Singapore’s government has officially confirmed that a sophisticated Chinese cyber-espionage group breached all four of the nation’s largest telecommunications providers in a coordinated campaign that exploited zero-day vulnerabilities and deployed advanced persistence mechanisms.
The Cyber Security Agency of Singapore (CSA) disclosed that UNC3886, a threat actor tracked by Google’s Mandiant security unit and linked to Chinese intelligence operations, successfully compromised Singtel, StarHub, M1, and Simba Telecom beginning in 2025.
Zero-Day Exploitation and Rootkit Deployment
According to the CSA’s investigation, the attackers exploited a zero-day vulnerability to bypass the perimeter firewalls at one of the targeted telecoms. Singapore authorities have not disclosed which product or vendor was affected.
In another intrusion, investigators discovered UNC3886 deployed rootkits to maintain stealthy persistence within compromised systems for an undisclosed period. This aligns with the group’s known tactics of targeting network edge devices and virtualization infrastructure where traditional endpoint security tools have limited visibility.
Operation Cyber Guardian Response
Singapore’s response to the intrusions, first disclosed in July 2025, involved over 100 investigators from six government agencies in what authorities described as “the largest multi-agency cyber operation” mounted by the nation. The operation successfully:
- Contained the compromise within the telecommunications sector
- Closed access points used by the attackers
- Expanded monitoring to other critical infrastructure (banking, transport, healthcare)
- Blocked potential lateral movement to additional sectors
While the intruders gained limited access to critical systems, authorities confirmed no customer data was accessed or stolen, and no services were disrupted.
UNC3886: A Prolific Zero-Day Exploiter
UNC3886 has been tracked by Mandiant researchers since 2023, primarily targeting the government, telecommunications, and technology sectors across the United States and the Asia-Pacific region. The group is known for exploiting zero-day vulnerabilities in:
- FortiGate firewalls (CVE-2022-41328)
- VMware ESXi (CVE-2023-20867)
- VMware vCenter Server (CVE-2023-34048)
This targeting of routers, firewalls, and virtualized environments represents a deliberate strategy to operate in areas where endpoint detection tools typically cannot reach.
Comparison to Salt Typhoon Attacks
Singapore’s Minister for Digital Development and Information, Josephine Teo, noted that “the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere,” referencing the devastating Salt Typhoon campaign that compromised hundreds of telecommunications companies globally, including major U.S. broadband providers.
While UNC3886 and Salt Typhoon are tracked as distinct threat actors, both demonstrate China’s strategic focus on telecommunications infrastructure for espionage purposes and potential prepositioning for future disruptive operations.
Defensive Recommendations
Organizations in the telecommunications sector should prioritize:
- Aggressive patching of network edge devices (firewalls, VPN appliances, routers)
- Enhanced monitoring of virtualization infrastructure (ESXi, vCenter)
- Rootkit detection capabilities on critical systems
- Network segmentation to limit lateral movement
- Out-of-band monitoring for devices that cannot run traditional EDR agents
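The last two recommendations (rootkit detection on systems that cannot host an EDR agent, and out-of-band monitoring of edge and virtualization devices) both reduce to the same control: collect the device's running configuration through a channel the device itself does not control, and diff it against a known-good baseline. The script below is an added illustration of that baseline-drift check; it is not code from the article, the CSA, or Mandiant. The snapshots, device names, config lines and the "high-risk" keyword list are all constructed for the example, and the out-of-band collection step (console server, management network, hypervisor API) is assumed to have already produced the text.

```python
"""Config-drift detector for network edge and virtualization hosts.

Compares out-of-band configuration snapshots against a stored baseline,
reports any device whose config changed, and flags changes that touch
privileged accounts or remote-access settings. All data below is constructed.
"""
import difflib
import hashlib
from typing import Dict, List

# Constructed baseline: what the devices looked like when last reviewed.
BASELINE: Dict[str, str] = {
    "edge-fw-01": (
        "hostname edge-fw-01\n"
        "admin user netops role superadmin\n"
        "policy 10 from wan to dmz allow tcp/443\n"
        "policy 20 from any to any deny\n"
    ),
    "esxi-01": (
        "hostname esxi-01\n"
        "ssh enabled=false\n"
        "execInstalledOnly=true\n"
    ),
}

# Constructed current snapshots, collected out-of-band. A new superadmin
# account and loosened ESXi settings are planted here to exercise the check.
CURRENT: Dict[str, str] = {
    "edge-fw-01": (
        "hostname edge-fw-01\n"
        "admin user netops role superadmin\n"
        "admin user svc_backup role superadmin\n"
        "policy 10 from wan to dmz allow tcp/443\n"
        "policy 20 from any to any deny\n"
    ),
    "esxi-01": (
        "hostname esxi-01\n"
        "ssh enabled=true\n"
        "execInstalledOnly=false\n"
    ),
    # Device present on the network but absent from the baseline (assumed).
    "core-rtr-07": "hostname core-rtr-07\n",
}

# Assumed keyword list: substrings whose change warrants immediate review.
HIGH_RISK_MARKERS = ("admin user", "ssh enabled", "execInstalledOnly")


def fingerprint(config: str) -> str:
    """SHA-256 of the snapshot text; cheap first-pass change detection."""
    return hashlib.sha256(config.encode("utf-8")).hexdigest()


def changed_lines(old: str, new: str) -> List[str]:
    """Return only the added/removed lines of a zero-context unified diff."""
    diff = difflib.unified_diff(
        old.splitlines(), new.splitlines(),
        fromfile="baseline", tofile="current", lineterm="", n=0,
    )
    return [
        line for line in diff
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))
    ]


def priority(diff: List[str]) -> str:
    """'high' if any changed line touches an assumed high-risk setting."""
    hit = any(marker in line for line in diff for marker in HIGH_RISK_MARKERS)
    return "high" if hit else "low"


def config_drift(baseline: Dict[str, str], current: Dict[str, str]) -> List[dict]:
    """Compare every known device; unbaselined or vanished devices are findings too."""
    findings = []
    for device in sorted(set(baseline) | set(current)):
        if device not in baseline:
            findings.append({"device": device, "status": "unbaselined",
                             "diff": [], "priority": "review"})
        elif device not in current:
            findings.append({"device": device, "status": "missing",
                             "diff": [], "priority": "review"})
        elif fingerprint(baseline[device]) != fingerprint(current[device]):
            diff = changed_lines(baseline[device], current[device])
            findings.append({"device": device, "status": "drift",
                             "diff": diff, "priority": priority(diff)})
    return findings


if __name__ == "__main__":
    for f in config_drift(BASELINE, CURRENT):
        print(f"{f['device']}: {f['status']} ({f['priority']})")
        for line in f["diff"]:
            print("    " + line)
```

The hash comparison is only a shortcut; the diff is what an analyst acts on. Unchanged devices produce no output, which keeps the report short enough to review after every collection cycle, and a device that appears without a baseline is itself a finding rather than silently accepted.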
Sources: TechCrunch, BleepingComputer
