Singapore's 11-month cyber eviction: Inside the fight against China-linked telecom spies
#Cybersecurity

Privacy Reporter
Singapore spent nearly a year flushing suspected Chinese espionage group UNC3886 from telecom networks, revealing the persistent threat to critical infrastructure.

Singapore spent almost a year flushing a suspected China-linked espionage crew out of its telecom networks in what officials describe as the country's largest cyber defense operation to date.

The Cyber Security Agency of Singapore said advanced persistent threat UNC3886 dug itself into the networks of all four major telecom providers, sparking an 11-month digital eviction effort involving more than 100 personnel from across government, military, intelligence, and industry.

Branded "Operation Cyber Guardian," the cleanup saw the state and telco engineers teaming up to flush the intruders out while keeping the nation's phone and data pipes flowing.

"Over the past months, our investigations have indicated that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore's telecommunications sector," the CSA said.

Officials stopped short of formally pointing the finger at Beijing, but UNC3886 has long been associated with Chinese state-aligned cyber espionage. The group tends to skip flashy break-ins on user machines and instead sneaks into the dull but revealing parts of network infrastructure, where traffic flows quietly and almost nobody is paying attention.

According to Singapore's account, the attackers slipped past perimeter defenses using a previously unknown flaw, then dug in using custom rootkits that let them stay hidden deep inside telecom systems. Officials didn't say what bugs had been exploited, but UNC3886 was previously observed exploiting zero-day flaws in FortiGate firewalls, VMware ESXi, and VMware vCenter Server endpoints.

Investigators believe the operation focused on siphoning off technical network information that could support long-term intelligence collection, rather than stealing customer records or causing outages that might draw attention.

The tactics will sound familiar to anyone who has followed recent telecom-focused espionage campaigns. The operation bears a strong resemblance to the China-backed Salt Typhoon espionage campaign uncovered in 2024, which also went after telecom providers across several countries using similar infrastructure-level tricks to quietly watch data and communications traffic.

That kind of access is why telecom breaches tend to ring louder alarm bells than the average hack. Operators sit at the intersection of government communications, enterprise data, and consumer traffic, making them attractive targets for states looking to map networks, monitor flows, or set the stage for future intelligence operations.

Singapore described Operation Cyber Guardian as its "largest coordinated cyber incident response effort undertaken to date." Cleaning up involved identifying compromised devices, sealing off attacker access paths, patching vulnerabilities, and ramping up monitoring to ensure the intruders didn't simply circle back.

Singapore warned that telecom networks will remain prime targets and urged operators to assume sophisticated actors are already probing their defenses.

The 11-month operation highlights the persistent and evolving nature of state-sponsored cyber threats targeting critical infrastructure. Unlike opportunistic cybercrime that seeks quick financial gain, groups like UNC3886 engage in patient, methodical infiltration designed to establish long-term intelligence collection capabilities.

What makes telecom networks particularly vulnerable is their role as central nervous systems of modern communication. Every phone call, text message, and data packet flows through these networks, creating a treasure trove of information for intelligence agencies. The attackers' focus on technical network information rather than customer data suggests they were mapping infrastructure, identifying key nodes, and establishing persistent access points that could be used for future operations.

The use of custom rootkits and previously unknown vulnerabilities (zero-days) demonstrates the significant resources and technical sophistication available to these threat actors. Rootkits of this kind typically operate at the kernel level of the operating system, or below it, which makes them extremely difficult to detect and remove with ordinary host-based tooling. By exploiting zero-day vulnerabilities, the attackers ensured they could bypass existing security measures that hadn't yet been updated to defend against these specific attack vectors.

Singapore's response, involving over 100 personnel from multiple agencies, underscores the scale of resources required to combat such sophisticated threats. The coordination between government agencies, military, intelligence services, and private sector telecom operators represents a comprehensive approach to cybersecurity that recognizes the interconnected nature of modern threats.

The warning that telecom networks will remain prime targets serves as a sobering reminder that the cybersecurity landscape continues to evolve. As organizations strengthen their defenses against more common threats, sophisticated state-sponsored actors adapt their tactics to exploit the most valuable and vulnerable targets. For telecom operators worldwide, Singapore's experience provides both a warning and a blueprint for how to respond to similar threats.

The operation also raises questions about the broader implications for international relations and cybersecurity policy. While Singapore stopped short of directly attributing the attack to China, the association with UNC3886 and the similarities to other China-linked campaigns make the connection difficult to ignore. This incident adds to the growing body of evidence about state-sponsored cyber operations targeting critical infrastructure, potentially influencing future diplomatic and economic decisions regarding technology partnerships and supply chains.

As nations become increasingly dependent on digital infrastructure, the protection of telecom networks takes on heightened importance. The 11-month operation in Singapore demonstrates that defending against sophisticated cyber threats requires not just technical solutions, but also sustained commitment, inter-agency cooperation, and the ability to maintain critical services while conducting complex remediation efforts. The lessons learned from Operation Cyber Guardian will likely inform cybersecurity strategies well beyond Singapore's borders.