What is UNC3886, the group that attacked Singapore’s telco infrastructure?
Sign up now: Get ST's newsletters delivered to your inbox
All four of the country’s major telcos – Singtel, StarHub, M1 and Simba Telecom – were targeted, Singapore’s Minister for Digital Development and Information Josephine Teo revealed on Feb 9.
PHOTO: ST FILE
SINGAPORE - Singapore’s telecommunications infrastructure has come under attack from cyberespionage group UNC3886.
All four of the country’s major telcos – Singtel, StarHub, M1 and Simba Telecom – were targeted,
UNC3886 is a state-linked advanced persistent threat (APT) actor and poses a menace to national security in many countries, including Singapore.
Even though no sensitive data was seen or exfiltrated, Mrs Teo said the attacks cannot be taken lightly.
“They could deploy more tools to disrupt telecoms and internet services. Everything that requires a phone or internet connection would then be affected,” said Mrs Teo, who is also Minister-in-charge of Cybersecurity and Smart Nation Group.
“The knock-on effects of their campaign could also have included other essential services like banking and finance, transport and medical services,” she added. “Successful cyberattacks can also affect trust and confidence in Singapore as a whole, and our economic security.”
Singapore’s 11 critical services sectors are aviation, healthcare, land transport, maritime, media, security and emergency services, water, banking and finance, energy, infocommunications, and government.
What is UNC3886? Are essential services in Singapore safe from the attack? The Straits Times sheds light on the attack and APTs.
1. What is UNC3886?
First detected in 2022 by cybersecurity firm Mandiant, UNC3886 is a China-linked cyberespionage group.
UNC3886’s attempts are known to be persistent, with the intention of intelligence gathering and long-term spying.
The “UNC” label stands for “uncategorised” or “unclassified”, as industry analysts have not formally classified it. But that does not mean it is any less of a threat.
“Like other APTs, UNC3886 also used advanced techniques to cover its tracks and evade detection. This made it a bigger concern,” said Mrs Teo.
2. How does UNC3886 operate?
Cybersecurity experts have described UNC3886 as highly adept. It is known to be sophisticated and evasive.
The Chinese espionage group is known to target network devices, virtualisation systems and critical information infrastructure with zero-day exploits, which are attacks that exploit vulnerabilities in software that vendors have yet to discover and develop patches for.
Unpatched vulnerabilities in the software of network devices, hypervisors and virtual machines are typically harder to monitor.
UNC3886 also employs custom malware and tools already available on the victim’s system to evade detection. Like other APT attackers, UNC3886 is persistent – even if detected and removed from the network, it will attempt to re-enter.
3. What cyberattacks has UNC3886 been responsible for?
UNC3886 is known to have attacked organisations in the US, Europe and parts of Asia, targeting critical sectors such as government, telecoms, technology, aerospace, defence, energy and utility.
The group has exploited vulnerabilities in routers from Juniper Networks, network security devices from Fortinet, and virtual machines from VMware.
Minister for Digital Development and Information Josephine Teo viewing a technical demonstration during an engagement event for cyberdefenders on Feb 9.
ST PHOTO: CHONG JUN LIANG
4. Are essential services in Singapore safe from the attack?
On July 18, 2025, the Cyber Security Agency of Singapore (CSA) said UNC3886’s activities have been detected in parts of Singapore’s critical information infrastructure that power essential services.
On Feb 9, CSA and the Infocomm Media Development Authority (IMDA) revealed that Singtel, StarHub, M1 and Simba Telecom had come under attack.
“Once it gained entry, UNC3886 also managed to steal a small amount of technical data,” said Mrs Teo.
IMDA and CSA said the most sensitive and critical systems such as 5G networks were locked away separately, and were not compromised.
Even though no sensitive data was seen or exfiltrated, Mrs Teo said the attacks cannot be taken lightly.
The damage caused by compromised telco infrastructure could be devastating.
In April 2025, the SIM data of nearly 27 million users were exposed after South Korean telco SK Telecom was attacked. Also in 2025, the authorities in the United States reported that APT group Salt Typhoon had infiltrated a large number of US telco providers and may have obtained sensitive military or law enforcement information.
Mrs Teo said: “So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere. This is not a reason to celebrate. Rather, it is to remind ourselves that the work of cyberdefenders matters. We depend on their vigilance and hard work to keep Singaporeans safe.”
5. What other APT attacks have hit Singapore?
In 2014, the authorities detected a security breach in the Ministry of Foreign Affairs’ technology systems. Steps were taken to isolate the affected devices and strengthen the networks.
In what was the first sophisticated attack against universities here, the National University of Singapore and Nanyang Technological University discovered intrusions in their networks in 2017.
No classified data or student personal data was stolen, but the attackers were believed to have targeted the two institutions to steal government and research data. The universities were involved in government-linked projects for the defence, foreign affairs and transport sectors.
Then in 2018, Singapore experienced its worst data breach involving the personal particulars of 1.5 million patients
The attacker in the SingHealth breach was said to have been persistent in its efforts to penetrate the network, bypass security measures, and illegally access and exfiltrate data.
The attacker is believed to have lurked in the healthcare group’s network for at least nine months. Its mission: to access SingHealth’s electronic medical records system – which is part of the critical information infrastructure in Singapore.
Most recently, in 2024, about 2,700 devices in Singapore were discovered to have been infected after CSA took part in a cyberoperation against a global botnet.
APT hackers behind the botnet exploited poor cyberhygiene practices to infect devices, including baby monitors and internet routers. No critical information infrastructure was affected by the attack.
