ACCORDING to The Cyber Security Agency (CSA) of Singapore, the China-nexus cyber espionage group UNC3886 targeted Singapore’s telecommunications sector in a deliberate, targeted campaign. The agency said all four of Singapore’s major telecom operators—M1, SIMBA Telecom, Singtel, and StarHub—were attacked, with UNC3886 described as deploying “deep capabilities” to gain access into telco systems.
UNC3886 is assessed to have been active since at least 2022, and has targeted edge devices and virtualization technologies to obtain initial access, including the use of rootkits to establish persistent access in some cases. In July 2025, Sygnia disclosed details of a long-term campaign attributed to Fire Ant that shares tooling and targeting overlaps with UNC3886, infiltrating VMware ESXi and vCenter environments as well as network appliances.
The CSA noted the operation CYBER GUARDIAN helped counter the threat and that there is no evidence of exfiltration of personal data or disruption of internet services, while remediation measures and expanded monitoring were implemented across the telcos. This follows accusations by Coordinating Minister for National Security K. Shanmugam that UNC3886 had previously targeted high-value strategic targets.