual operation,” she said.








