The attackers gained access to a few critical systems of Singtel, M1, StarHub and Simba, but no sensitive customer data was lost.
Minister for Digital Development and Information Josephine Teo giving an update on Operation Cyber Guardian on Feb 9, 2026. (Photo: CNA/Syamil Sapari)
In one instance, the attackers were able to gain access to a few critical systems, but did not get far enough to have been able to disrupt services, said Minister for Digital Development and Information Josephine Teo on Monday (Feb 9).
There is also no evidence so far to suggest that the attackers were able to access or steal sensitive customer data from the telcos Singtel, M1, StarHub and Simba.
Coordinating Minister for National Security K Shanmugam had first made public the attack in July last year, saying only that a "highly sophisticated threat actor" was attacking critical infrastructure.
UNC3886 is described by Mandiant – a cybersecurity firm owned by Google – as a “suspected China-nexus espionage actor” that has targeted prominent strategic organisations globally.
Singapore’s response to the attack, known as Operation Cyber Guardian, began after the telcos reported suspicious activities within their networks to the Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA).
The operation involved more than 100 people across six government agencies, including the Centre for Strategic Infocomm Technologies (CSIT), the Singapore Armed Forces’ Digital and Intelligence Service, Internal Security Department and GovTech.
The whole-of-government response is the largest coordinated cyber response in Singapore to date, and it has managed to limit the attackers’ activities, said Mrs Teo at an event on Monday to thank cyber defenders.
The UNC3886 group is an advanced persistent threat (APT) actor.
In one instance, the group used a zero-day exploit to bypass a perimeter firewall of the telcos and gained access to the networks.
A zero-day exploit is a cyber threat that takes advantage of a previously unknown security vulnerability in software for which there is no available security patch.
“They also managed to exfiltrate a small amount of technical data; this is believed to be primarily network-related data to advance the threat actors’ operational objectives,” said CSA and IMDA on Monday.
In another instance, they used advanced tools and techniques such as rootkits to maintain persistent access and cover their tracks, evading detection.
A rootkit is software that hides its own presence and conceals other malware, such as keyloggers and viruses. It allows for admin-level access and disables security features such as anti-virus software.
“This made it challenging for cyber defenders to detect their presence, requiring the cyber defenders to conduct comprehensive security checks across the networks,” said CSA and IMDA.
Under Operation Cyber Guardian, the authorities worked closely with the telcos to limit UNC3886’s movement into the networks and ensured the systems remained safe to use.
They also implemented remediation measures, closed off UNC3886’s access points and expanded monitoring capabilities to check for new attempts by the group to re-enter the networks.
Mrs Teo, who is also minister-in-charge of cybersecurity and Smart Nation Group, said the knock-on effects of UNC3886’s attack could also have included other essential services such as banking and finance, transport and medical services.
“So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere,” she added.
“This is not a reason to celebrate, rather it is to remind ourselves that the work of cyber defenders matters. We depend on their vigilance and hard work to keep Singaporeans safe.”
In a joint statement, the four telcos said they adopt “defence-in-depth mechanisms” to protect their networks and conduct prompt remediation when vulnerabilities are detected.
They also work closely with government agencies and industry experts to improve their security and resilience.
“Protecting our critical infrastructure is a top priority. We will continue to keep pace with the evolving cyber threat landscape and update our measures accordingly,” said the four telcos.
While Singapore’s efforts have contributed to containing the attacks so far, it must be prepared for future attempts to gain access to its telco infrastructure, said CSA and IMDA.
“Telcos are strategic targets for threat actors, including state-sponsored ones. They play a foundational role in powering the digital economy and transmit vast amounts of information, including sensitive data,” said the agencies.
“If threat actors succeed in attacking our telcos, they have the potential to undermine our national security and our economy.”
Mrs Teo said that if such cyber threats are not properly dealt with, they may allow attackers to steal national secrets.
In the worst scenario, the disruption of essential services can cripple economies and weaken a nation’s ability to protect citizens.
“It is precisely because the impact can be so severe that APTs are often state-sponsored,” she added.
Mr Shanmugam said in August last year that it was not in Singapore’s best interest to name the country linked to UNC3886, adding that the group’s alleged links to China and possible retaliation for naming them were “speculative”.
The Chinese embassy in Singapore has previously expressed its “strong dissatisfaction” at the claims linking the country to UNC3886, calling them “groundless smears and accusations against China”.
Singapore has been a regular target of attacks by APTs, with the number rising over fourfold from 2021 to 2024.
The ramifications of APT activity in telcos have been seen before around the world.
Last year, South Korean telco SK Telecom had a data breach, compromising the SIM data of nearly 27 million users.
Multiple major United States telecommunications providers were also attacked in 2024 by a cyberespionage group.
Mrs Teo said Singapore must be prepared that its other critical infrastructure, such as power, water and transport systems, may be targeted.
She added that the country’s critical infrastructure operators, many of whom are private companies, play an important role in cybersecurity.
“But even as we try our best to prevent and detect cyberattacks, we may not always find ourselves in a position to stop all of them. We must therefore be prepared for the threat of disruption,” added the minister.
She added that the private and public sectors were able to work together on the operation to contain UNC3886’s attack because of Singapore’s national doctrine of cyber defence.
In 2020, government agencies put together a classified document that outlines Singapore’s approach to cyber defence.
It guides Singapore’s approach to capability deployment and outlines the roles of both the public and private sectors in cyber defence.
“We have been working on this and practising our plans for several years, but this is the first time we have implemented the plan in an actual operation,” said Mrs Teo.