Singapore’s Cyber Security Agency (CSA) has confirmed that a China-linked cyber espionage group known as UNC3886 carried out a coordinated and targeted campaign against the country’s telecommunications sector.
According to CSA, the operation was deliberate, highly organized, and carefully executed. All four major telecommunications providers in Singapore (M1, SIMBA Telecom, Singtel, and StarHub) were identified as targets during the campaign.
Background and Threat Actor Profile
The disclosure follows earlier public warnings issued more than six months ago by Singapore’s Coordinating Minister for National Security, K. Shanmugam, who stated that UNC3886 was involved in attacks against strategically significant and high-value targets.
Security analysts assess UNC3886 to have been active since at least 2022. The group is known for targeting edge devices and virtualization platforms as a means of gaining initial access to enterprise environments.
In July 2025, cybersecurity firm Sygnia revealed details of a prolonged cyber espionage campaign attributed to a threat cluster it tracks as Fire Ant. Researchers noted strong overlaps in tooling and targeting between Fire Ant and UNC3886, particularly involving compromises of VMware ESXi, vCenter infrastructure, and network appliances.
Sophisticated Intrusion Techniques Observed
CSA described UNC3886 as an advanced persistent threat with deep technical capabilities. Investigations revealed that the attackers used sophisticated tooling to infiltrate telecommunications systems.
In one confirmed incident, the threat actor exploited a previously unknown vulnerability to bypass a perimeter firewall. This zero-day exploit allowed the attackers to extract a limited amount of technical data, which was used to further their operational objectives. CSA did not disclose technical details of the vulnerability.
In another case, UNC3886 deployed rootkits to establish long-term persistence while concealing malicious activity to avoid detection. The attackers were also found to have gained unauthorized access to certain segments of telecom networks, including parts classified as critical infrastructure.
Despite the severity of the intrusion, CSA stated that the attacks did not reach a level that would disrupt telecommunications services.
Defensive Operations and Impact Assessment
To counter the intrusion, CSA launched an extensive cyber defense effort known as Operation CYBER GUARDIAN. The operation ran for approximately 11 months and was designed to contain the threat, limit lateral movement, and protect sensitive telecom environments.
CSA emphasized that there is no evidence indicating that personal customer data was stolen or that internet connectivity was interrupted as a result of the attacks.
Following the operation, cyber defenders implemented remediation actions, removed the attackers’ access points, and enhanced monitoring and detection capabilities across the affected telecom providers.
Related Espionage Activity and Emerging Tradecraft
The Singapore telecom campaign coincides with a separate but related activity targeting European government institutions. Researchers observed coordinated exploitation of Ivanti Endpoint Manager Mobile (EPMM) instances using CVE-2026-1281 and CVE-2026-1340.
Following exploitation, the attackers uploaded a dormant loader designed to act as a future access mechanism; its role is to receive and execute a second Java class delivered over HTTP.
Investigators noted that the campaign deployed this in-memory Java class loader at the path /mifs/403.jsp, an uncommon web shell location. The implant remains inactive unless triggered by a specific parameter, and no secondary exploitation has yet been observed.
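The loader described above leaves one concrete, defender-visible trace: HTTP requests to /mifs/403.jsp, a path that should not be served at all on a healthy EPMM appliance. The following detection script is an added example written for this article; it is not code from CSA, Ivanti, or the researchers cited here. It parses web-server access log lines in the common "combined" format (an assumption about the appliance's log layout) and flags every request to the implant path, raising the severity when the request carries a query string or is a POST, since the page states the implant is only activated by a specific parameter whose name has not been disclosed. The log lines embedded in the block are constructed samples, and the parameter name in one of them is arbitrary, not the real trigger.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Path of the dormant loader reported in the article.
IMPLANT_PATH = "/mifs/403.jsp"

# Assumed "combined" access-log layout:
# ip - user [time] "METHOD /path?query HTTP/x.y" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


@dataclass
class Hit:
    ip: str
    time: str
    method: str
    path: str
    query: str
    status: int
    severity: str  # "medium": path touched at all; "high": possible trigger attempt


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> Optional[Hit]:
    """Turn a parsed entry into a Hit if it touches the implant path."""
    path, _, query = entry["target"].partition("?")
    if path != IMPLANT_PATH:
        return None
    # A bare GET may be a probe or health check of the dormant loader; any visible
    # query parameter, or a POST (whose body parameters are not logged), could be the
    # activation request and is ranked higher for triage.
    possible_trigger = bool(query) or entry["method"] == "POST"
    return Hit(
        ip=entry["ip"],
        time=entry["time"],
        method=entry["method"],
        path=path,
        query=query,
        status=int(entry["status"]),
        severity="high" if possible_trigger else "medium",
    )


def scan_log(lines: List[str]) -> List[Hit]:
    """Scan raw log lines and return all hits on the implant path, in log order."""
    hits: List[Hit] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line: skip rather than crash the sweep
        hit = classify(entry)
        if hit is not None:
            hits.append(hit)
    return hits


def source_ips(hits: List[Hit]) -> List[str]:
    """Distinct client addresses that touched the implant path, in first-seen order."""
    return list(dict.fromkeys(h.ip for h in hits))


# Constructed sample log lines (not real telemetry). The "?p=1" parameter is an
# arbitrary placeholder; the actual trigger parameter has not been published.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Feb/2026:08:14:02 +0000] "GET /mifs/login.jsp HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Feb/2026:08:15:47 +0000] "GET /mifs/403.jsp HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    '198.51.100.23 - - [10/Feb/2026:08:16:10 +0000] "POST /mifs/403.jsp HTTP/1.1" 200 17 "-" "curl/8.4.0"',
    '203.0.113.9 - - [10/Feb/2026:09:02:33 +0000] "GET /mifs/403.jsp?p=1 HTTP/1.1" 200 0 "-" "python-requests/2.31"',
    "not an access log line",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"[{h.severity.upper()}] {h.time} {h.ip} {h.method} {h.path} query={h.query!r} status={h.status}")
    print("sources:", source_ips(scan_log(SAMPLE_LOG)))
```

Because the implant is dormant until triggered, a single medium-severity hit is still worth a full host review of the appliance: the page notes that the path itself is an uncommon web shell location, so its presence in logs or on disk is the indicator, not only the activation request.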
Security researchers assess this behavior as consistent with initial-access-broker tactics, where attackers establish a foothold and retain or sell access for future operations.