Singapore’s Cyber Security Agency (CSA) has confirmed that the country’s four telecom operators – Singtel, StarHub, M1 and Simba Telecom – were targeted in a cyber espionage campaign attributed to the UNC3886 threat group, highlighting the persistent risks facing national telecom infrastructure.
Attack scope and impact
The CSA said the attackers were able to penetrate parts of telecom systems and exfiltrate a limited volume of technical information. Authorities stressed that the intrusion did not disrupt telecom services and did not expose customer personal data.
The stolen information was described as primarily network-related technical data, likely taken to support the group’s operational objectives and to give it a deeper understanding of telecom infrastructure.
This disclosure marks the first time Singapore has publicly identified the telecom sector as a target of UNC3886. In July, the government had revealed it was responding to attacks from the same group against high-value strategic assets without naming affected sectors.
Attribution to UNC3886
Google-owned Mandiant has previously identified UNC3886 as a China-nexus cyber espionage group known for targeting defence, technology and telecommunications organisations in the United States and Asia.
Beijing has consistently denied allegations of cyber espionage and says that it opposes cyberattacks. The Chinese Embassy in Singapore has not commented on the latest disclosure.
Telecom sector response
In a joint statement, Singtel, StarHub, M1 and Simba Telecom said telecom operators face a wide range of threats including DDoS, malware, phishing and advanced persistent threats.
The operators said they use defence-in-depth security architectures and conduct remediation when issues are detected. They also emphasised ongoing collaboration with government agencies and industry experts to strengthen network resilience.
Strategic implications for telecom infrastructure
The incident reinforces the telecom sector’s position as a high-value intelligence target. Access to network-related technical data can help threat actors map infrastructure, identify vulnerabilities and develop long-term espionage capabilities.
