How did Singapore respond to the UNC3886 attack?

Singapore launched Operation Cyber Guardian, a coordinated effort involving over 100 personnel from various government agencies and the affected telecom providers, to contain and mitigate the threat posed by UNC3886.

Were any customer data compromised during the UNC3886 attack on Singapore's telecoms?

No, investigations revealed that while UNC3886 gained limited access to certain systems, there was no evidence of sensitive customer data being accessed or exfiltrated.

UNC3886's 2025 Cyber Attack on Singapore's Telecom Sector

Q: What is UNC3886?

UNC3886 is a Chinese state-sponsored cyber espionage group known for targeting critical infrastructure sectors, including telecommunications, using sophisticated techniques such as zero-day exploits and rootkits.

In July 2025, Singapore's major telecom providers faced a sophisticated cyber attack by the Chinese state-sponsored group UNC3886, prompting a large-scale coordinated response to safeguard critical infrastructure.

Published: February 18, 2026

Share this on:

Executive Summary

In July 2025, Singapore's four major telecommunications providers—Singtel, StarHub, M1, and SIMBA Telecom—were targeted by the Chinese state-sponsored cyber espionage group UNC3886. The attackers employed sophisticated techniques, including rootkits and zero-day exploits in firewalls, to gain unauthorized access to parts of the telecom networks. Despite these efforts, the intrusion did not disrupt services or result in the exfiltration of sensitive customer data. The Singaporean government, in collaboration with the affected telcos, launched Operation Cyber Guardian, a coordinated response involving over 100 personnel from various agencies, to contain and mitigate the threat. (channelnewsasia.com)

This incident underscores the persistent and evolving nature of cyber threats targeting critical infrastructure. The use of advanced tools and tactics by UNC3886 highlights the need for continuous vigilance and robust cybersecurity measures within the telecommunications sector to safeguard against potential future attacks.

Why This Matters Now

The attack on Singapore's telecom infrastructure by UNC3886 highlights the escalating sophistication of state-sponsored cyber threats targeting critical infrastructure. As cyber espionage groups continue to evolve their tactics, it is imperative for organizations to enhance their cybersecurity posture to prevent potential disruptions and data breaches.

Attack Path Analysis

UNC3886 exploited a zero-day vulnerability in a firewall to gain initial access to Singapore's major telecom networks. They deployed rootkits to maintain persistence and evade detection. The attackers moved laterally within the networks, accessing critical systems. They established command and control channels to exfiltrate a small amount of technical data. No significant data exfiltration or service disruption occurred. The impact was limited due to effective detection and response measures.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

High

Command & Control

High

Exfiltration

High

Impact

High

Initial Compromise

Description

UNC3886 exploited a zero-day vulnerability in a firewall to gain initial access to the telecom networks.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2022-41328
CVSS 7.1
A path traversal vulnerability in Fortinet FortiOS allows an attacker to read and write arbitrary files, potentially leading to code execution.
Affected Products:
Fortinet FortiOS – < 7.2.0
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-41328 https://www.fortiguard.com/psirt/FG-IR-22-377
CVE-2022-42475
CVSS 9.8
A heap-based buffer overflow vulnerability in Fortinet FortiOS SSL-VPN allows a remote unauthenticated attacker to execute arbitrary code via specially crafted requests.
Affected Products:
Fortinet FortiOS – < 7.2.3
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-42475 https://www.fortiguard.com/psirt/FG-IR-22-398
CVE-2022-22948
CVSS 6.5
An out-of-bounds write vulnerability in VMware vCenter Server allows a malicious actor with network access to execute arbitrary code.
Affected Products:
VMware vCenter Server – < 7.0.3
Exploit Status:
proof of concept
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-22948 https://www.vmware.com/security/advisories/VMSA-2022-0011.html
CVE-2023-20867
CVSS 3.9
An authentication bypass vulnerability in VMware Tools allows a malicious actor to execute privileged commands on the guest operating system.
Affected Products:
VMware VMware Tools – < 12.1.0
Exploit Status:
proof of concept
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-20867 https://www.vmware.com/security/advisories/VMSA-2023-0012.html
CVE-2023-34048
CVSS 9.8
An out-of-bounds write vulnerability in VMware vCenter Server allows a malicious actor with network access to execute arbitrary code.
Affected Products:
VMware vCenter Server – < 7.0.3
Exploit Status:
proof of concept
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-34048 https://www.vmware.com/security/advisories/VMSA-2023-0020.html

MITRE ATT&CK® Techniques

Techniques identified for SEO/filtering; full STIX/TAXII enrichment to follow.

Initial Access

T1190

Exploit Public-Facing Application

Persistence

T1505.003

Server Software Component: Web Shell

Command and Control

T1071.001

Application Layer Protocol: Web Protocols

Command and Control

T1573.001

Encrypted Channel: Symmetric Cryptography

Discovery

T1082

System Information Discovery

Discovery

T1046

Network Service Discovery

Lateral Movement

T1021.001

Remote Services: Remote Desktop Protocol

Defense Evasion

T1562.001

Impair Defenses: Disable or Modify Tools

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities

Control ID: 6.2

The exploitation of a zero-day vulnerability indicates a failure to protect system components from known and emerging threats, compromising the security of cardholder data.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident suggests inadequacies in the cybersecurity policy, particularly in addressing advanced persistent threats and zero-day vulnerabilities, which are critical for protecting sensitive financial information.

DORA – ICT Risk Management Framework

Control ID: Article 5

The breach highlights deficiencies in the ICT risk management framework, specifically in identifying and mitigating risks associated with zero-day exploits targeting critical infrastructure.

CISA ZTMM 2.0 – Identity Verification and Authentication

Control ID: Pillar 1: Identity

The attackers' ability to exploit vulnerabilities and maintain persistence indicates weaknesses in identity verification and authentication mechanisms, undermining the principles of zero trust.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident underscores the need for enhanced cybersecurity risk management measures to protect essential services from sophisticated cyber threats like zero-day attacks.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Telecommunications

Primary target of Chinese APT attacks requiring advanced encryption, zero trust segmentation, and threat detection capabilities to protect critical infrastructure communications.

Government Administration

High-value APT target requiring enhanced east-west traffic security, multicloud visibility, and egress policy enforcement to prevent state-sponsored lateral movement attacks.

Computer/Network Security

Must provide advanced threat detection, anomaly response, and cloud native security fabric solutions to defend against sophisticated zero-day APT campaigns.

Information Technology/IT

Critical need for Kubernetes security, encrypted traffic protection, and hybrid connectivity solutions to secure infrastructure against persistent state-sponsored threats.

Sources

Singapore & Its 4 Major Telcos Fend Off Chinese Hackershttps://www.darkreading.com/cyberattacks-data-breaches/singapore-major-telcos-fend-chinese-hackers
Verified

Largest Cyber Operation Mounted to Counter UNC3886's Threathttps://www.imda.gov.sg/resources/press-releases-factsheets-and-speeches/press-releases/2026/largest-cyber-operation-mounted-to-counter-unc3886-threat

Verified

S’pore’s four major telcos came under attack by cyber espionage group UNC3886https://www.straitstimes.com/tech/spores-four-major-telcos-came-under-attack-by-cyber-espionage-group-unc3886

Verified

Singapore: Rootkits, Zero-Day Used in Chinese Attack on Major Telecom Firmshttps://www.securityweek.com/singapore-rootkits-zero-day-used-in-chinese-attack-on-major-telecom-firms

Verified

Frequently Asked Questions

UNC3886 is a Chinese state-sponsored cyber espionage group known for targeting critical infrastructure sectors, including telecommunications, using sophisticated techniques such as zero-day exploits and rootkits.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: While initial access may still occur, CNSF would likely limit the attacker's ability to exploit the compromised firewall to further infiltrate the network.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: Zero Trust Segmentation would likely limit the attacker's ability to escalate privileges by enforcing strict access controls between workloads.

Lateral Movement

Control: East-West Traffic Security

Mitigation: East-West Traffic Security would likely reduce the attacker's ability to move laterally by monitoring and controlling internal traffic flows.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: Multicloud Visibility & Control would likely limit the attacker's ability to establish command and control channels by providing comprehensive monitoring across cloud environments.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate data by enforcing strict outbound traffic policies.

Impact (Mitigations)

The overall impact would likely be reduced, with constrained attacker outcomes and minimized risk to critical assets.

Impact at a Glance

Affected Business Functions

Network Operations
Customer Data Management
Service Provisioning

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Limited technical data related to network configurations was exfiltrated; no sensitive customer data was accessed.

Recommended Actions

• Implement inline intrusion prevention systems (IPS) to detect and block exploitation attempts of zero-day vulnerabilities.
• Deploy zero trust segmentation to limit lateral movement within the network.
• Enhance east-west traffic security to monitor and control internal communications.
• Establish multicloud visibility and control to detect and respond to anomalies across cloud environments.
• Enforce egress security and policy enforcement to prevent unauthorized data exfiltration.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

UNC3886's 2025 Cyber Attack on Singapore's Telecom Sector

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2022-41328

Affected Products:

Exploit Status:

References:

CVE-2022-42475

Affected Products:

Exploit Status:

References:

CVE-2022-22948

Affected Products:

Exploit Status:

References:

CVE-2023-20867

Affected Products:

Exploit Status:

References:

CVE-2023-34048

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploit Public-Facing Application

Server Software Component: Web Shell

Application Layer Protocol: Web Protocols

Encrypted Channel: Symmetric Cryptography

System Information Discovery

Network Service Discovery

Remote Services: Remote Desktop Protocol

Impair Defenses: Disable or Modify Tools

Potential Compliance Exposure

PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Identity Verification and Authentication

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Telecommunications

Government Administration

Computer/Network Security

Information Technology/IT

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads