On 9 February 2026, the Cyber Security Agency of Singapore (CSA) together with the Infocomm Media Development Authority (IMDA) publicly disclosed detailed findings from an extensive cyber-defence campaign launched in response to a sophisticated threat actor targeting the nation’s telecommunications infrastructure. Codenamed Operation CYBER GUARDIAN, this coordinated response represents the largest multi-agency cyber operation in Singapore’s history, involving over 100 cyber defenders from government agencies and private sector operators.
Threat Background: APT Actor UNC3886
UNC3886 is classified as an Advanced Persistent Threat (APT) actor — a category of threat known for long-term, stealthy intrusion campaigns using custom tooling and deep technical capabilities to compromise critical systems. Investigations showed that UNC3886 undertook a deliberate and highly targeted campaign against Singapore’s telecommunications sector, spanning multiple months. All four major telcos in Singapore — M1, SIMBA Telecom, Singtel, and StarHub — were confirmed as targets.
Advanced persistent threats are characterised by patience, resilience, and the ability to evade standard cyber defences through the use of zero-day exploits, rootkits, specialised malware, and persistent access mechanisms. In this campaign:
- The adversary exploited an undisclosed zero-day vulnerability in perimeter firewalls to gain an initial foothold in network environments.
- It deployed rootkits to establish persistent access, conceal malicious presence, and complicate detection and remediation efforts.
- A limited amount of network-related technical data was exfiltrated, likely to support ongoing operational objectives, according to CSA’s assessment.
Detection and National Response
The intrusion activities were first identified internally by the affected telcos, which promptly notified IMDA and CSA. In response, government agencies initiated Operation CYBER GUARDIAN, a whole-of-government effort designed to contain the intrusions and strengthen defensive posture across the telecommunications sector. The operation spanned over eleven months and integrated capabilities from multiple statutory and operational bodies, including:
- Cyber Security Agency of Singapore (CSA)
- Infocomm Media Development Authority (IMDA)
- Centre for Strategic Infocomm Technologies (CSIT)
- Digital and Intelligence Service (DIS)
- Government Technology Agency of Singapore (GovTech)
- Internal Security Department (ISD)
This integrated force worked alongside telco security teams to limit lateral movement by UNC3886 within internal networks, contain existing breaches, and prevent further compromise or escalation.
Operational Outcomes and Technical Impact
Although UNC3886 achieved initial penetration into parts of the telecommunications systems, several key technical outcomes reflect the effectiveness of the defensive response:
- Service stability maintained: There is no evidence that telecommunications services — such as voice, data, or internet availability — were disrupted as a result of these intrusions.
- Data integrity preserved: No sensitive or personal customer data (e.g., subscriber records) has been confirmed as accessed or exfiltrated during these attacks.
- Compromise containment: Remediation efforts were executed to close off identified access points, strengthen perimeter defences, and enhance real-time monitoring capabilities to detect any future malicious behaviour.
These containment measures involved detailed forensic analysis, reconfiguration of security controls, elevated threat hunting, and expanded anomaly detection across network segments.
Strategic Lessons and Future Cyber Defence Posture
Operation CYBER GUARDIAN highlighted several strategic insights for national and sectoral cyber resilience:
- Collaboration: The coordinated effort underscores the critical importance of timely information sharing and collaboration between private sector operators and multiple government agencies.
- Defence-in-Depth: Relying on layered security controls — such as perimeter firewalls, endpoint monitoring, threat hunting, and intrusion detection systems — proved essential in delaying and containing sophisticated intrusion techniques.
- Preparedness: Despite successful containment, Singapore’s telcos and cybersecurity ecosystem remain on heightened alert for similar future threats, given that telecommunications infrastructure continues to be a strategic target for advanced threat actors globally.
According to CSA and IMDA, ongoing enhancements to defensive toolsets, active threat-intelligence sharing, and cybersecurity workforce capability development are key pillars of Singapore’s broader national cyber strategy.
Looking Ahead
The Minister for Digital Development and Information — who also oversees the national cybersecurity portfolio — addressed cyber defenders involved in the operation, emphasising the need for sustained vigilance and investment in cybersecurity capabilities. The event reaffirmed the collective commitment of government and industry to safeguard critical infrastructure against evolving threats.
In conclusion, Operation CYBER GUARDIAN stands as a benchmark for multi-agency cyber defence in an era where state-level adversaries continue to employ advanced tactics to target critical infrastructure. The technical lessons, collaborative frameworks, and defensive enhancements derived from this operation will continue to shape Singapore’s resilience against future APT campaigns.
