S’pore mounts largest cybersecurity op against UNC3886, more than 100 cyberdefenders activated

Minister for Digital Development and Information Josephine Teo and CSA chief executive David Koh (right) viewing the technical demonstration at an engagement event for cyberdefenders on Feb 9.

ST PHOTO: CHONG JUN LIANG

SINGAPORE - More than 100 cyberdefenders from six government agencies and four local telcos are involved in the fight against cyberespionage group UNC3886, making the coordinated countermeasures Singapore’s largest to date.

Operation Cyber Guardian was launched in March 2025, after the advanced persistent threat actor was discovered to have infiltrated telecommunications networks run by Singtel, StarHub, M1 and Simba Telecom, said the Cyber Security Agency of Singapore (CSA) and Infocomm Media Development Authority (IMDA) in a joint statement on Feb 9.

Cybersecurity teams from six government agencies – CSA, IMDA, the Singapore Armed Forces’ Digital and Intelligence Service (DIS), Centre for Strategic Infocomm Technologies, Internal Security Department and Government Technology Agency of Singapore – are involved in the large-scale operation.

UNC3886 is such a challenging adversary partly due to its advanced tactics and ability to cover its tracks, said Mr Law Che Lin, lead cybersecurity consultant at CSA’s Cybersecurity Engineering Centre.

Likening the tactic to how a thief might wipe away his footprints and fingerprints after breaking into a house, Mr Law said: “This makes it hard to detect its activities in the network.”

He was speaking to the media on Feb 9 at CSA’s office in Punggol Digital District, where Minister for Digital Development and Information Josephine Teo publicly recognised the defenders for their efforts.

Mr Law has co-led purple teaming efforts – which involve a red team running simulated attacks and a blue team fending off the attacks. The attacks mimic the tactics used by UNC3886, which include removing logs and wiping clean any traces of activity.

“We work in an iterative fashion, by simulating attacks and allowing defenders to validate their built-in defences and refine them,” Mr Law said. “So if we do find any gaps, we also provide suggestions to remediate them.”

UNC3886 had gained initial access into telecommunications networks through a zero-day vulnerability – a hidden flaw with no known fix – at the perimeter firewall.

This is akin to finding a new key that no one else has found to unlock the doors, Mrs Teo explained on Feb 9.

Following the initial intrusion, UNC3886 was able to expand its presence using sophisticated malware, such as the Medusa rootkit, which can evade detection by bypassing commercial antivirus scanners, and conceal other malware such as keyloggers and viruses.

UNC3886 was also able to evade detection by deploying advanced techniques like altering system logs, leaving no trail.

The group built its own back doors, allowing its attackers to secretly access the compromised telecommunications networks without going through normal login security. 

To stop the attackers, Singapore’s cyberdefenders have closed off access points and changed login credentials. This has prompted UNC3886 to switch tactics and lie low. 

Though the attackers were able to access servers that manage and maintain internal telco systems, the data exfiltrated was primarily network-related. There is no evidence that sensitive or personal data such as customer records was accessed or exfiltrated.

Cyberdefenders involved in Operation Cyber Guardian included (from left) Mr Clifton Soh, manager of threat intelligence and response at IMDA; Mr Law Che Lin, lead cybersecurity consultant at CSA's Cybersecurity Engineering Centre and Military Expert 5 Eugene Tay, the team lead at the DIS’ Threat Hunting Centre, within the agency’s Cyber Protection Group.

ST PHOTO: CHONG JUN LIANG

Months of preparation were required to study the affected networks and identify signs of compromise, said Military Expert 5 Eugene Tay, team lead at the DIS’ Threat Hunting Centre, within the agency’s Cyber Protection Group.

“We combed through a large volume of data, which was time-consuming and required sustained focus by the team,” said ME5 Tay, who declined to reveal the size of his team due to operational sensitivities.

The amount of data was due to the number of telcos under attack, and the varied nature of the data that Singtel, StarHub, M1 and Simba handle.

“Despite the mentally exhausting process, my defenders remain highly focused and mission-oriented. The collective commitment of the team encourages everyone to push through the demands of the work, and we remain disciplined throughout the operation,” said ME5 Tay.

This experience also highlighted the importance of government collaboration, as cybersecurity is a team effort that requires the diverse skill sets of each defender.

“Mutual trust also helps us to better respond and address the cyberthreat more effectively,” said ME5 Tay.
