The Singapore government on Monday announced a multi-agency security operation, codenamed Cyber Guardian, to clap back at threat actors that had been discovered attacking its telecommunications sector. 

The law enforcement operation comes seven months after Singapore publicly announced that threat actor UNC3886 had launched a targeted, well–planned campaign against all four of Singapore’s major telecom operators, M1, SIMBA Telecom, Singtel, and Starhub. Initially, further details about the attack weren’t revealed. However, on Monday, the Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA) said the threat actor was able to gain access into parts of telecom networks and systems - including one instance where they gained limited access to critical systems (though they did not disrupt services).

“The threat actor’s activities were initially detected by the telcos, who then notified IMDA and CSA of the breach,” according to an announcement by the agencies on Monday. “CSA, IMDA and other government agencies swiftly launched a coordinated whole-of-Government response, in partnership with the telcos to contain the breach. The operation, codenamed Operation CYBER GUARDIAN, is Singapore’s largest coordinated cyber incident response effort undertaken to date, spanning more than eleven months.”

UNC3886 is a Chinese espionage group that’s been around since at least 2022. The group is known for targeting defense, tech, and telecom organizations across both the U.S. and Asia-Pacific-Japan regions.

The threat actor “deployed advanced tools in their campaign,” according to CSA, and used a zero-day exploit to bypass telecom firewalls and gain network access. The group was able to exfiltrate a “small amount” of technical, network-related data that could “advance the threat actor’s operational objectives.” There’s no evidence that personal data like customer records were accessed.  

CSA said that the government worked with the telecom organizations to curb UNC3886’s movement into the networks; implemented remediation measures; closed the threat actor access points; and increased monitoring capabilities in the targeted organizations.

UNC3886 has launched other damaging attacks over the years, including ones targeting virtualization technologies and network edge devices. In mid-2024, for instance, Mandiant researchers found that the group had deployed custom backdoors on Juniper Networks’ Junos OS routers.

“So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere,” according to CSA.

The security of the telecom sector has been a top concern for government officials worldwide as threat actors continue to launch espionage attacks against organizations in this space. The U.S. dealt with its own telecom incident in 2024 after it was discovered that Salt Typhoon hit more than eight companies, including AT&T, Verizon, and T-Mobile, in a widespread campaign that impacted U.S. government employee communications. 

”Telcos are strategic targets for threat actors, including state-sponsored ones,” according to the CSA announcement. “They play a foundational role in powering the digital economy and transmit vast amounts of information, including sensitive data. If threat actors succeed in attacking our telcos, they have the potential to undermine our national security and our economy.”

  • Recent Posts

  • Recent Comments

    No comments to show.