Singapore says China-backed hackers targeted its four largest phone companies

Singapore has attributed a months-long cyber campaign against its telecommunications infrastructure to a China-linked espionage group.

In a statement released Monday, the government confirmed for the first time that the hacking group known as UNC3886 targeted four of the country's leading telecom operators: Singtel, StarHub, M1, and Simba Telecom. Previously, authorities acknowledged they were responding to an attack on critical infrastructure but had not identified the attackers.

Although the attackers infiltrated certain systems, they did not disrupt services or access personal data, according to K. Shanmugam, Singapore's coordinating minister for national security.

Mandiant, Google's cybersecurity division, has previously identified UNC3886 as an espionage group believed to operate on behalf of China. The Chinese government has been widely accused of carrying out cyber-espionage operations and positioning for potential disruptive attacks related to geopolitical tensions, including around Taiwan — allegations that Beijing has consistently denied, according to Reuters.

The group is known for exploiting zero-day vulnerabilities in networking equipment, including routers and firewalls, and in virtualised environments, where conventional cybersecurity tools often have limited visibility. UNC3886 has targeted organisations across the defence, technology, and telecommunications sectors in both the United States and the Asia-Pacific region.

In Singapore's case, Shanmugam said the hackers deployed sophisticated techniques, including rootkits, to maintain prolonged access to compromised systems.

"In one instance, they were able to gain limited access to critical systems but did not get far enough to have been able to disrupt services," the government said in its official statement.

According to Reuters, the affected telecom companies issued a joint statement saying they routinely encounter distributed denial-of-service (DDoS) attacks and other forms of malware. "We adopt defence-in-depth mechanisms to protect our networks and conduct prompt remediation when any issues are detected," the companies said.

The incident follows a broader pattern of cyberattacks targeting telecommunications firms worldwide, including in the United States. Several governments have attributed those campaigns to another China-linked group known as Salt Typhoon.

Singapore emphasised that the impact of the UNC3886 intrusion was less severe than the damage caused by the Salt Typhoon operations elsewhere.