Singapore telcos breached in China-linked cyber espionage campaign
Singapore’s four major telecommunications companies were hit by a coordinated cyber espionage campaign last year, the country’s Cyber Security Agency (CSA) has revealed.

An advanced persistent threat group known as UNC3886 has probed deep into the networks of M1, SIMBA Telecom, Singtel, and StarHub, spurring Singapore’s security agencies to mount a large cyber defence operation.
“Under Operation Cyber Guardian, the authorities worked closely with the telcos to limit UNC3886’s movement into the networks and ensure our systems remain safe to use. So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere,” the CSA said.
The intrusions
Singapore’s investigation indicates the group used advanced hacking tools, including at least one previously unknown software flaw (i.e., a zero-day), to bypass a firewall and slip inside telecom systems.
In some cases, the intruders exfiltrated small amounts of technical data (mostly related to how networks were set up) and used rootkits to maintain hidden access.
These discoveries align with previously mapped tactics, techniques, and procedures (TTPs) associated with UNC3886.
Hundreds of defenders across several government agencies spent more than eleven months trying to kick out the intruders and secure the systems. The operation brought together cyber experts from CSA, IMDA, the Centre for Strategic Infocomm Technologies, the Digital and Intelligence Service, GovTech and the Internal Security Department. 
The intrusion didn’t disrupt mobile or internet services, and there’s also no indication that customer records or other personal data were taken. Most of the access the attackers gained was limited, and defenders were able to close off their entry points and boost monitoring where needed, the CSA claims.
The experience has pushed the public and private sectors in Singapore to tighten their cyber teamwork. Government officials say the coordinated approach taken in Operation Cyber Guardian reflects a broader national doctrine: when critical infrastructure is threatened, organizations share information and defensive work to stop attackers. 
About UNC3886
UNC3886 is believed to be a China-nexus cyber espionage group. Singapore’s authorities haven’t publicly named any country behind the group, though some external security firms link UNC3886 to state actors. 
Independent cybersecurity researchers say the group has been active globally for years and has hit organizations in sectors such as defense, technology and telecommunications.
The group’s targeting of telcos bears resemblance to previous attack campaigns pinned on the China-backed Salt Typhoon APT: the hacks of US and Canadian telcos.
In related news, the Norwegian Police Security Service recently revealed that Salt Typhoon has compromised vulnerable network devices in Norwegian organizations.

