Operation CYBER GUARDIAN: Inside Singapore's Largest Cyber Defense Operation Against APT Actor UNC3886

For eleven months, over 100 cyber defenders from six government agencies worked alongside Singapore's four major telecommunications operators to hunt, contain, and evict a sophisticated nation-state threat actor that had breached all of their networks. On February 9, 2026, Singapore finally disclosed the full scope of Operation CYBER GUARDIAN — the largest coordinated cyber incident response in the nation's history — and the details paint a sobering picture of what modern critical infrastructure defense actually looks like.

The disclosure arrived during an engagement event for the cyber defenders who participated in the operation. Singapore's Minister for Digital Development and Information, Josephine Teo, addressed the room with a gravity that rarely accompanies government cybersecurity announcements. She called UNC3886 a "potentially more serious threat" than any previous cyberattack Singapore had faced, including the 2018 SingHealth breach that exposed 1.5 million patient records. The reason was simple: this time, the attackers were not after data alone. They were positioning themselves inside systems that deliver essential services to an entire nation.

The Threat: Who is UNC3886?

UNC3886 is an Advanced Persistent Threat group first publicly documented by Mandiant (now part of Google Cloud) in September 2022, though its operations trace back to at least late 2021. The "UNC" designation stands for "uncategorized" — Mandiant's label for threat clusters that have not yet been formally attributed to a named group. Multiple cybersecurity firms have linked UNC3886 to Chinese-nexus cyber espionage operations, though Singapore's government has notably refrained from publicly naming a sponsoring state.

What distinguishes UNC3886 from many other APT actors is its target selection and technical depth. Rather than concentrating on endpoints and workstations, where most defensive tooling lives, the group focuses on network edge devices, virtualization platforms, and infrastructure-layer technologies: the firewalls and routers that sit between the internet and the internal network, and the hypervisors that run entire data centers. These are environments where conventional endpoint detection and response (EDR) agents typically cannot be installed, and where forensic visibility is often limited to whatever the vendor's appliance exposes.

Attribution Context

UNC3886 is tracked separately from Salt Typhoon, another China-linked APT that has targeted U.S. and Canadian telecommunications providers. While both groups focus on telco infrastructure and share some tactical overlap, cybersecurity researchers including Mandiant have assessed them as distinct threat clusters with different tooling and infrastructure.

Historically, UNC3886 has exploited zero-day vulnerabilities across products from Fortinet, VMware, and Juniper Networks. In 2023, it was linked to campaigns using a Fortinet FortiOS path traversal flaw (CVE-2022-41328) to deploy custom backdoors on government networks. In early 2025, Mandiant published research showing UNC3886 targeting end-of-life Juniper MX Series routers, deploying six distinct TinyShell-based backdoors whose capabilities included disabling logging on the compromised devices. The group has also exploited a VMware vCenter zero-day (CVE-2023-34048) to gain unauthenticated remote code execution; in those intrusions, backdoors were deployed within minutes of the vulnerable vCenter directory service crashing, which is the artifact that later allowed investigators to recognise the exploitation.

The common thread across all of these campaigns is a pattern of deep systems knowledge, patience, and a clear emphasis on long-term stealth over immediate objectives.

The Campaign: How Singapore's Telcos Were Breached

Singapore's Cyber Security Agency (CSA) first became aware of the threat in early-to-mid 2025, when all four of the nation's major telecommunications operators — Singtel, StarHub, M1, and SIMBA Telecom — detected suspicious activity within their networks. The telcos reported these anomalies to the Infocomm Media Development Authority (IMDA) and CSA, even though, as CSA later noted, the suspicious activities initially detected did not yet meet the formal threshold required for mandatory breach notification. That early communication proved critical.

Investigations revealed that UNC3886 had conducted a deliberate, targeted, and coordinated campaign against the entire telecommunications sector. This was not opportunistic scanning that happened to find an open door. Every major operator was targeted, suggesting detailed reconnaissance and strategic planning.

In at least one confirmed instance, UNC3886 exploited a zero-day vulnerability in a perimeter firewall to gain its initial foothold into a telco network. Minister Teo described this technique as "finding a new key that no one else had found, to unlock the doors to our telcos' information systems and networks." A zero-day, by definition, is a vulnerability for which no security patch exists at the time of exploitation, so diligent patching alone could not have stopped the initial exploitation; what limits the damage is everything that constrains the attacker after landing on the device, such as restricted management-plane access, segmentation behind the firewall, and monitoring of the device itself.

"The consequences could have been more severe. If the attack went far enough, it could have allowed the attacker to one day cut off telecoms or internet services." — Josephine Teo, Minister for Digital Development and Information, Singapore (CSA)

Once inside, the attackers deployed rootkit malware to maintain persistent access while systematically covering their tracks. A rootkit hooks the operating system, either in the kernel or in userland libraries that every process loads, so that files, processes, and network connections chosen by the attacker are filtered out of what administrators and security tools see. UNC3886 has historically used REPTILE (a Linux kernel-module rootkit that hides attacker activity and opens a covert channel only after a port-knocking sequence) and MEDUSA (a userland LD_PRELOAD rootkit that logs credentials from successful authentications and records executed commands). These tools made it extraordinarily difficult for defenders to confirm the attacker's presence, requiring painstaking forensic sweeps across entire network environments.

CSA confirmed that UNC3886 managed to exfiltrate a small amount of technical data, believed to be primarily network topology and configuration information — the kind of data that helps an attacker map the terrain, identify high-value systems, and plan deeper penetration. In one instance, the attackers gained limited access to critical systems, though they did not progress far enough to disrupt services. Crucially, there is no evidence that customer records, personal data, or sensitive communications were accessed or stolen.

The Response: Operation CYBER GUARDIAN

Singapore's response to the breach became the most significant test of its national cyber defense doctrine — a classified framework authored in 2020 that defines roles, responsibilities, and coordination protocols for public-private cyber defense operations. Minister Teo noted that while the doctrine had been practiced through exercises for several years, Operation CYBER GUARDIAN was the first time it had been activated in an actual operation.

The operation mobilized over 100 cyber defenders across six government agencies: the Cyber Security Agency (CSA), the Infocomm Media Development Authority (IMDA), the Centre for Strategic Infocomm Technologies (CSIT), the Singapore Armed Forces' Digital and Intelligence Service (DIS), the Government Technology Agency (GovTech), and the Internal Security Department (ISD). These teams worked in close partnership with security personnel at all four telcos across the full eleven-month engagement.

Operational Scale

Operation CYBER GUARDIAN spanned over eleven months and involved six government agencies plus four private-sector telcos. The operation remained classified from its inception until the public disclosure on February 9, 2026, to preserve operational security while the containment and eviction were still underway.

The defenders' immediate priorities were threefold: limit UNC3886's lateral movement within the compromised networks, close the access points the attackers had used to enter and re-enter, and expand monitoring capabilities to detect any future attempts to regain a foothold. CSA publicly credited specific individuals who led the response effort: a senior cybersecurity consultant from CSA's National Cyber Incident Response Centre who served as one of the first responders, along with threat intelligence specialists from IMDA and the Digital and Intelligence Service (DIS) who led the teams conducting threat hunts within the telco networks.

The operation succeeded in containing the breach. Defenders closed off UNC3886's known access points and implemented expanded monitoring. But Singapore's officials were careful not to frame this as a victory. Minister Teo stated plainly that the attackers are backed by countries with formidable resources and will not give up easily when it comes to regaining a foothold in Singapore's telco systems.

The Bigger Picture: Why Telcos Are Ground Zero

Telecommunications infrastructure has become one of the highest-value target categories for state-sponsored cyber operations worldwide, and the Singapore campaign fits squarely within that pattern. Telcos carry and route virtually all digital communications for a nation — voice calls, text messages, internet traffic, financial transactions, and government communications all traverse their networks. Compromising a telco does not just give an attacker access to one organization; it potentially gives them visibility into the communications of every customer on that network.

"Telcos are strategic targets for threat actors, including state-sponsored ones. They play a foundational role in powering the digital economy and transmit vast amounts of information, including sensitive data. If threat actors succeed in attacking our telcos, they have the potential to undermine our national security and our economy." — CSA/IMDA Joint Press Release (CSA)

Singapore is not the only nation grappling with this reality. In 2024, U.S. authorities disclosed that Salt Typhoon, another China-linked APT, had infiltrated a large number of American telecommunications providers and may have accessed sensitive law enforcement or military communications. In April 2025, South Korea's SK Telecom suffered a breach that exposed SIM-related data for approximately 23 million subscribers. Norway's Police Security Service recently confirmed that Salt Typhoon had compromised vulnerable network devices within Norwegian organizations.

Minister Teo connected these dots explicitly, warning that Singapore's other critical infrastructure sectors — power, water, and transport — should prepare for the possibility that they, too, will be targeted. According to CSA's Singapore Cyber Landscape 2024/2025 report, suspected APT activity targeting Singapore has increased more than fourfold between 2021 and 2024.

UNC3886's Technical Playbook

Understanding UNC3886's tactics, techniques, and procedures is essential for any organization operating critical infrastructure. The group's approach is methodical and layered, combining multiple capabilities to achieve and maintain access while avoiding detection.

Initial Access

UNC3886 consistently exploits zero-day and high-severity vulnerabilities in network perimeter devices and virtualization infrastructure. Known exploited CVEs include CVE-2022-41328 (Fortinet FortiOS path traversal), CVE-2022-42475 (Fortinet FortiOS SSL-VPN heap-based buffer overflow), CVE-2023-34048 (VMware vCenter out-of-bounds write in the DCERPC implementation), CVE-2023-20867 (VMware Tools authentication bypass, allowing guest operations from a compromised ESXi host without guest credentials), and CVE-2025-21590 (Juniper Junos OS improper isolation in the kernel, exploited notably on end-of-life MX routers). The group's preference for edge devices and virtualization platforms means it targets exactly the technologies that sit outside the coverage of conventional EDR solutions.

Persistence and Stealth

Once inside, UNC3886 deploys a suite of custom and modified open-source tools designed for long-term access. Its known toolkit includes TinyShell (a lightweight open-source Unix backdoor with encrypted command-and-control, which the group extends with custom features), REPTILE (a kernel-level rootkit that hides attacker activity and supports port-knocking for covert access), MEDUSA (a userland rootkit focused on credential interception), MOPSLED (a modular backdoor framework), CASTLETAP (a passive ICMP-triggered backdoor for FortiGate firewalls), and RIFLESPINE (a backdoor that uses Google Drive for command-and-control). Alongside these, the group uses GHOSTTOWN for anti-forensics and PITHOOK for SSH credential harvesting, and it routinely tampers with system logs and forensic artifacts to erase evidence of its presence.
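The process-hiding rootkits above all have the same weakness: a rootkit that filters the /proc directory listing (as an LD_PRELOAD rootkit like MEDUSA does) or hooks the kernel's directory-read path (as a kernel-module rootkit like REPTILE can) must also lie to every other kernel interface, or the views disagree. The script below is an added example written for this article, not UNC3886 tooling and not detection logic from any of the cited sources. It compares the directory view of /proc with a syscall view, `kill(pid, 0)`, which reports whether a PID exists without sending a signal, and then uses /proc/<pid>/status to separate two genuine hidden-process cases from the expected false positive of thread IDs, which the kernel acknowledges but /proc never lists. It assumes a Linux host with /proc mounted; the hypothetical function names are mine.

```python
"""Cross-view hunt for processes hidden from /proc (added example, not UNC3886 code)."""
import os
from typing import Callable, Iterable

OWN_PID = os.getpid()  # always has a readable /proc entry; used as a sanity check


def proc_listed_pids(proc_root: str = "/proc") -> set[int]:
    """Directory view: PIDs that a readdir() of /proc returns (what 'ps' and 'ls' see)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pid_exists_via_kill(pid: int) -> bool:
    """Syscall view: kill(pid, 0) probes for existence without delivering a signal."""
    try:
        os.kill(pid, 0)
        return True
    except ProcessLookupError:
        return False          # ESRCH: no such process
    except PermissionError:
        return True           # EPERM: it exists but belongs to another user


def find_hidden_pids(visible: set[int], probe: Callable[[int], bool],
                     candidates: Iterable[int]) -> list[int]:
    """PIDs the probe confirms alive that the directory view does not list.

    Pure logic with the probe injected, so it can be exercised with a fake probe.
    """
    return sorted(pid for pid in candidates if pid not in visible and probe(pid))


def classify_pid(pid: int, proc_root: str = "/proc") -> str:
    """Explain an alive-but-unlisted PID.

    'thread'        -> a thread ID; /proc/<tid>/status exists but Tgid != pid. Expected.
    'process'       -> a thread-group leader with a readable status file that readdir()
                       omitted: consistent with userland/getdents filtering.
    'no_proc_entry' -> kill() says it exists but /proc has no entry at all: consistent
                       with kernel-level hiding (or a PID-reuse race, hence two passes).
    """
    try:
        with open(f"{proc_root}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return "thread" if int(line.split()[1]) != pid else "process"
    except OSError:
        return "no_proc_entry"
    return "process"


def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    """Upper bound of the PID space to sweep; falls back to the classic default."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except OSError:
        return 32768


def hunt(proc_root: str = "/proc", probe: Callable[[int], bool] = pid_exists_via_kill,
         passes: int = 2) -> dict[int, str]:
    """Sweep the whole PID space; a PID must be unlisted-yet-alive in every pass
    to be reported, which filters out processes spawned or exited mid-sweep."""
    candidates = range(1, read_pid_max() + 1)
    suspects: set[int] | None = None
    for _ in range(passes):
        found = set(find_hidden_pids(proc_listed_pids(proc_root), probe, candidates))
        suspects = found if suspects is None else suspects & found
    results = {}
    for pid in sorted(suspects or ()):
        kind = classify_pid(pid, proc_root)
        if kind != "thread":      # threads are unlisted by design, not hidden
            results[pid] = kind
    return results


if __name__ == "__main__":
    hits = hunt()
    if not hits:
        print("no unlisted live PIDs found")
    for pid, kind in hits.items():
        print(f"PID {pid}: {kind}")
```

Run it as root so that `/proc/<pid>/status` is readable for every process; a full sweep of the default 4-million PID space takes a few seconds in Python. A `process` hit means the listing is being filtered, a `no_proc_entry` hit that survives both passes means the kernel itself is answering inconsistently, and either one justifies pulling the host for offline forensics rather than investigating further on a system whose own tools can no longer be trusted.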

Command and Control

UNC3886 demonstrates notable operational security in its C2 infrastructure, using legitimate platforms like Google Drive and GitHub to blend malicious traffic with normal business communications. In the Singapore campaign, researchers from Team Cymru identified the group's use of Operational Relay Box (ORB) networks — mesh networks built from compromised residential routers and IoT devices that serve as anonymizing proxies to hide the true origin of attack traffic. Team Cymru identified up to 12 unique ORB-tagged IPs on the four targeted ISPs and up to 44 across Singapore overall — including nodes hosted on cloud and hosting providers like AWS and Vultr — over a 90-day period.

Known CVEs Exploited by UNC3886

CVE             Product              Vulnerability class and impact
CVE-2022-41328  Fortinet FortiOS     Path traversal — read/write to filesystem
CVE-2022-42475  Fortinet FortiOS     Heap-based buffer overflow — RCE
CVE-2023-34048  VMware vCenter       Out-of-bounds write via DCERPC — RCE
CVE-2023-20867  VMware Tools         Authentication bypass in guest operations
CVE-2025-21590  Juniper Junos OS     Improper isolation in kernel — code injection via Veriexec bypass

What Defenders Should Take Away

  1. Edge devices are the new frontline: UNC3886's entire playbook revolves around targeting firewalls, routers, and hypervisors — devices where traditional security agents cannot run. Organizations that treat these devices as black boxes with no monitoring or integrity checking are leaving their doors unguarded.
  2. Zero-day resilience requires architectural thinking: When the initial compromise comes through an unknown vulnerability, the only defenses that matter are the ones that limit what happens after the breach. Network segmentation, strict access controls, behavioral anomaly detection, and architectural separation of critical systems from general-purpose networks are what determine how far an attacker gets once they're inside.
  3. Early reporting changes outcomes: Singapore's telcos flagged suspicious activity to government agencies before the incidents reached formal breach notification thresholds. That early communication is what allowed Operation CYBER GUARDIAN to launch before UNC3886 achieved its ultimate objectives. Organizations need clear channels and a culture that encourages flagging anomalies early, not only after they become confirmed incidents.
  4. Assume breach and hunt proactively: UNC3886's use of rootkits, log tampering, and anti-forensics tools means that traditional alerting may never fire. Proactive threat hunting — actively searching for indicators of compromise and behavioral anomalies — is not optional for critical infrastructure operators. It is a baseline requirement.
  5. End-of-life devices are active liabilities: UNC3886's targeting of end-of-life Juniper MX Series routers is a clear signal. Devices no longer receiving security patches are not just technical debt — they are open invitations to sophisticated adversaries who actively catalog and exploit these exact systems.
  6. Public-private coordination is a force multiplier: Singapore's national cyber defense doctrine — which pre-defined roles, responsibilities, and coordination mechanisms for exactly this scenario — enabled a response that no single organization could have mounted alone. Over 100 defenders from six agencies working in concert with four private-sector operators over eleven months is a scale of coordination that requires advance planning, not improvisation.

"Your actions, or inaction, can determine whether we succeed or fail in protecting our critical infrastructure, and our national security." — Josephine Teo (IMDA)
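Takeaway 4 above (hunt proactively because alerting may never fire) has a concrete starting point in the one signal an intruder cannot remove by editing logs: the absence of logs. A backdoor that disables logging on a router, as the Juniper backdoors did, leaves a stretch of silence from a host that normally chatters; an actor who trims entries from a collected file and rewrites it tends to leave timestamps that step backwards. The script below is an added example written for this article, not tooling from the page's sources and not UNC3886's code. It parses RFC 3164-style syslog lines, learns each host's normal cadence from the median interval between its messages, and reports both silences and out-of-order timestamps. Every hostname, process, address and time in SAMPLE_LOG is constructed for the example, and the lines assume a single calendar year (RFC 3164 timestamps carry none).

```python
"""Flag logging silence and timestamp regressions in a syslog stream (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
import re

# RFC 3164 shape: "Mar  9 02:00:01 host message..." (no year, variable day padding)
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<msg>.*)$"
)

# Constructed sample: mx-edge-1 reports every 30 s and then goes quiet for ~1h45m;
# fw-dmz-2 has a line dated 01:58 that appears after a 02:02 line (file rewritten).
SAMPLE_LOG = """\
Mar  9 02:00:01 mx-edge-1 chassisd[1420]: health check ok
Mar  9 02:00:31 mx-edge-1 chassisd[1420]: health check ok
Mar  9 02:01:01 mx-edge-1 chassisd[1420]: health check ok
Mar  9 02:01:03 fw-dmz-2 sshd[919]: Accepted publickey for admin from 10.20.0.5
Mar  9 02:01:31 mx-edge-1 chassisd[1420]: health check ok
Mar  9 02:02:01 fw-dmz-2 sshd[919]: pam_unix(sshd:session): session opened for user admin
Mar  9 01:58:00 fw-dmz-2 cron[102]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)
Mar  9 03:47:12 mx-edge-1 chassisd[1420]: health check ok
Mar  9 03:47:42 mx-edge-1 chassisd[1420]: health check ok
Mar  9 03:48:00 fw-dmz-2 sshd[940]: Accepted publickey for admin from 10.20.0.5
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    msg: str


@dataclass(frozen=True)
class Gap:
    host: str
    start: datetime
    end: datetime
    seconds: float


@dataclass(frozen=True)
class Regression:
    host: str
    previous: datetime   # latest timestamp seen for this host before the offending line
    current: datetime
    msg: str


def parse_log(text: str, year: int = 2025) -> list[Event]:
    """Parse lines in file order; unparseable lines are skipped (count them in real use)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["host"], m["msg"]))
    return events


def find_gaps(events: list[Event], factor: float = 10.0,
              min_gap: timedelta = timedelta(minutes=5)) -> list[Gap]:
    """Per host, sort timestamps, take the median interval as the host's normal cadence
    and report any interval above max(min_gap, factor * median). Sorting first keeps a
    regressed line from masking or faking a gap; hosts with a single line are skipped."""
    by_host: dict[str, list[datetime]] = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e.ts)
    gaps = []
    for host, stamps in sorted(by_host.items()):
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if not intervals:
            continue
        threshold = max(min_gap.total_seconds(), factor * median(intervals))
        for a, b, secs in zip(stamps, stamps[1:], intervals):
            if secs > threshold:
                gaps.append(Gap(host, a, b, secs))
    return gaps


def find_regressions(events: list[Event],
                     tolerance: timedelta = timedelta(seconds=5)) -> list[Regression]:
    """In file order, per host, flag a timestamp earlier than that host's latest one by
    more than `tolerance` (small reorderings from collector clock skew are normal)."""
    latest: dict[str, datetime] = {}
    out = []
    for e in events:
        prev = latest.get(e.host)
        if prev is not None and prev - e.ts > tolerance:
            out.append(Regression(e.host, prev, e.ts, e.msg))
        latest[e.host] = e.ts if prev is None else max(prev, e.ts)
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for g in find_gaps(evs):
        print(f"SILENCE    {g.host}: {g.start:%H:%M:%S} -> {g.end:%H:%M:%S} ({g.seconds:.0f}s)")
    for r in find_regressions(evs):
        print(f"REGRESSION {r.host}: {r.current:%H:%M:%S} logged after {r.previous:%H:%M:%S}: {r.msg}")
```

Both checks only work if the logs leave the device: a rootkit that disables local logging cannot remove lines that already reached a remote collector, so the detection belongs on the collector, not the appliance. The median-based threshold is deliberately per host, because a chatty chassis daemon and a firewall that logs only on logins have very different notions of "silence".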

Operation CYBER GUARDIAN is not a finished chapter. Minister Teo was explicit: despite the containment, there is no guarantee against future attempts. APT actors backed by nation-state resources have the patience, capability, and strategic motivation to keep trying. Singapore's CSA has raised its National Cyber Threat Alert Level, convened CEO-level classified briefings for all critical infrastructure owners, and begun introducing new mandatory reporting requirements for suspected cyberattacks.

For the rest of us watching from the outside, the lesson is uncomfortable but necessary. The question is not whether your critical infrastructure will be targeted by a sophisticated adversary. It is whether your defenses, your monitoring, your architecture, and your coordination with partners will be ready when it happens. Singapore had eleven months to answer that question under real-world conditions. How would your organization perform in the same test?

Sources: Cyber Security Agency of Singapore (CSA) Press Release | Minister Josephine Teo's Full Speech, Feb 9 2026 | IMDA Press Release | Trend Micro: Revisiting UNC3886 Tactics | Team Cymru: Tracking ORBs on Singapore's Telco Networks | OT-ISAC Advisory on UNC3886
