China‑Backed UNC3886 Intensifies Cyber‑Espionage Efforts Targeting Singapore’s Telecom Industry

The Cyber Security Agency (CSA) of Singapore announced on Monday that the China‑linked cyber‑espionage group UNC3886 has carried out targeted operations against the nation’s telecommunications industry.

According to the CSA, “UNC3886 conducted a deliberate, highly targeted, and well‑coordinated campaign against Singapore’s telecommunications sector.” All four major telecom operators (M1, SIMBA Telecom, Singtel, and StarHub) were affected by these attacks. This disclosure follows comments made more than six months earlier by Singapore’s Coordinating Minister for National Security, K. Shanmugam, who stated that UNC3886 had targeted high‑value national assets. The group has been active since at least 2022, with a focus on compromising edge devices and virtualization platforms to gain initial access.

In July 2025, cybersecurity firm Sygnia detailed a prolonged espionage operation attributed to a threat cluster it calls Fire Ant, which shares tools and targeting similarities with UNC3886. The campaign involved infiltrating organizations’ VMware ESXi and vCenter environments as well as network appliances.

The CSA characterized UNC3886 as a highly capable advanced persistent threat (APT) group that used sophisticated tools to breach telecom systems. In one incident, the attackers allegedly exploited a zero‑day vulnerability to bypass a perimeter firewall and extract a small amount of technical data to support their ongoing operations. No specifics about the vulnerability were released. In another case, UNC3886 reportedly deployed rootkits to maintain long‑term access and obscure their presence. Additional malicious activities included unauthorized entry into portions of telecom networks and systems, including some considered critical. However, officials emphasized that these events were not severe enough to disrupt telecommunications services.

To counter the intrusion attempts, CSA launched CYBER GUARDIAN, a dedicated cyber‑operations effort aimed at restricting the adversary’s movement within telecom networks. The agency also noted that there is no evidence that UNC3886 accessed personal information such as customer data or caused internet outages. “Cyber defenders have since put remediation steps in place, shut down UNC3886’s entry points, and enhanced monitoring capabilities across the affected telecom operators,” the CSA stated.
