Between the lines of Singapore's cyberattack revelations

Minister Josephine Teo reveals new details about last year's UNC3886 campaign.

Photo Credit: Unsplash/Shawn. Smartphone users on Singapore MRT.

All four telecoms in Singapore were targeted by cyber espionage group UNC3886 last year, authorities revealed this week. Here's what wasn't said.

Speaking at an event on Monday to thank cyber defenders, Minister Josephine Teo shared additional information about the cyberattack that made headlines in 2025.

State-sponsored cyberattacks

In July last year, National Security Minister K Shanmugam spoke of a "highly sophisticated threat actor" attacking Singapore's critical infrastructure. At that time, he only shared details of an ongoing attack on Singapore's critical information infrastructure (CII) by a state-sponsored group.

CII systems are those that support essential services. In Singapore, these are defined as energy, water, finance, healthcare, and transport (land, sea, and air), among others, as well as some data centres.

In an unprecedented move at that time, Minister Shanmugam had named the attacker as UNC3886, which Mandiant describes as a "China-nexus espionage group."

New insights

On Monday, Minister Teo shared more details: all four telcos in Singapore, namely Singtel, M1, StarHub, and Simba Telecom, were targeted by UNC3886 last year.

The campaign reportedly leveraged zero-day exploits, used advanced techniques to hide and evade detection, and was deliberate, targeted, and well-planned. In one case, the attackers gained access to a few critical systems but did not get far enough to disrupt services. The attackers exfiltrated a small amount of technical data, believed to be primarily network-related.

Once aware, Singapore launched an operation with more than 100 people across six government agencies to thwart and contain the threat. These included MINDEF's CSIT, the Singapore Armed Forces' Digital and Intelligence Service, the Internal Security Department, and GovTech.

Between the lines

Plausible deniability has long been a useful cover for cyber attackers. That Singapore even named the attackers sends a message on more than one level. Here are some things that were not said.

Though user data and financial information are often associated with hackers, the objective here is far more sinister. UNC3886 is known for breaking into networks for intelligence gathering and gaining surreptitious, long-term access. This isn't about stealing your personal data.

Such insidious access can be used to aid attackers in a hot war or to cause economic damage. Indeed, the use of cyberattacks on power plants to disable air defences was alluded to in the recent brazen U.S. operation that saw it capture former Venezuelan President Nicolás Maduro.

For the rest of us, the takeaway is simpler but no less important: the most dangerous cyberattacks aren't the ones that steal your data. They're the ones you never notice.