Singapore says China-linked hackers targeted telecom providers in major spying campaign

Singapore authorities said Monday that a sophisticated China-linked cyber espionage group carried out a targeted campaign against all four of the country’s major telecommunications operators.

In a statement, the Cyber Security Agency of Singapore (CSA) said the threat actor known as UNC3886 was behind what it described as a “deliberate, targeted, and well-planned” operation against M1, SIMBA Telecom, Singtel and StarHub. The group used advanced tools to infiltrate telecom networks and maintain long-term covert access, the agency said.

Singapore first disclosed the attacks on critical infrastructure in July but did not provide details at the time, saying it would assess whether further disclosure was in the national interest.

Following the initial findings, Singapore launched an operation called Cyber Guardian, which officials described as the country’s largest cyber incident response effort to date. The operation lasted more than 11 months and involved more than 100 cyber defenders from multiple government agencies.

Officials said the attackers gained unauthorized access to parts of telecom networks and, in one case, reached limited portions of critical systems. They said there were no service disruptions and no evidence customer data was accessed.

“There is no evidence to date that sensitive or personal data, such as customer records, was accessed or exfiltrated,” CSA said, adding there was also no indication telecommunications services were disrupted.

Authorities did not provide a detailed technical account of the attacks but said that in at least one case, the group exploited a previously unknown software vulnerability to gain access to internal systems. In another incident, the hackers used “advanced tools” to maintain persistent access and evade detection.

Singapore warned that telecommunications infrastructure remains a high-value target for advanced threat actors, including state-backed groups, because of its importance to national security and economic stability.

“We must be prepared for future attempts to gain access to our telco infrastructure,” CSA said.

The Chinese embassy in Singapore did not publicly respond to the latest disclosure. Beijing has repeatedly denied conducting cyber espionage operations abroad.

Security researchers have described China-linked UNC3886 as a “highly disciplined and stealthy” state-linked threat actor. Google has warned that the group targets strategic organizations globally and has linked it to campaigns deploying custom backdoors on network infrastructure, including Juniper routers.

The group has also been associated with compromises involving Fortinet and VMware systems targeting defense, government, technology, and telecommunications organizations.

Singapore has previously faced intrusions that investigators, cited by Bloomberg, said were tied to Chinese advanced persistent threat groups. In 2024, Bloomberg said the China-linked Volt Typhoon group was believed to have breached Singtel, the country’s largest mobile carrier.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.