Singapore Defense Operation Secures Telecommunications Sector Against Targeted Espionage

A coordinated 11-month operation by Singapore’s Cyber Security Agency and four major telecommunications providers successfully neutralized unauthorized access by a sophisticated threat actor, preventing data exfiltration and service disruption.

Triage Security Media Team

For 11 months, Singapore's Cyber Security Agency (CSA) and four major telecommunications providers coordinated a defense operation to identify and remove a China-linked threat actor from their networks. The initiative successfully neutralized the unauthorized access before the actors could disrupt communications or internet services.

The operation, designated Cyber Guardian, utilized over 100 incident responders from multiple government agencies and the affected providers—M1, Simba Telecom, Singtel, and StarHub. According to the incident report published by the CSA, the threat group, identified as UNC3886, employed sophisticated methodology. This included the use of a zero-day vulnerability to bypass perimeter firewalls and the deployment of rootkits to establish persistence within the network infrastructure.

Investigations by the CSA and the Infocomm Media Development Authority (IMDA) confirmed that while the actors gained unauthorized access to critical systems, they were unable to leverage this position to cause service disruptions. Furthermore, authorities found no evidence that personal data was accessed or exfiltrated during the incident.

The CSA described the activity as a deliberate and targeted campaign against the sector. The telecommunications providers initially detected the anomalies and notified the IMDA and CSA, initiating the joint response.

This incident aligns with a broader pattern of activity targeting critical infrastructure and telecommunications globally. In the United States, nearly a dozen telecommunications and networking firms—including Verizon, T-Mobile, and AT&T—have identified indicators of compromise linked to Salt Typhoon. This group also maintained unauthorized access to certain U.S. National Guard systems for nearly a year and targeted Canadian telecommunications infrastructure.

While U.S. security agencies issued warnings regarding this global espionage activity last August, reports indicate that diplomatic and trade considerations have influenced the international response regarding sanctions.

Critical Infrastructure Defense

The campaign against Singapore's telecommunications sector demonstrated high sophistication and targeted critical information infrastructure (CII), according to Lim May-Ann, executive director for the Coalition for Cybersecurity in Asia Pacific (CCAPAC).

"The attack was very well-planned," she says. "APTs are systemic attacks, and the fact that this was... on Singapore's CII meant that the target was strategically identified as a critically important sector to attack [and] that this was a well-thought-out operation."

Singaporean authorities collaborated closely with the telecommunications firms to restrict UNC3886's lateral movement and access. The CSA report indicates this containment strategy was largely successful.

Agnidipta Sarkar, chief evangelist at ColorTokens, notes that the incident demonstrates the efficacy of strong public-private partnerships. He observes that services remained unaffected due to effective containment and resilience measures. He adds that the coordination, transparent attribution, and proactive hardening demonstrate a commitment to collaborative cyber defense.

Collin Hogue-Spears, a senior director of solution management at Black Duck, suggests the incident highlights China’s developing expertise in compromising critical infrastructure. He notes that the actors spent 11 months inside four national carriers collecting network blueprints, rather than stealing customer records or demanding ransom.

The Value of Intelligence Sharing

The collaborative effort illustrates that intelligence sharing is effective when information and infrastructure are responsive to threats. Trey Ford, chief strategy and trust officer at Bugcrowd, points out that the close relationship between the government and private industry in Singapore strengthened the response. He notes that while public-private partnerships are often discussed in the U.S. and EU, defenders frequently lack actionable intelligence flowing back to the private sector.

The CSA incident report emphasizes the ongoing risk state-sponsored actors pose to critical infrastructure. The agency stated that while collective efforts contained the immediate threat, the sector must prepare for future attempts. Telecommunications providers remain strategic targets due to their foundational role in the digital economy and the sensitive data they transmit.

Lim notes that naming the specific group responsible signals transparency in Singapore's approach to cybersecurity. It demonstrates that defenses are operational and highlights the shared responsibility between critical infrastructure operators and the public sector to safeguard national interests.