Singapore’s Cyber Security Forces Rally to Shut Down Chinese Espionage Group With Operation CYBER GUARDIAN

February 12, 2026


Multiple government agencies have come together in a coordinated effort to expel a suspected China-backed espionage group. The campaign was prompted by cyber attacks on critical infrastructure by a group that reportedly gained “limited” access to some of the nation’s telcos before being rebuffed.

Multiple government agencies, including the Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA), have come together in a coordinated effort to expel a suspected China-backed espionage group targeting domestic companies in the telecommunications sector.

The campaign was prompted by cyber attacks on critical infrastructure by UNC3886, which reportedly was able to gain “limited” access to some of the nation’s telcos before being rebuffed. The operation successfully shored up defenses before the attackers were able to disrupt service or exfiltrate any sensitive data.

Chinese hacking team targeted all four of Singapore’s major telcos

The threat actor was first detected making attempts against critical infrastructure in July 2025, but the government operation and the details of the attempted intrusions were kept from the public eye for months in the interest of operational security. During this period the threat actor was launching attacks against all four of Singapore’s major telcos: M1, SIMBA Telecom, Singtel and StarHub.

Though the attackers did not end up doing any severe damage or stealing personal information, they deployed advanced methods and tools and did breach defenses in at least two instances. It was not made clear which telcos were involved in the successful intrusions, but one had its perimeter firewall breached by a zero-day exploit and had a small amount of technical network data exfiltrated. Another apparently experienced a persistent dwell time enabled by rootkits and other tools, though it is not clear whether any data was successfully stolen during that time.

Timely response halted advances toward critical systems

Detection and reports of these incidents prompted a whole-of-government response involving over 100 personnel from over half a dozen agencies in total. This was sufficient to stop the attackers before they reached critical systems at any of the telcos, save for one at which they gained “limited access” but reportedly not enough to disrupt services.

This is a substantial victory against a formidable threat. UNC3886 has been observed in action since at least 2021 and has previously focused on critical infrastructure and high-value organizations in Singapore as well as the Asia Pacific region more generally. The group is expert at hiding itself once inside target networks and covering its exfiltration tracks, and regularly switches tools and creates its own custom malware to confound identification.

Ensuring MFA is in use on VPN and privileged Linux/ESXi SSH accounts can help to contain the group once it is inside a network, but its initial access is difficult to anticipate given how often it seems to have zero-days at its disposal.
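The SSH recommendation above is concrete enough to check for. The following is an added example, not code from the article or from any of the agencies or telcos it names: it assumes an OpenSSH sshd_config on Linux (ESXi configures its SSH service differently and is not covered), shows a constructed single-factor configuration beside a constructed hardened one, and audits whether every AuthenticationMethods alternative chains at least two methods, which is what makes the key and the interactive second factor both mandatory.

```shell
#!/bin/sh
# Added example; not from the article or the organisations it discusses.
# Assumes OpenSSH sshd_config syntax on Linux. In OpenSSH, a directive such as
#   AuthenticationMethods publickey,keyboard-interactive
# requires BOTH methods (comma-joined) for a login, while space-separated
# entries are alternatives, any one of which suffices. Match blocks, which can
# override the directive for particular users or hosts, are not handled here.

# Constructed sample: single-factor configuration (a key OR a password is enough)
WEAK_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes'

# Constructed sample: hardened configuration (key AND an interactive second
# factor delivered via PAM, e.g. a one-time code, are both required)
HARDENED_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive'

# check_mfa CONFIG_TEXT
# Prints "mfa-enforced" and returns 0 when the last AuthenticationMethods
# directive exists and every alternative on it chains two or more methods;
# otherwise prints the reason and returns 1.
check_mfa() {
    methods=$(printf '%s\n' "$1" \
        | awk 'tolower($1)=="authenticationmethods" {$1=""; print substr($0,2)}' \
        | tail -n 1)
    if [ -z "$methods" ]; then
        echo "single-factor: no AuthenticationMethods directive"
        return 1
    fi
    for alt in $methods; do
        case "$alt" in
            *,*) ;;   # two or more methods chained: acceptable
            *) echo "single-factor: alternative '$alt' allows one method"
               return 1 ;;
        esac
    done
    echo "mfa-enforced"
    return 0
}

# Report on both constructed samples; "|| true" keeps the script going
# after the expected failure on the weak sample.
check_mfa "$WEAK_CONFIG" || true
check_mfa "$HARDENED_CONFIG"
```

Run it against a real file with `check_mfa "$(cat /etc/ssh/sshd_config)"`; the audit only says whether the policy requires two factors, not whether the PAM module behind keyboard-interactive is actually configured, so verify a login end to end as well.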

Attacks attributed to UNC3886 have been traced back as far as 2021, but the group was not identified until Mandiant profiled it in 2023. It has been involved in several campaigns in which it exploited zero-day vulnerabilities in FortiOS and VMware products, and it was also behind a 2024 campaign targeting Juniper MX routers that had reached end-of-life and were no longer receiving security updates. The incident calls to mind the separate case of the Salt Typhoon attacks against the major US telcos that began in 2024, but in this case earlier detection seems to have prevented things from going the same way.