INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Chinese cyber spies breach Singapore's telco networks
2026-02-10 13:43 | CRITICAL | LOW
Executive Summary (AI-generated)
Singapore's Cyber Security Agency has launched a massive operation to flush out Chinese-backed snoops from its telecom networks, marking the country's largest coordinated cyber incident response effort to date. The 11-month digital eviction effort involved over 100 personnel from across government, military, intelligence, and industry. Singapore officials have indicated that advanced persistent threat UNC3886 dug itself into the networks of all four major telecom providers, sparking a high-stakes battle for control of sensitive data and communications traffic.
Technical Mitigations (AI-generated)
* Implement a robust network segmentation strategy to isolate critical infrastructure and limit the attack surface.
* Conduct regular vulnerability assessments and penetration testing on telecom networks to identify potential entry points for advanced persistent threats like UNC3886.
* Utilize intrusion detection systems (IDS) and incident response tools to detect and respond to suspicious activity in real-time, including zero-day exploits.
* Consider implementing a cloud security gateway or virtual private network (VPN) to protect against lateral movement within the telco's network.
* Regularly update and patch software applications running on telecom networks to prevent exploitation of known vulnerabilities by UNC3886.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Operation Cyber Guardian
UNC3886
Salt Typhoon
CVE-2023-20867
CVE-2023-34048
CVE-2022-41328
Target & Sectors
NORTH_AMERICA
technology
defense
media
legal
government
telecommunications
healthcare
Incident Timeline
late 2024
China-linked hackers breached multiple US broadband providers' networks.
threat_actor: Salt Typhoon
target_region: China
industry: Legal
In late 2024, it was disclosed that China-aligned state hackers known as Salt Typhoon had breached multiple U.S. broadband providers, accessing information from these firms’ legal network wiretapping systems.
2025-02-09
UNC3886 targeted Singtel, StarHub and M1 in Singapore.
source_region: China
target_region: Singapore
threat_actor: UNC3886
organisation: Singtel
organisation: StarHub
The Chinese threat actor tracked as UNC3886 breached Singapore’s four largest telecommunication service providers, Singtel, StarHub, M1, and Simba, at least once last year.
mid 2025
Singapore's telco networks were breached for 11 months through a Cisco IOS XE flaw exploited by China-linked snoops.
industry: Government
industry: Telecommunications
infrastructure: Ios
target_region: Canada
In mid 2025, the Canadian government also disclosed an intrusion by the same threat group, exploiting a Cisco IOS XE flaw to breach telecommunications firms.
July 2025
Singapore deployed 'Operation Cyber Guardian' to limit the adversary's activity on its telco networks in July 2025.
target_region: Singapore
campaign: Operation Cyber Guardian
In response to the intrusions, which were disclosed in July 2025, Singapore deployed ‘Operation Cyber Guardian’ to limit the adversary's activity on the telco's networks, but very few details were shared at the time.
2026-02-09
UNC3886 targeted Singapore's telco networks.
threat_actor: UNC3886
organisation: Digital Development and Information
“So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere,” stated the country’s Minister for Digital Development and Information, Josephine Teo, earlier today at an official engagement event.
2026-02-10
Chinese cyberspies breached Singapore's four largest telcos.
organisation: Operation Cyber Guardian
threat_actor: Salt Typhoon
threat_actor: UNC3886
organisation: CSA
organisation: Cyber Security Agency
infrastructure: Fortigate
organisation: FortiGate
organisation: VMware
Singapore described Operation Cyber Guardian as its "largest coordinated cyber incident response effort undertaken to date."
The operation bears a strong resemblance to the China-backed Salt Typhoon espionage campaign uncovered in 2024, which also went after telecom providers across several countries using similar infrastructure-level tricks to quietly watch data and communications traffic.
Officials stopped short of formally pointing the finger at Beijing, but UNC3886 has long been associated with Chinese state-aligned cyber espionage.
The Cyber Security Agency of Singapore said advanced persistent threat UNC3886 dug itself into the networks of all four major telecom providers, sparking an 11-month digital eviction effort involving more than 100 personnel from across government, military, intelligence, and industry.
"Over the past months, our investigations have indicated that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore's telecommunications sector," the CSA said.
"Over the past months, our investigations have indicated that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore’s telecommunications sector," Singapore's Cyber Security Agency (CSA) states.
UNC3886 has been tracked by Mandiant researchers since 2023, targeting government, telecommunication, and technology firms by exploiting zero-day flaws in FortiGate firewalls (CVE-2022-41328), VMware ESXi (CVE-2023-20867), and VMware vCenter Server endpoints (CVE-2023-34048).
Officials didn't say what bugs had been exploited, but UNC3886 was previously observed exploiting zero-day flaws in FortiGate firewalls, VMware ESXi, and VMware vCenter Server endpoints.
The agency discovered in another intrusion that UNC3886 relied on rootkits to remain stealthy while maintaining persistence for an undisclosed period.
Tactical Metrics
Metrics
infrastructure
Fortigate
Affected Product
Metrics
infrastructure
Ios
Affected Product
Intelligence Sources
The Register - Cybercrime, 2026-02-10: Singapore spent 11 months booting China-linked snoops out of telco networks
BleepingComputer, 2026-02-09: Chinese cyberspies breach Singapore's four largest telcos
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T06:53
Comprehensive Tactical Telemetry
Highly Correlated Entities
Count | Category | Label | Value | Type
10x | organisation | Identified Entity | CSA | entity
9x | timeline | Temporal Reference | 11 months | date
7x | industry | Targeted Sector | Defense | sector
7x | attribution | Attributing Entity | The Cyber Security Agency | authority
3x | target region | Target Country | Singapore | country
3x | vulnerability | Exploited CVE | CVE-2022-41328 | cve
2x | source region | Origin Country | Singapore | country
2x | threat actor | APT Group | UNC3886 | actor
2x | infrastructure | Affected Product | Fortigate | software
Contextual Telemetry
Context Block (4 metrics)
Category | Label | Value | Type
tactic | Cyber Operation Type | Espionage | tactic
general metric | Personnel | 100 | personnel
campaign | Campaign | Operation Cyber Guardian | operation
tactic | MITRE ATT&CK Technique | T1584.004 - Server | technique