China-Backed Salt Typhoon Hackers Breach All Four Major Telecom Providers in Singapore Singapore has confirmed that China-linked hacking group Salt Typhoon successfully infiltrated the critical systems of its four largest telecommunications carriers Singtel, StarHub, M1, and TPG Telecom serving the nation’s entire 5.9 million population. The government disclosed the breach today, revealing that while the attackers gained "limited access to critical systems," they were prevented from disrupting services or stealing customer data. The incident reflects a broader pattern of state-sponsored cyberattacks targeting global telecom infrastructure, with Salt Typhoon previously linked to breaches in the U.S. and Europe. The group, tracked by cybersecurity firm Mandiant, is known for exploiting vulnerabilities in network equipment to establish long-term access, often for intelligence-gathering purposes. The compromise of all four major carriers underscores the strategic nature of the attack, as telecom networks underpin government communications, financial transactions, and national security. While Singaporean officials emphasized that the breach was contained, the incident highlights the growing threat posed by coordinated, well-resourced cyber campaigns targeting critical infrastructure.

Singapore’s Major Telcos Targeted by State-Linked Cyberespionage Group UNC3886 On February 9, Singapore’s Minister for Digital Development and Information, Josephine Teo, disclosed that all four of the country’s major telecommunications providers Singtel, StarHub, M1, and Simba Telecom were targeted by the advanced persistent threat (APT) group UNC3886, a China-linked cyberespionage actor. First identified in 2022 by cybersecurity firm Mandiant, UNC3886 is known for its persistent, sophisticated attacks aimed at intelligence gathering and long-term surveillance. The group employs zero-day exploits vulnerabilities unknown to vendors to infiltrate network devices, virtualization systems, and critical infrastructure. It also uses custom malware and legitimate system tools to evade detection, making it particularly difficult to counter. While no sensitive data was confirmed to have been exfiltrated, authorities warned of the potential fallout. A successful breach could disrupt telecom and internet services, cascading into sectors like banking, finance, transport, and healthcare all part of Singapore’s 11 critical services sectors. Minister Teo emphasized that even limited access could erode trust in Singapore’s digital infrastructure and economic security. The Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA) revealed that UNC3886’s activities were detected in parts of the country’s critical information infrastructure as early as July 18, 2025. Though the group managed to steal a small amount of technical data, 5G networks and other core systems remained uncompromised due to separate security measures. UNC3886 has a history of targeting high-value sectors globally, including government, defense, energy, and telecommunications. Past attacks have exploited vulnerabilities in Juniper Networks routers, Fortinet security devices, and VMware virtual machines. The group’s persistence was underscored by Minister Teo, who noted that even if detected and removed, UNC3886 would likely attempt re-entry. The incident follows a pattern of escalating cyber threats against Singapore. Previous APT attacks include the 2014 breach of the Ministry of Foreign Affairs, the 2017 intrusions at NUS and NTU (targeting government-linked research), and the 2018 SingHealth data breach, which exposed the personal data of 1.5 million patients, including then-Prime Minister Lee Hsien Loong. More recently, in 2024, a global botnet infected 2,700 devices in Singapore, though no critical infrastructure was affected. While Singapore’s defenses prevented significant damage in this case, authorities stressed that the threat remains ongoing, with UNC3886’s tactics continuing to evolve.

Sophisticated Cyberattack Targets Singapore’s Major Telcos, Thwarted by Large-Scale Government Response Singapore authorities confirmed that all four of the country’s major telecommunications operators Singtel, M1, StarHub, and SIMBA were targeted in a cyberattack attributed to the advanced persistent threat (APT) group UNC3886, a suspected China-linked espionage actor. The attacks, first disclosed publicly in July 2025, were detected after the telcos reported suspicious network activity to the Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA). On 9 February 2026, Minister for Digital Development and Information Josephine Teo revealed that while attackers breached a limited number of critical systems, they were unable to disrupt services or access sensitive customer data. The government’s response, Operation Cyber Guardian, mobilized over 100 personnel from six agencies, including the Centre for Strategic Infocomm Technologies, the Singapore Armed Forces’ Digital and Intelligence Service, and GovTech, marking the largest coordinated cyber response in Singapore’s history. UNC3886, classified as a highly sophisticated threat actor, employed zero-day exploits to bypass perimeter defenses and deployed rootkits to maintain persistent access. Authorities confirmed the exfiltration of a small amount of network-related technical data, though no customer information was compromised. The attackers’ lateral movement was restricted through joint efforts with telcos, and enhanced monitoring was implemented to prevent re-entry. Teo warned that a successful attack could have cascaded into disruptions across banking, transport, and healthcare services, emphasizing that critical infrastructure remains a prime target due to its foundational role in the digital economy. While Singapore has seen a fourfold increase in APT activity between 2021 and 2024, the response demonstrated the effectiveness of the country’s classified national cyber defence doctrine, developed in 2020 and tested for the first time in a real-world operation. The attacks align with global trends, including breaches at South Korea’s SK Telecom and U.S. telecom providers in 2024. Though UNC3886’s alleged state affiliation remains unconfirmed, the Chinese embassy in Singapore has denied involvement, dismissing such claims as "groundless." Authorities have opted not to publicly attribute the attacks to a specific country, citing strategic considerations.

The personal identification information of about 129,000 customers of Singtel was breached in a cyber attack on data transfer software, Accellion’s FTA that it uses. The stolen data includes name, date of birth, phone number, and address of the customers along with bank account information of some former employees.