
Singapore launches largest coordinated cyber defense operation after targeted attack on all major telcos

Singapore has launched its largest coordinated cyber defense operation after a sophisticated cyberattack targeted all four of the country’s major telecommunications operators, Minister for Digital Development and Information and Minister-in-charge of the Cybersecurity and Smart Nation Group Josephine Teo said on Feb. 9.


The attack, attributed to the advanced threat actor known as UNC3886, targeted M1, Singtel, StarHub and Simba, marking an unprecedented, sector-wide intrusion into Singapore’s telecommunications infrastructure. Teo disclosed the details while speaking at an engagement session for cyber defenders involved in Operation Cyber Guardian.


Once the breach was detected, the affected operators immediately alerted the Infocomm Media Development Authority and the Cyber Security Agency of Singapore. A multi-agency response was swiftly activated under Operation Cyber Guardian, a coordinated national effort to contain and neutralize the threat.


The operation involves more than 100 cyber defenders drawn from six government agencies, including the Cyber Security Agency of Singapore, the Infocomm Media Development Authority, the Singapore Armed Forces Digital and Intelligence Service, the Centre for Strategic Infocomm Technologies, the Internal Security Department and GovTech. These teams are working in close coordination with the four telecommunications providers.


Teo said the response has, for now, successfully limited the attackers’ activities. In one instance, the attackers managed to access a small number of critical systems, but were unable to disrupt services or move deeper into the networks. She added that there is no evidence at this stage that sensitive customer data was accessed or stolen.


Despite the containment, Teo cautioned against complacency, warning that Singapore continues to face highly capable and persistent cyber threat actors. She noted that other critical infrastructure sectors, including power, water and transport, could also be targeted, and stressed the need for continued vigilance by private-sector operators.


The government will continue working closely with critical infrastructure owners through cybersecurity exercises and the sharing of classified threat intelligence to strengthen early detection and response capabilities. Teo emphasized that even with strong preventive measures, disruptions remain a real possibility and preparedness is essential.


The attack was first publicly revealed in July 2025 by the Minister for Home Affairs and Coordinating Minister for National Security. Teo described the UNC3886 intrusion as potentially more serious than previous cyber incidents faced by Singapore, as it targeted systems that directly support essential public services. She said the consequences could have been severe if the attackers had progressed further, including the possibility of telecoms or internet services being cut off.


Subsequent investigations determined the campaign was deliberate, targeted and carefully planned, focusing specifically on the telecommunications sector. The attackers exploited a zero-day vulnerability, a previously unknown security flaw for which no patch was available at the time. After gaining access, the group stole a limited amount of technical data and employed advanced techniques to evade detection and obscure their activities.


Teo said the group demonstrated capabilities that went beyond espionage, including the potential to deploy tools that could disrupt telecommunications and internet services. Such disruptions could have had cascading effects on banking, transport and medical services.


In a joint statement, the four telecommunications operators said they face a broad range of cyber threats, from distributed denial-of-service attacks and phishing to increasingly sophisticated and persistent intrusions. They said they have implemented layered security defenses, conduct prompt remediation when vulnerabilities are identified, and work closely with government agencies and industry experts to enhance resilience. The operators reaffirmed that protecting critical infrastructure remains a top priority.


UNC3886 is a China-linked cyber espionage actor classified as an advanced persistent threat. The group is known for targeting strategically significant organizations worldwide, particularly in the defense, technology and telecommunications sectors across the United States and Asia. Cybersecurity researchers have observed the group focusing on network devices and virtualization technologies, frequently exploiting zero-day vulnerabilities. Its operations emphasize stealth, using passive backdoors and tampering with logs and forensic artifacts to maintain long-term access while minimizing detection.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543