UNC3886’s attempts are known to be persistent, with the intention of intelligence gathering and long-term spying
[SINGAPORE] Singapore’s telecommunications infrastructure has come under attack from cyber espionage group UNC3886.
All four of the country’s major telcos – Singtel, StarHub, M1 and Simba Telecom – were targeted, Singapore’s Minister for Digital Development and Information Josephine Teo revealed on Feb 9.
UNC3886 is a state-linked advanced persistent threat (APT) actor and poses a menace to national security in many countries, including Singapore.
Even though no sensitive data was seen or exfiltrated, Teo said that the attacks cannot be taken lightly.
“They could deploy more tools to disrupt telecoms and internet services. Everything that requires a phone or internet connection would then be affected,” said Teo, who is also Minister-in-charge of Cybersecurity and Smart Nation in Singapore.
“The knock-on effects of their campaign could also have included other essential services like banking and finance, transport, and medical services,” she added. “Successful cyberattacks can also affect trust and confidence in Singapore as a whole, and our economic security.”
Navigate Asia in
a new global order
Get the insights delivered to your inbox.
Singapore’s 11 critical services sectors are aviation, healthcare, land transport, maritime, media, security and emergency services, water, banking and finance, energy, infocommunications, and government.
What is UNC3886? Are essential services in Singapore safe from the attack? The Straits Times sheds light on the attack and APTs.
1. What is UNC3886?
First detected in 2022 by cyber security firm Mandiant, UNC3886 is a China-linked cyber espionage group.
UNC3886’s attempts are known to be persistent, with the intention of intelligence gathering and long-term spying.
The “UNC” label stands for “uncategorised” or “unclassified”, as industry analysts have not formally classified it. But that does not mean that it is any less of a threat.
“Like other APTs, UNC3886 also used advanced techniques to cover their tracks and evade detection. This made it a bigger concern,” said Teo.
2. How does UNC3886 operate?
Cyber security experts have described UNC3886 as highly adept. It is known to be sophisticated and evasive.
The Chinese espionage group is known to target network devices, virtualisation systems and critical information infrastructure with zero-day exploits, which are attacks that exploit vulnerabilities in software that vendors have yet to discover and develop patches for.
Unpatched vulnerabilities in the software of network devices, hypervisors and virtual machines are typically harder to monitor.
UNC3886 also employs custom malware and tools already available on the victim’s system to evade detection. Like other APT attackers, UNC3886 is persistent – even if detected and removed from the network, it will attempt to re-enter.
3. What cyber attacks has UNC3886 been responsible for?
UNC3886 is known to have attacked organisations in the US, Europe and parts of Asia, targeting critical sectors such as government, telecoms, technology, aerospace, defence, energy, and utility.
The group has exploited vulnerabilities in routers from Juniper Networks, network security devices from Fortinet, and virtual machines from VMware.
4. Are essential services in Singapore safe from the attack?
On July 18, the Cyber Security Agency of Singapore (CSA) said UNC3886’s activities have been detected in parts of Singapore’s critical information infrastructure that power essential services.
On Feb 9, CSA and the Infocomm Media Development Authority (IMDA) revealed that Singtel, StarHub, M1 and Simba Telecom came under attack.
“Once it gained entry, UNC3886 also managed to steal a small amount of technical data,” said Teo.
IMDA and CSA said that the most sensitive and critical systems such as 5G networks were locked away separately, and were not compromised.
Even though no sensitive data was seen or exfiltrated, Teo said that the attacks cannot be taken lightly.
Damages caused by compromised telco infrastructure could be devastating.
In April 2025, the SIM data of nearly 27 million users were exposed after South Korean telco SK Telecom was attacked. Also in 2025, authorities in the United States reported that APT group Salt Typhoon had infiltrated a large number of US telecommunications providers and may have obtained sensitive military or law enforcement information.
Teo said: “So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere. This is not a reason to celebrate. Rather it is to remind ourselves that the work of cyber defenders matter. We depend on their vigilance and hard work to keep Singaporeans safe.”
5. What other APT attacks have hit Singapore?
In 2014, the authorities detected a security breach in the Ministry of Foreign Affairs’ technology systems. Steps were taken to isolate the affected devices and strengthen the networks.
In what was the first sophisticated attack against universities here, the National University of Singapore and Nanyang Technological University discovered intrusions in their networks in 2017.
No classified data or student personal data was stolen, but the attackers were believed to have targeted the two institutions to steal government and research data. The universities were involved in government-linked projects for the defence, foreign affairs and transport sectors.
Then in 2018, Singapore experienced its worst data breach involving the personal particulars of 1.5 million patients, including then Prime Minister Lee Hsien Loong.
The attacker in the SingHealth breach was said to have been persistent in its efforts to penetrate the network, bypass the security measures and illegally access and exfiltrate data.
The attacker is believed to have lurked in the healthcare group’s network for at least nine months. Its mission: to access SingHealth’s electronic medical records system – which is part of the critical information infrastructure in Singapore.
Most recently, in 2024, about 2,700 devices in Singapore were discovered to have been infected after CSA took part in a cyber operation against a global botnet.
APT hackers behind the botnet exploited poor cyber hygiene practices to infect devices, including baby monitors and internet routers. No critical information infrastructure was affected by the attack. THE STRAITS TIMES
Decoding Asia newsletter: your guide to navigating Asia in a new global order. Sign up here to get Decoding Asia newsletter. Delivered to your inbox. Free.
