Full Report
The Chinese threat actor tracked as UNC3886 breached Singapore's four largest telecommunication service providers, Singtel, StarHub, M1, and Simba, at least once last year. [...]
Analysis Summary
# Incident Report: UNC3886 Campaign Against Singaporean Telcos
## Executive Summary
The Chinese threat actor UNC3886 conducted a targeted and well-planned campaign against Singapore's four largest telecommunication providers (Singtel, StarHub, M1, and Simba) at least once in 2025. The actor used a zero-day exploit as the initial access vector and deployed rootkits for stealthy persistence. The attackers gained limited access to critical systems, but no services were disrupted and authorities confirmed that no sensitive customer data was stolen, an outcome they attributed to a rapid, multi-agency response.
## Incident Details
- **Discovery Date:** Indicators of suspicious activity were reported throughout the investigation period (public disclosure occurred in July 2025).
- **Incident Date:** At least once in 2025.
- **Affected Organization:** Singtel, StarHub, M1, and Simba.
- **Sector:** Telecommunications.
- **Geography:** Singapore.
## Timeline of Events
### Initial Access
- **Date/Time:** Sometime in 2025 (exact start unknown).
- **Vector:** Zero-day exploit.
- **Details:** Attackers used an unpatched vulnerability to bypass perimeter firewalls of at least one telecom entity.
### Lateral Movement
- **Details:** Few details were disclosed. The attackers aimed to move from the initial foothold toward critical systems, but deeper pivoting was reportedly blocked.
### Data Exfiltration/Impact
- **Details:** Technical data was stolen to further the adversary's objectives. Authorities confirmed no evidence suggested sensitive customer data was accessed or stolen, and service disruption did not occur.
### Detection & Response
- **Detection:** Suspicious activity was reported by the telcos to the Cyber Security Agency (CSA) and Infocomm Media Development Authority (IMDA).
- **Response:** Singapore launched 'Operation Cyber Guardian,' engaging over a hundred investigators from six government agencies. The response immediately contained the compromise and closed access points.
## Attack Methodology
- **Initial Access:** Zero-day exploit used to bypass perimeter firewalls.
- **Persistence:** Attackers utilized rootkits to maintain stealth and persistence for an unknown duration.
- **Privilege Escalation:** Not explicitly stated, but likely part of the process to reach critical systems.
- **Defense Evasion:** The use of rootkits suggests techniques focused on remaining stealthy on compromised hosts.
- **Credential Access:** Not explicitly stated.
- **Discovery:** Not explicitly stated, but necessary to identify technical data targets.
- **Lateral Movement:** Used to move from the point of initial breach toward critical systems.
- **Collection:** Technical data related to the telcos' operations was collected.
- **Exfiltration:** Technical data was exfiltrated.
- **Impact:** Limited access to critical systems achieved; no service disruption or customer data compromise.
## Impact Assessment
- **Financial:** Not disclosed; remediation costs likely incurred by government agencies and telcos.
- **Data Breach:** Technical data stolen; *No sensitive customer data accessed or stolen.*
- **Operational:** No reported service disruption to the public.
- **Reputational:** Potential reputational damage was mitigated by the swift multi-agency response and the authorities' statement that the compromise had been contained early.
## Indicators of Compromise
- **Network indicators:** Not disclosed by authorities in the summary.
- **File indicators:** Rootkit artifacts (specific file hashes were not published).
- **Behavioral indicators:** Techniques related to zero-day exploitation and rootkit deployment.
## Response Actions
- **Containment measures:** Immediate containment of the compromise; access points were closed.
- **Eradication steps:** Removal of the rootkits and any associated backdoors (implied by the containment statement; not explicitly reported).
- **Recovery actions:** Expanded monitoring deployed across other critical infrastructure (banking, transport, healthcare) to block potential lateral pivoting.
## Lessons Learned
- The targeted, well-planned nature of the campaign highlights the persistent threat posed by sophisticated state-sponsored actors to national telecom infrastructure.
- Immediate, coordinated multi-agency response (Operation Cyber Guardian) was effective in preventing deeper compromise and service disruption.
- The use of a zero-day exploit underscores that perimeter defenses (firewalls) are themselves an attack surface and can carry exploitable vulnerabilities.
## Recommendations
- Conduct immediate and thorough vulnerability assessments focusing on perimeter defense components (especially firewall appliances) for zero-day exploitation vectors.
- Enhance detection capabilities targeting rootkit activity and stealthy post-exploitation techniques within network environments.
- Maintain heightened defensive posture and cross-sector monitoring (especially between telco and adjacent critical infrastructure) following successful initial intrusions elsewhere.