
Singapore’s telecommunications sector (M1, SIMBA, Singtel, and StarHub) was targeted by a sophisticated Advanced Persistent Threat (APT) actor known as UNC3886. This was not a random attack, but a well-planned and coordinated campaign aimed at critical infrastructure.
The attackers used high-level techniques to infiltrate and remain hidden. They used zero-day exploits, which take advantage of previously unknown vulnerabilities, to bypass firewalls. They also used rootkits, advanced software that maintains persistent access while remaining hidden from security tools. A small amount of technical, network-related data was stolen to help the actors understand the systems better for future objectives.
In response, Singapore launched Operation Cyber Guardian to counteract the threat. Once the telcos detected the breach, they informed the Cyber Security Agency and IMDA. The operation lasted over 11 months and involved more than 100 cyber defenders from various government agencies, including GovTech and the Digital and Intelligence Service. The team successfully disrupted the attackers’ movement within the networks and closed off their access points. Fortunately, the impact was limited: there is no evidence that customers’ personal data was stolen, nor were there any disruptions to internet and phone services.
The event highlights Singapore’s cyber defense doctrine, which relies on a tight-knit partnership between the private sector (telcos) and government bodies. By cooperating, they were able to neutralize a deep-capability threat before it could cause widespread service outages or mass data leaks.
