Singapore telecommunications — UNC3886 espionage

Singapore's Cyber Security Agency confirmed UNC3886 had persistent rootkit access across all four major Singapore telcos; the eviction operation took eleven months.

Target: Singapore telecommunications — UNC3886 espionage
Date public: 12 February 2026
Sector: Telecoms
Attack type: Nation state
Threat actor: UNC3886 (China-linked)
Severity: Critical
Region: Singapore

Singapore has four major telephone and internet companies — M1, SIMBA, Singtel and StarHub. Between them, they carry essentially all of Singapore's domestic and international voice, mobile and broadband traffic. From around early 2025, a Chinese-government-linked espionage group called UNC3886 was inside all four of them at the same time. The attackers used a previously unknown vulnerability in a perimeter firewall to get in, then installed rootkits — software that hides itself from the operating system and from security tools — to keep their access alive without being detected. They didn't take any customer data, didn't disrupt any services, and didn't ransom anyone. They were collecting network-routing information, presumably to position themselves for a future operation. Singapore's Cyber Security Agency spent eleven months and over a hundred staff across six government agencies removing them. The operation is the largest cyber-defence effort Singapore has ever mounted, and the agency disclosed it publicly in February 2026.

In February 2026 the Cyber Security Agency of Singapore disclosed that the China-linked espionage group UNC3886 had achieved persistent rootkit-level access across all four of Singapore’s major telecommunications providers — M1, SIMBA Telecom, Singtel and StarHub — in a campaign the agency described as the largest coordinated counter-intrusion in Singapore’s history. The disclosure came at the close of an eleven-month operation codenamed CYBER GUARDIAN, run jointly by CSA, the Infocomm Media Development Authority, the Centre for Strategic Infocomm Technologies, the Digital and Intelligence Service, GovTech and the Internal Security Department. More than a hundred defenders were involved at peak.

The intrusion mechanism, as CSA described it in its press release and as Mandiant elaborated in a companion analysis, fits the established UNC3886 pattern. In at least one of the four affected telcos, the threat actor used a zero-day exploit against a perimeter firewall to gain initial network access. UNC3886's documented record over the past four years spans Fortinet FortiOS, VMware vCenter and ESXi, and Juniper Networks Junos OS: perimeter and virtualisation appliances that as a rule cannot host a third-party endpoint agent, so an exploited device yields little telemetry beyond its own logs, which the attacker controls once inside. CSA did not name the affected vendor or CVE in its public statement. Mandiant's published research on UNC3886's contemporaneous targeting of Juniper routers is the closest the public record comes to a corroborating technical attribution, and it is corroboration by pattern rather than a confirmed overlap with the Singapore intrusion.

Once inside, the attackers used rootkits to maintain persistence and to evade the host- and network-level detection the affected operators had deployed. The UNC3886 rootkit families Mandiant has documented are REPTILE, a loadable kernel module that sits inside the kernel itself, and MEDUSA, an LD_PRELOAD library that hooks the libc calls every userland tool depends on. Either way the lie is told below the vantage point of the tools administrators and most endpoint detection products rely on. The implants survive routine reboots and patches, filter their own files, processes and sockets out of what administrative tooling reports, and tunnel command-and-control traffic through legitimate management protocols. The consequence worth stating plainly is that any tool run on the compromised host, including the one doing the investigation, is asking the rootkit for the answer, so a clean result from it is not evidence. That is why the rootkit choice largely explains the eleven-month eviction timeline. Removal cannot be trusted in place: affected systems have to be rebuilt from a known-clean baseline, and every system the rootkit was observed to touch has to be assumed compromised pending forensic confirmation obtained from outside the affected host, such as disk images examined on a separate trusted system or out-of-band network telemetry.
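One of the few checks that still has some value from inside a suspect Linux host is a cross-view comparison: enumerate processes two different ways that take different kernel paths and look for disagreement. The script below is an added example, not code from the CSA disclosure or from Mandiant's reporting, and it assumes a Linux host with procfs mounted at /proc; all function names are the example's own. View one is what readdir() on /proc reports, which is the listing that `ps` and most agents consume and the one a process-hiding rootkit typically filters. View two is a brute-force probe of the PID space with kill(pid, 0), which asks the kernel about each PID directly. A PID that answers the probe but is absent from the listing is a candidate. Because kill() also accepts thread IDs, and threads are never listed in /proc, the script reads Tgid from /proc/<pid>/status to discard threads of visible processes, and it re-checks each candidate to discount processes that started or exited between the two passes.

```python
"""Cross-view detection of hidden processes on Linux.

Added example for illustration; not the tooling used in the CSA operation.
Assumes procfs at /proc. Function names are this example's own.
"""
import os


def hidden_pids(listed, probed):
    """Return PIDs present in the probe view but absent from the listing view.
    Both arguments are iterables of ints; pure function, testable offline."""
    return sorted(set(probed) - set(listed))


def pids_from_proc_listing(proc="/proc"):
    """View 1: what readdir() on /proc reports. A rootkit that filters the
    directory-listing path edits this view; it is what ps and most agents see."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def pid_exists(pid):
    """Probe via kill(pid, 0): ESRCH (ProcessLookupError) means no such process;
    EPERM (PermissionError) means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def pids_from_signal_probe(max_pid=None):
    """View 2: brute-force the PID space with kill(pid, 0), which resolves the
    PID through a different kernel path than the procfs listing."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    return {pid for pid in range(1, max_pid + 1) if pid_exists(pid)}


def thread_group_of(pid, proc="/proc"):
    """Tgid from /proc/<pid>/status, or None if the entry cannot be read.
    /proc/<tid> exists for threads even though readdir() never lists them."""
    try:
        with open(f"{proc}/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def live_scan(max_pid=None):
    """Compare the two views and return PIDs that remain unexplained after
    re-checking for races and for threads of visible processes."""
    listed = pids_from_proc_listing()
    probed = pids_from_signal_probe(max_pid)
    suspects = []
    for pid in hidden_pids(listed, probed):
        if not pid_exists(pid):
            continue  # exited between the two passes
        fresh = pids_from_proc_listing()
        if pid in fresh:
            continue  # started between the two passes
        tgid = thread_group_of(pid)
        if tgid is not None and tgid != pid and tgid in fresh:
            continue  # a thread of a visible process; kill() accepts TIDs
        suspects.append(pid)  # alive, unlisted, not a thread: investigate
    return suspects


if __name__ == "__main__":
    # Constructed sample: the listing omits PID 4242, the probe finds it.
    print("sample:", hidden_pids([1, 2, 100, 4243], [1, 2, 100, 4242, 4243]))
    print("live suspects:", live_scan())
```

A non-empty result from `live_scan()` is a lead, not a verdict, and an empty one is not a clean bill of health: a kernel-module rootkit that hooks both the procfs listing and the kill() lookup path returns a consistent lie to both views, and a preload rootkit can be sidestepped entirely by running a statically linked binary, which this script is not. That asymmetry is exactly why the page's position is that confirmation has to come from a rebuild against a known-clean baseline and from evidence gathered off the affected host.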

The data taxonomy is, on the public record, narrow. CSA stated explicitly that there was no evidence of customer-record or personal-data exfiltration, and no evidence of service disruption. UNC3886 did, however, exfiltrate "a small amount of technical data" that the agency assessed as primarily network-related. CSA did not itemise it; for a carrier, data of that description means the internal infrastructure topology (routing tables, peering configurations, and potentially lawful-intercept system documentation) that lets an attacker understand how the carrier's traffic flows and where the choke points are. The framing CSA used in its public statement, that the exfiltrated data was intended "to advance the threat actors' operational objectives", is the diplomatic phrasing for pre-positioning.

That phrasing is also the right way to read the campaign. UNC3886 is not, on any serious reading of its history, an extortion group, a data-trader or a hacktivist alias. It is a state-aligned intelligence-collection unit whose operational pattern matches the pre-positioning playbook seen with Volt Typhoon and Salt Typhoon. The Singapore campaign is the third major worked example of that pattern in eighteen months: covert, long-duration access to telecommunications infrastructure, no immediate disruption, no public extortion, no commercial monetisation, just deeply hidden persistence and a slow accumulation of network-shape intelligence. Singapore is not a target of the kind the United States was for Volt and Salt Typhoon. The strategic value lies in access at this scale in a country that hosts a substantial volume of regional internet exchange and lawful-intercept traffic.

For UK and European telecoms operators the read-across is the eviction cost rather than the intrusion mechanism. Patching a perimeter firewall zero-day is a routine, well-rehearsed exercise, and it closes the door without removing what already came through it. Rebuilding a national-carrier-scale environment to evict a rootkit cluster, with enough confidence to declare the environment clean, is not routine. The Singapore operation took eleven months with the resources of half a national security state. Most commercial operators could not mount a comparable response, and "tolerate the persistence and contain the blast radius" is not a credible posture for a regulated carrier. The implicit policy lesson, and the one the CSA disclosure is plainly designed to put on the record, is that perimeter-firewall and virtualisation-layer telemetry are now critical national infrastructure in their own right, and that the evidentiary baseline for declaring a carrier environment clean has to extend down into the firmware and hypervisor stack. Most current network-detection programmes do not reach that far.

Singapore is unusual in being able to mount a response of this scale. The campaign is not unusual at all.
