
Singapore mounts largest ever cyber operation to oust APT actor

Operation Cyber Guardian mobilised over 100 defenders to neutralise UNC3886, which infiltrated the Singtel, StarHub, M1 and Simba networks; operators issue joint pledge on defence-in-depth.

Singapore’s cyber security authorities have revealed details of an eleven-month, multi-agency campaign to purge an advanced persistent threat (APT) actor from the networks of the country’s four major telecoms operators.

Codenamed Operation Cyber Guardian, the effort is Singapore’s largest coordinated cyber incident response to date. It was launched to counter UNC3886, a threat group that had successfully breached the perimeter defences of M1, Simba Telecom, Singtel and StarHub.

The Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA) disclosed on 9 February 2026 that the threat actor had used a zero-day exploit to bypass perimeter firewalls and deployed rootkits to maintain persistent, undetected access.

While the attackers managed to exfiltrate a small amount of technical data, believed to be network-related information intended to further their operational reach, authorities confirmed there is no evidence that customer records or sensitive personal data were accessed.

Anatomy of the breach

The presence of UNC3886, a designation used by threat intelligence firms such as Mandiant to describe a suspected cyber espionage group with a China nexus, was first flagged by Singapore’s coordinating minister for national security, K Shanmugam, in July 2025. At the time, details were withheld to preserve operational security while the remediation was ongoing.

According to the CSA, the group launched a deliberate, targeted, and well-planned campaign against the telecoms sector. “In one instance, they were able to gain limited access to critical systems but did not get far enough to have been able to disrupt services,” the CSA and IMDA said in a statement.

The operation to evict the intruders involved over 100 cyber defenders from the CSA, IMDA, the Centre for Strategic Infocomm Technologies (CSIT), the Digital and Intelligence Service (DIS) of the Singapore Armed Forces, Government Technology Agency of Singapore (GovTech), and the Internal Security Department (ISD).

Defenders have since closed off the access points used by UNC3886 and implemented expanded monitoring capabilities within the telcos to detect attempts at re-entry.

Following the disclosure, the four affected operators released a joint statement saying that they have adopted defence-in-depth mechanisms to protect their networks and will conduct prompt remediation when vulnerabilities are detected.

“Protecting our critical infrastructure is a top priority. We will continue to keep pace with the evolving cyber threat landscape and update our measures accordingly,” they added.

Speaking at an engagement event for the personnel involved in the operation, Singapore’s minister for digital development and information, Josephine Teo, warned that while the immediate threat had been contained, the sector remains a target for state-sponsored actors.

“So far, the attack by UNC3886 has not resulted in the same extent of damage as cyber attacks elsewhere,” Teo said.

However, she stressed that the outcome relied on the continued vigilance of critical infrastructure operators, which play an especially important role.

“Your actions, or inaction, can determine whether we succeed or fail in protecting our critical infrastructure, and our national security. I urge all of you to continue investing in upgrading your systems as well as your capabilities,” she said.

The CSA indicated that it would be rolling out further initiatives to raise capabilities across the cyber ecosystem, noting that a successful attack on the telco sector could “undermine our national security and our economy.”
