Singapore Takes Down Chinese Hackers Targeting Telco Networks

The Singapore government disrupted cyber-attacks attributed to the China-nexus cyber threat group UNC3886, which targeted the country’s four telecommunications operators.

The law enforcement operation, dubbed Operation Cyber Guardian, ran from the summer of 2025 to early 2026 but remained secret until now.

The Cyber Security Agency of Singapore (CSA) revealed what happened in a report published on February 9, 2026.

Singapore’s Largest Anti-Cyber Threat Initiative

On July 18, 2025, K Shanmugam, Singapore’s Coordinating Minister for National Security, warned that UNC3886, an advanced persistent threat (APT) group associated with the Chinese regime, had been conducting cyber-attacks against the country’s critical infrastructure.

Details of the attacks remained secret at the time to preserve Singapore’s national security.

In its latest report, CSA shared that the four telcos detected intrusions and notified CSA and the Infocomm Media Development Authority (IMDA) of the breach. The two government agencies then quickly brought together a taskforce of over 100 cyber defenders across six agencies to help the telcos mitigate the threat.

Aside from the CSA and IMDA, entities involved in Operation Cyber Guardian included the Centre for Strategic Infocomm Technologies (CSIT), the Digital and Intelligence Service (DIS), the Government Technology Agency of Singapore (GovTech) and the Internal Security Department (ISD).

CSA explained that Operation Cyber Guardian spanned 11 months and was the largest and longest-running anti-cyber threat effort in the country’s history.

Inside UNC3886’s Cyber-Attack Against Singaporean Telcos

The investigations indicated that UNC3886 had launched a deliberate, targeted and well-planned campaign against Singapore’s telecommunications companies, which included M1, SIMBA Telecom, Singtel and StarHub.

In one instance, the hacking group used a zero-day exploit to bypass a perimeter firewall installed at the target companies and gained access into one of the victims’ networks. They also managed to exfiltrate a small amount of technical data, likely network-related data to advance the threat actors’ operational objectives.

In another instance, UNC3886 used advanced tools like rootkits to maintain persistent access, cover its tracks and evade detection.

“This made it challenging for cyber defenders to detect the actor’s presence, requiring the cyber defenders to conduct comprehensive security checks across the networks,” CSA wrote.

The law enforcement effort was successful, since the UNC3886 attack “has not resulted in the same extent of damage as cyber-attacks elsewhere,” CSA wrote.

The threat actor was able to gain unauthorised access to some parts of telco networks and systems, but CSA stated that it found no evidence that the threat actor managed to disrupt telecommunications services or that sensitive or personal data were accessed or exfiltrated.

The operation’s cyber defenders have since implemented remediation measures, closed off UNC3886’s access points and expanded monitoring capabilities in the targeted telcos.

However, CSA said the telcos must “maintain vigilance against new attempts by UNC3886 to re-enter their networks.”

Josephine Teo, Singapore’s Minister-in-charge of Cybersecurity, highlighted the important role played by critical infrastructure operators. “Your actions, or inaction, can determine whether we succeed or fail in protecting our critical infrastructure, and our national security. I urge all of you to continue investing in upgrading your systems as well as your capabilities,” she said.
