UNC3886 Cyberattack in Singapore Triggers Largest Ever National Cybersecurity Response
Singapore’s major telcos narrowly avoided data theft after the nation’s largest-ever coordinated cyber defence operation successfully contained a sophisticated attack.
Four of Singapore’s primary telco operators, M1, StarHub, Singtel and Simba, were targeted in a cyberattack carried out by UNC3886, described as a “China-nexus espionage group”, according to CNA.
On 9 February 2026, the Minister for Digital Development and Information, Josephine Teo, confirmed that while the attackers breached a few critical systems in one instance, the attack was contained before it could disrupt services.
There is currently no evidence of sensitive customer data being stolen.
The discovery of the breach triggered Operation Cyber Guardian, the largest coordinated cybersecurity operation in Singapore’s history.
The response involved 100+ specialists from six government agencies, including the Centre for Strategic Infocomm Technologies (CSIT), the Singapore Armed Forces Digital and Intelligence Service, the Internal Security Department and GovTech.
Josephine Teo
“We have been working on this and practising our plans for several years, but this is the first time that we have implemented the plan in an actual operation.”
The response began after the telcos reported suspicious activities from their networks to the Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA).
The coordinated response managed to subdue the attackers’ activities, Minister Teo shared during an event thanking the defenders.
What is UNC3886?
UNC3886 is described as a China-linked cyber-espionage group, first identified in 2022 by Mandiant, a cybersecurity firm.
According to the Straits Times, UNC is short for “uncategorised” or “unclassified”. The threat was first disclosed in July 2025, when the Coordinating Minister for National Security K Shanmugam shared that Singapore was dealing with a threat actor that was attacking its critical infrastructure.
UNC3886 poses a critical danger to Singapore because it functions as an advanced persistent threat actor. It has deployed various techniques.
In one event, UNC3886 used a zero-day exploit, which takes advantage of a previously unknown software vulnerability that has no available security patch.
In another occurrence, it deployed rootkits, stealthy software that hides its own presence and also conceals other malware such as key-loggers and viruses. A rootkit also enables admin-level access while disabling security features such as anti-virus software.
It has also employed technical data exfiltration. Using this method, the group “managed to exfiltrate network-related tech data to help map out its operational objectives”.
Minister Teo divulged that the implications of the attack extended beyond telcos. She warned that the country must be prepared in the event that other essential services like banking, transport and water systems are targeted.
Telcos Work With Government on Defence
In a joint statement, all four telcos emphasised their “defence-in-depth” strategy, noting that they are collaborating closely with the government to safeguard their networks and enable prompt remediation where vulnerabilities are identified.
Despite the successful containment of the UNC3886 cyberattack in Singapore, authorities cautioned that the threat landscape is evolving rapidly, with Advanced Persistent Threat (APT) activity in Singapore rising fourfold between 2021 and 2024.
Feature image edited by Fintech News Singapore based on image by mohammadhridoy_11 on Freepik