Singapore says China-backed hackers targeted its four largest phone companies
Source: TechCrunch
Background
Singapore’s government has blamed a known Chinese cyber‑espionage group, UNC3886, for targeting the country’s four largest telecommunications companies—Singtel, StarHub, M1, and Simba Telecom—as part of a months‑long attack.
Details of the Attack
- The hackers breached and accessed some systems but did not disrupt services or obtain personal information, according to K. Shanmugam, Singapore’s coordinating minister for national security.
- The group used advanced tools, such as rootkits, to gain long‑term persistence. In one instance they obtained limited access to critical systems but were unable to disrupt services.
Government and Industry Response
- Singapore confirmed the threat in a press release issued on Monday.
- The telcos issued a joint statement saying they regularly face distributed denial‑of‑service (DDoS) and other malware attacks and that they “adopt defence‑in‑depth mechanisms to protect our networks and conduct prompt remediation when any issues are detected.”
Context and Related Threats
- Google‑owned cybersecurity unit Mandiant has linked UNC3886 to Chinese state‑backed espionage activities.
- UNC3886 is known for exploiting zero‑day vulnerabilities in routers, firewalls, and virtualized environments, targeting defense, technology, and telecom sectors across the U.S. and the Asia‑Pacific region.
- The attacks on Singapore’s telcos are distinct from the broader “Salt Typhoon” campaign that has affected hundreds of telecom companies worldwide, including incidents in the United States and Norway.
References
- Singapore government statement: https://www.csa.gov.sg/news-events/press-releases/largest-multi-agency-cyber-operation-mounted-to-counter-threat-posed-by-advanced-persistent-threat--apt--actor-unc3886-to-singapore-s-telecommunications-sector/
- Mandiant analysis of UNC3886: https://cloud.google.com/blog/topics/threat-intelligence/chinese-vmware-exploitation-since-2021/
- Reuters report on the Singapore incident: https://www.reuters.com/sustainability/boards-policy-regulation/singapore-says-cyber-espionage-group-targeted-telco-infrastructure-2026-02-09/
- Zero‑day vulnerability overview: https://techcrunch.com/2025/04/25/techcrunch-reference-guide-to-security-terminology/#zero-day
- UNC3886 targeting of defense and telecom sectors: https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass
- Salt Typhoon attacks in the United States: https://techcrunch.com/2025/08/27/fbi-says-chinas-salt-typhoon-hacked-at-least-200-us-companies/
- Salt Typhoon attacks on Norwegian companies: https://techcrunch.com/2026/02/06/chinas-salt-typhoon-hackers-broke-into-norwegian-companies/