
S'pore launches largest coordinated cyber defence ops after targeted cyberattack on 4 telcos: Josephine Teo

The four major telcos are M1, Singtel, StarHub and Simba.


February 09, 2026, 12:31 PM


The UNC3886 cyberattack in Singapore targeted all four major telecommunications operators, said Minister for Digital Development and Information of Singapore and Minister-in-charge of Cybersecurity & Smart Nation Group Josephine Teo on Feb. 9.

The four major telcos are M1, Singtel, StarHub and Simba.

Teo was speaking at an engagement event for cyber defenders involved in Operation Cyber Guardian.

Operation Cyber Guardian

Once the breach was detected, the telcos immediately alerted the Infocomm Media Development Authority (IMDA) and Cyber Security Agency of Singapore (CSA).

CSA, IMDA, and other government agencies swiftly launched a coordinated response, codenamed Operation Cyber Guardian, in partnership with the telcos, to contain the breach.

The operation is Singapore's largest coordinated cyber response to date, involving over 100 cyber defenders across six government agencies (CSA, IMDA, the SAF's Digital and Intelligence Service, Centre for Strategic Infocomm Technologies, Internal Security Department, and GovTech) working closely with the telcos.

Teo said the response has, for now, managed to limit the cyber attackers' activities.

While the cyber attackers managed to access a small number of critical systems in one instance, they were unable to disrupt services or move deeper into telco networks.

"There is also no evidence thus far to suggest that the attackers were able to access or steal sensitive customer data," Teo affirmed.

However, she cautioned against complacency, warning that Singapore continues to face highly sophisticated and persistent cyber threat actors.

She added that other critical infrastructure sectors, such as power, water and transport, could also be targeted, and stressed the importance of private-sector operators remaining vigilant.

The government, she said, will continue to work closely with critical infrastructure operators through initiatives such as cybersecurity exercises and the sharing of classified threat intelligence to help facilitate early threat detection and response.

"But even as we try our best to prevent and detect cyber-attacks, we may not always be able to stop them in time," Teo said. "All of us must also be prepared for the threat of disruption."

The UNC3886 attack

The attack was first revealed by Minister for Home Affairs and Coordinating Minister for National Security K Shanmugam in July 2025.

Describing the attack, Teo said UNC3886 posed a "potentially more serious threat" than previous cyberattacks faced by Singapore, adding that it had targeted critical systems that directly provide essential services to the public.

"The consequences could have been more severe," she said. "If the attack went far enough, it could have allowed the attacker to one day cut off telecoms or internet services."

Investigations later revealed that the attacks were a "deliberate, targeted, and well-planned campaign" aimed at the country's telco sector.

The attackers exploited a zero-day vulnerability, which refers to a previously unknown security flaw for which no patch is available at the time.

"This is like finding a new key that no one else had found, to unlock the doors to our telcos’ information system and networks," Teo said.

After gaining access, UNC3886 was reported to have stolen a small amount of technical data, while using advanced techniques to evade detection and cover its tracks.

Teo noted that besides being able to access sensitive information for espionage, the group also had the capability to deploy tools that could disrupt telecommunications and internet services.

Such disruptions could have had knock-on effects on other essential services, such as banking and finance, transport, and medical services.

Joint statement from all four telcos

In a joint statement, the four telcos said they face a range of cyber threats, including Distributed Denial-of-Service attacks, malware and phishing, as well as increasingly sophisticated and persistent attacks.

In order to protect themselves against such threats, they have adopted defence-in-depth mechanisms to secure their networks and carry out prompt remediation when vulnerabilities are identified.

In addition, the four are also working closely with government agencies and industry experts to improve their security and resilience.

"Protecting our critical infrastructure is a top priority. We will continue to keep pace with the evolving cyber threat landscape and update our measures accordingly."

What is UNC3886?

UNC3886 is a cyber espionage actor that targets strategically significant organisations around the world.

It is classified as an Advanced Persistent Threat (APT) that focuses on geopolitical and economic espionage.

The "UNC" label refers to the group being uncategorised or unclassified.

Cybersecurity researchers have observed that UNC3886 historically targets network devices and virtualisation technologies, often exploiting zero-day vulnerabilities, which are previously unknown security flaws for which no patches are available at the time of attack.

The group appears to focus mainly on defence, technology, and telecommunication organisations located in the U.S. and Asia.

UNC3886 also prioritises stealth in its operations, employing passive backdoors, along with log and forensics artefact tampering, to ensure long-term persistence while also minimising the risk of detection.

It also targets internal networking infrastructure, including Internet Service Provider (ISP) routers, network authentication services such as the Terminal Access Controller Access-Control System (TACACS+), and terminal servers with access to the routers, to gain privileged initial access.

This enables the group to gain elevated initial access and carry out restricted operations.

Once inside a system, UNC3886 uses advanced techniques to evade detection and maintain long-term access to compromised environments.

Top photo from Mothership, Facebook and StarHub
