Article Details

Scrape Timestamp (UTC): 2026-02-10 13:52:57.657

Source: https://www.theregister.com/2026/02/10/singapore_telco_espionage/

Original Article Text

Singapore spent 11 months booting China-linked snoops out of telco networks

Operation Cyber Guardian involved 100-plus staff across government and industry

Singapore spent almost a year flushing a suspected China-linked espionage crew out of its telecom networks in what officials describe as the country's largest cyber defense operation to date.

The Cyber Security Agency of Singapore said advanced persistent threat UNC3886 dug itself into the networks of all four major telecom providers, sparking an 11-month digital eviction effort involving more than 100 personnel from across government, military, intelligence, and industry.

Branded "Operation Cyber Guardian," the cleanup saw the state and telco engineers teaming up to flush the intruders out while keeping the nation's phone and data pipes flowing.

"Over the past months, our investigations have indicated that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore's telecommunications sector," the CSA said.

Officials stopped short of formally pointing the finger at Beijing, but UNC3886 has long been associated with Chinese state-aligned cyber espionage. The group tends to skip flashy break-ins on user machines and instead sneaks into the dull but revealing parts of network infrastructure, where traffic flows quietly and almost nobody is paying attention.

According to Singapore's account, the attackers slipped past perimeter defenses using a previously unknown flaw, then dug in using custom rootkits that let them stay hidden deep inside telecom systems. Officials didn't say what bugs had been exploited, but UNC3886 was previously observed exploiting zero-day flaws in FortiGate firewalls, VMware ESXi, and VMware vCenter Server endpoints.

Investigators believe the operation focused on siphoning off technical network information that could support long-term intelligence collection, rather than stealing customer records or causing outages that might draw attention.

The tactics will sound familiar to anyone who has followed recent telecom-focused espionage campaigns. The operation bears a strong resemblance to the China-backed Salt Typhoon espionage campaign uncovered in 2024, which also went after telecom providers across several countries using similar infrastructure-level tricks to quietly watch data and communications traffic.

That kind of access is why telecom breaches tend to ring louder alarm bells than the average hack. Operators sit at the intersection of government communications, enterprise data, and consumer traffic, making them attractive targets for states looking to map networks, monitor flows, or set the stage for future intelligence operations.

Singapore described Operation Cyber Guardian as its "largest coordinated cyber incident response effort undertaken to date." Cleaning up involved identifying compromised devices, sealing off attacker access paths, patching vulnerabilities, and ramping up monitoring to ensure the intruders didn't simply circle back.

Singapore warned that telecom networks will remain prime targets and urged operators to assume sophisticated actors are already probing their defenses.

Daily Brief Summary

NATION STATE ACTIVITY // Singapore's Massive Cyber Operation Expels China-Linked Espionage Group

Singapore's Cyber Security Agency led a major operation to remove the China-linked APT group UNC3886 from telecom networks, marking the country's largest cyber defense effort.

Operation Cyber Guardian involved over 100 personnel from government, military, intelligence, and industry, working collaboratively to secure telecom infrastructure.

UNC3886 infiltrated all four major telecom providers, using an unknown vulnerability and custom rootkits to maintain a low-profile presence within critical network systems.

The group's activities focused on extracting technical network information for long-term intelligence rather than immediate disruptions or data theft.

Singapore's response included identifying compromised devices, closing access paths, patching vulnerabilities, and enhancing monitoring to prevent reinfiltration.

The incident underscores the vulnerability of telecom networks, which are key targets due to their role in government, enterprise, and consumer communications.

Singapore's experience serves as a warning to telecom operators globally to anticipate sophisticated threats and strengthen their defensive measures.