Sophisticated APT Campaign Revealed

The Cyber Security Agency (CSA) of Singapore has revealed that the China-nexus cyber espionage group known as UNC3886 targeted its telecommunications sector in a deliberate, targeted, and well-planned campaign.

All four of Singapore's major telecommunications operators have been the target of attacks:

- M1
- SIMBA Telecom
- Singtel
- StarHub

Advanced Threat Actor Profile

The disclosure comes more than six months after Singapore's Coordinating Minister for National Security, K. Shanmugam, accused UNC3886 of striking high-value strategic threat targets. UNC3886 is assessed to have been active since at least 2022, targeting edge devices and virtualization technologies to obtain initial access.

CSA described UNC3886 as an advanced persistent threat (APT) with "deep capabilities."

Attack Methods and Tools

The threat actors deployed sophisticated tools to gain access to telco systems:

Zero-Day Exploitation: In one instance, attackers weaponized a zero-day exploit to bypass a perimeter firewall and siphon a small amount of technical data to further their operational objectives.

Rootkit Deployment: UNC3886 deployed rootkits to establish persistent access and conceal its tracks so that it could fly under the radar.

Critical Systems Access: Threat actors gained unauthorized access to some parts of telco networks and systems, including those deemed critical.

Impact Assessment

While the incident was serious, CSA assessed that it was not severe enough to disrupt services. There is no evidence that the threat actor:

- Exfiltrated personal data such as customer records
- Cut off internet availability

Response Operation

CSA mounted a cyber operation dubbed CYBER GUARDIAN to counter the threat and limit the attackers' movement into telecom networks.

Cyber defenders have since:

- Implemented remediation measures
- Closed off UNC3886's access points
- Expanded monitoring capabilities in the targeted telcos

Connection to Fire Ant

In July 2025, Sygnia disclosed details of a long-term cyber espionage campaign attributed to a threat cluster it tracks as Fire Ant, which shares tooling and targeting overlaps with UNC3886. The adversary infiltrates organizations' VMware ESXi and vCenter environments as well as network appliances.


Source: The Hacker News: China-Linked UNC3886 Targets Singapore Telecom Sector in Cyber Espionage Campaign