    Singapore confirms UNC3886 espionage campaign against telecom sector, prompts major cyber response

    The Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA) disclosed details of Operation Cyber Guardian, a large-scale, multi-agency cybersecurity operation launched to protect Singapore’s telecommunications sector from the advanced persistent threat actor UNC3886. Investigations over recent months found that UNC3886 carried out a deliberate, targeted, and well-planned campaign against the sector, with all four major operators, M1, SIMBA Telecom, Singtel, and StarHub, among those targeted.

    The disclosure follows a warning issued by the agency last July, when UNC3886 was detected targeting Singapore’s critical infrastructure. At the time, further details were not released to preserve operational security. With deep capabilities, UNC3886 deployed advanced tools in its campaign to gain access to the telecom systems.

    “The threat actor’s activities were initially detected by the telcos, who then notified IMDA and CSA of the breach. CSA, IMDA and other government agencies swiftly launched a coordinated whole-of-Government response, in partnership with the telcos to contain the breach,” CSA revealed in its Monday disclosure. “The operation, codenamed Operation CYBER GUARDIAN, is Singapore’s largest coordinated cyber incident response effort undertaken to date, spanning more than eleven months. Over 100 cyber defenders across agencies such as CSA, IMDA, the Centre for Strategic Infocomm Technologies (CSIT), the Digital and Intelligence Service (DIS), the Government Technology Agency of Singapore (GovTech) and the Internal Security Department (ISD) were involved in the operation.”

    UNC3886 is a highly sophisticated advanced persistent threat actor first identified in 2022 by Mandiant and linked to Chinese-nexus espionage campaigns against defense, telecom, finance and critical infrastructure in the U.S., Asia and beyond. Throughout 2024 and into 2025, UNC3886 exploited zero-day vulnerabilities in widely used technologies, including Fortinet FortiOS, VMware vCenter and ESXi hypervisors, and Juniper Networks systems to establish stealthy, long-term access with custom malware and persistence tools. 

    In mid-2024, Mandiant uncovered multiple custom TINYSHELL-based backdoors deployed on Juniper Junos OS routers, revealing the group’s ability to maintain covert footholds on critical network infrastructure. By July 2025, industry alerts such as those from OT-ISAC warned that UNC3886 was actively exploiting zero-day flaws across Fortinet, VMware and Juniper platforms to target Singapore’s critical infrastructure, underscoring its broad strategic intent. 

    Under Operation Cyber Guardian, the authorities worked closely with the telecoms to limit UNC3886’s movement into the networks and ensure that the systems remain safe to use. So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere. To date, there is no evidence that sensitive or personal data, including customer records, were accessed or exfiltrated, and there is also no indication that the threat actor disrupted telecommunications services such as internet availability.

    CSA said that the threat actor was able to gain unauthorised access into some parts of telco networks and systems. “In one instance, they used a zero-day exploit to bypass a perimeter firewall of our telcos and gained access into our telco networks. They also managed to exfiltrate a small amount of technical data; this is believed to be primarily network-related data to advance the threat actors’ operational objectives.”

    In another instance, the threat actor used advanced tools and techniques such as rootkits to maintain persistent access, cover its tracks and evade detection. This made it challenging for cyber defenders to detect its presence and required them to conduct comprehensive security checks across the networks.

    CSA also noted that cyber defenders have since implemented remediation measures, closed off UNC3886’s access points and expanded monitoring capabilities in the targeted telecoms. “The close partnership between the public and private sector in Operation CYBER GUARDIAN reflects our national doctrine of cyber defence, in which government agencies, as well as the private sector come together to collectively defend our cyber space. The doctrine also guides capability development across our cyber ecosystem, sets out the roles that different parties should play in cyber defence, and the actions that should be taken during a cyber incident. This coordinated approach is a key pillar of Singapore’s cyber security.”

    Speaking at an engagement event for cyber defenders involved in Operation Cyber Guardian, Josephine Teo, Singapore’s Minister for Digital Development and Information and Minister-in-charge of Cybersecurity and Smart Nation Group, thanked the defenders for their contributions and called for continued vigilance.

    In her address, she also highlighted the role played by critical infrastructure operators who are at the frontlines of the battle against cyber threat actors. She said, “Your actions, or inaction, can determine whether we succeed or fail in protecting our critical infrastructure, and our national security. I urge all of you to continue investing in upgrading your systems as well as your capabilities.”

    In closing, Teo acknowledged the need for the government and critical infrastructure owners to work together as a team to effectively counter sophisticated adversaries and protect critical national assets.

    CSA said that “While our collective efforts have contributed to containing the attacks so far, we must be prepared that there may be future attempts to gain access into our telco infrastructure. Telcos are strategic targets for threat actors, including state-sponsored ones. They play a foundational role in powering the digital economy and transmit vast amounts of information, including sensitive data. If threat actors succeed in attacking our telcos, they have the potential to undermine our national security and our economy.”

    Noting that the Singapore government takes a serious view of the cyberattack against the telecoms, CSA said: “CSA and IMDA have been working closely with our telcos to strengthen their cyber defences, enhance detection capabilities, and deploy active monitoring systems to maintain vigilance against new attempts by UNC3886 to re-enter their networks. Telcos have also been putting in place interventions including joint threat hunting, penetration testing, and levelling up of capabilities. CSA will also be progressively introducing initiatives to raise the level of capabilities across our cyber ecosystem, to enable better and more timely responses against cyber threats and to strengthen Singapore’s cyber defences.”

    The CSA disclosure comes as Russia’s state-aligned cyber operations against European critical infrastructure have grown more pronounced and diversified, revealing an evolving strategic approach. Security authorities in Latvia highlight that hostile Russian cyber activity remains a major threat to industrial control systems throughout Europe and the West. These operations aim to disrupt vital services, create instability, and retaliate for political backing of Ukraine, with OT networks identified as especially at risk.

    Analysts attribute destructive malware attacks on Poland’s electricity grid to the Sandworm APT, a group with a lengthy record of disruptive campaigns, including data‑wiping assaults that jeopardized energy sector communications in late 2025. At the same time, newly formed hacktivist collectives such as the self‑proclaimed ‘Russian Legion’ have publicly threatened large‑scale attacks against Denmark’s critical sectors, blending distributed denial‑of‑service (DDoS) assaults with political propaganda to coerce Western governments.