Chinese cyberspies breach Singapore’s four largest telcos: A Technical Analysis of UNC3886 Campaigns
Key Takeaways:
- UNC3886 utilized zero-day exploits and custom rootkits to maintain long-term persistence within Singapore’s primary telecommunications infrastructure.
- The threat actor focused on technical data theft rather than consumer PII, suggesting long-term intelligence gathering objectives.
- Critical vulnerabilities in edge devices like BeyondTrust (CVE-2026-1731) and Ivanti EPMM are being actively exploited by state-aligned actors.
- Supply-chain risks remain a primary vector, as evidenced by the breach of Senegal’s DAF via a third-party digital ID contractor.
Table of Contents:
- Chinese cyberspies breach Singapore’s four largest telcos: Persistence and Tactics
- Global Context: The Targeting of Telecommunications
- Technical Analysis of CVE-2026-1731: BeyondTrust Privileged Remote Access
- Vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM)
- Ransomware and Data Theft: The Senegal DAF Breach
- Social Engineering via Signal QR Codes
- Engineering Perspectives and Mitigation Strategies
- Strategic Takeaways for Business Leaders
- Supporting Infrastructure Security with PurpleOps
- Frequently Asked Questions
The Chinese threat actor identified as UNC3886 recently targeted and breached the infrastructure of Singapore’s four primary telecommunications providers: Singtel, StarHub, M1, and Simba. Reports indicate that these intrusions occurred at least once over the previous year, involving unauthorized access to critical systems. While the attackers moved within these environments, investigations by Singapore’s Cyber Security Agency (CSA) and the Infocomm Media Development Authority (IMDA) suggest the adversaries did not achieve the depth required to disrupt essential services or exfiltrate sensitive customer data.
This campaign, which was initially disclosed in July 2025, prompted the initiation of ‘Operation Cyber Guardian,’ a government-led response aimed at neutralizing the threat actor’s presence within the telecommunications sector. As organizations evaluate their own defensive postures, the use of a cyber threat intelligence platform becomes necessary to track such sophisticated state-aligned actors.
Chinese cyberspies breach Singapore’s four largest telcos: Persistence and Tactics
The breach of Singapore’s telecommunications sector provides a case study in advanced persistent threat (APT) methodologies. UNC3886 utilized a zero-day exploit to bypass perimeter firewalls, which served as the initial entry point into the providers’ networks. Once inside, the group deployed rootkits to maintain stealth and persistence. The use of rootkits is a hallmark of UNC3886, allowing them to operate beneath the level of standard operating system security controls and evade traditional breach detection mechanisms.

The CSA’s investigation revealed that the attackers were focused on stealing technical data rather than consumer personally identifiable information (PII). This focus on technical data suggests an objective centered on long-term intelligence gathering or preparing for future disruptive capabilities. The immediate response by Singaporean authorities involved over a hundred investigators from six government agencies. By containing the compromise and closing access points, the CSA successfully blocked the actor from pivoting into other critical sectors, such as banking, healthcare, and transport.
UNC3886 is not a new entity in the threat landscape. Since 2023, research has tracked this group targeting government and technology firms globally. Their primary strategy involves the exploitation of zero-day vulnerabilities in edge devices and virtualization platforms. Previous campaigns have leveraged:
- CVE-2022-41328 (FortiGate firewalls)
- CVE-2023-20867 (VMware ESXi)
- CVE-2023-34048 (VMware vCenter Server)
The specific zero-day used in the Singaporean telco breach has not been publicly identified by the CSA, but the methodology aligns with the group’s established preference for targeting internet-facing infrastructure that lacks comprehensive endpoint detection and response (EDR) coverage.
Global Context: The Targeting of Telecommunications
The Singapore incident is part of a broader trend of China-aligned espionage targeting national communication backbones. In late 2024, the actor known as Salt Typhoon breached several U.S. broadband providers. In those instances, the hackers accessed lawful network wiretapping systems, potentially compromising sensitive law enforcement communications. Similarly, in mid-2025, the Canadian government reported intrusions into its telecommunications firms via a Cisco IOS XE vulnerability.
These incidents demonstrate that telecommunications infrastructure remains a primary target for state actors seeking to intercept data at the source. Organizations operating in this space must prioritize supply-chain risk monitoring and the auditing of edge devices to mitigate the risk of similar intrusions.
Technical Analysis of CVE-2026-1731: BeyondTrust Privileged Remote Access
Concurrent with the news of the Singapore breaches, a critical vulnerability has been identified in BeyondTrust’s Privileged Remote Access (PRA) and Remote Support tools. Tracked as CVE-2026-1731, this flaw carries a CVSS score of 9.9.
The vulnerability is categorized as an operating system (OS) command injection. It allows an unauthenticated remote attacker to send specially crafted requests to the system, resulting in the execution of commands within the context of the site user. This type of flaw is particularly dangerous because it does not require valid credentials to exploit, making it an ideal entry point for actors like UNC3886 who specialize in edge device exploitation.
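To make the vulnerability class concrete, the following added example (written for this article, not code from BeyondTrust or from any real product) shows the coding pattern behind an OS command injection and its hardened counterpart. The diagnostics endpoint, the `ping` use case and the crafted input are constructed for illustration; the point is that untrusted input concatenated into a shell command line lets a request author append commands, whereas an allowlist check plus an argv list with no shell confines the input to a single argument.

```python
import re
import shlex
import subprocess

# Hypothetical diagnostics endpoint: an operator supplies a hostname and the
# service runs one "ping" for it. Names and structure are constructed for
# this illustration and are not taken from any product.

# Allowlist: DNS hostname characters only, and no leading "-" so the value
# cannot be parsed as an option by the executed program.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Tokens a POSIX shell treats as command separators.
SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}


def build_ping_command_unsafe(host: str) -> str:
    """Vulnerable pattern: untrusted input concatenated into a command line
    that is later handed to a shell (e.g. subprocess.run(cmd, shell=True))."""
    return f"ping -c 1 {host}"


def injected_commands(cmdline: str) -> list:
    """Tokenize the line the way a POSIX shell would and return every word
    that starts a new command after a separator. A non-empty result means
    the input escaped the single command the developer intended."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    extra, after_sep = [], False
    for tok in lexer:
        if tok in SHELL_SEPARATORS:
            after_sep = True
        elif after_sep:
            extra.append(tok)
            after_sep = False
    return extra


def build_ping_command_safe(host: str) -> list:
    """Hardened form: validate against a strict allowlist, then return an
    argv list so the value is passed as exactly one argument, with no shell."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def safe_rejects(host: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_ping_command_safe(host)
    except ValueError:
        return True
    return False


def run_diagnostic(host: str) -> int:
    """Execute the hardened command with shell=False; returns the exit code."""
    argv = build_ping_command_safe(host)
    return subprocess.run(argv, shell=False, capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    crafted = "example.com; id"  # constructed attacker-style input
    unsafe_line = build_ping_command_unsafe(crafted)
    print(unsafe_line, "->", injected_commands(unsafe_line))
    print("hardened builder rejects it:", safe_rejects(crafted))
```

The unsafe builder is kept as a string-only function so the defect can be inspected without running it; `injected_commands` shows what a shell would have executed. The fix is the combination of the allowlist and `shell=False`, not either one alone: the regex also blocks a leading `-`, which would otherwise turn the value into an option for the program even when no shell is involved.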
Security researchers utilized AI-enabled variant analysis to discover approximately 11,000 exposed instances of this service on the public internet. Of these, roughly 8,500 are on-premises deployments. Organizations using PRA versions 24.3.4 and prior are urged to apply patch BT26-02-PRA or upgrade to version 25.1.1 immediately. Failure to remediate this flaw could lead to unauthorized data exfiltration and complete service disruption. For those managing complex environments, integrating a live ransomware API and real-time ransomware intelligence can help identify if these entry points are being weaponized by financially motivated groups or state actors.
Vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM)
The European Union and the Dutch government have also confirmed recent hacks stemming from vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). The flaws, tracked as CVE-2026-1281 and CVE-2026-1340, both carry CVSS scores of 9.8.
These vulnerabilities allow for remote code execution (RCE) without requiring a username or password. Because EPMM is used to manage mobile fleets (controlling security rules and app settings for phones and tablets), a compromise at this level gives an attacker significant control over an organization’s mobile ecosystem.
In the Dutch breach, unauthorized parties viewed work-related data, including names, business emails, and phone numbers. The European Commission reported a similar incident where staff names and mobile numbers were accessed; no compromise of individual mobile devices was detected in the Commission’s case, and the incident was contained within nine hours of detection. These attacks highlight the need for brand leak alerting to monitor for the exposure of internal staff directories on the dark web.
Ransomware and Data Theft: The Senegal DAF Breach
In a separate but related development, the government of Senegal confirmed a significant breach of its Directorate of File Automation (DAF). This office manages sensitive biometric data, national ID cards, and passports for the country’s 19.5 million residents.
The Green Blood Group, a ransomware gang that emerged in early 2026, claimed responsibility for the theft of 139 GB of data. The breach allegedly involved two DAF servers and included card personalization data. The hackers released samples of the stolen data to verify their claims.
A critical element of this breach is the involvement of IRIS Corporation Berhad, a Malaysian firm contracted to produce Senegal’s digital ID cards. An internal email from IRIS revealed that the hackers had breached the servers on January 19, leading to the suspension of network connections to foreign missions and other government offices.
This incident serves as a reminder of the importance of dark web monitoring services that can identify stolen government or corporate databases before they are fully liquidated. Furthermore, underground forum intelligence is vital for tracking the emergence of new groups like Green Blood Group.
Social Engineering via Signal QR Codes
Threat actors are also diversifying their delivery methods for espionage. In Europe, the German Federal Office for Information Security (BSI) and the Federal Office for the Protection of the Constitution (BfV) have issued warnings regarding a wave of attacks targeting military leaders, diplomats, and journalists.
These attacks do not rely on malware but rather on social engineering and the abuse of the Signal messaging app’s legitimate features. Attackers attempt to trick victims into revealing a six-digit security PIN or an SMS code. Once obtained, the attacker registers the victim’s phone number on their own device, effectively hijacking the account.
A specific “QR Code Trap” is being used to facilitate this process. Once the account is compromised, the actors can monitor private chats and send messages as the victim, access that is often used to spread disinformation or conduct further social engineering within trusted circles. Organizations should incorporate Telegram threat monitoring and similar messaging intelligence to track how these tactics are shared and refined among adversary groups.
Engineering Perspectives and Mitigation Strategies
For technical teams and engineers, the breach of Singapore’s telcos and the subsequent CVE disclosures emphasize several architectural requirements.
Hardening Edge Infrastructure
Edge devices (firewalls, VPN gateways, and mobile management platforms) are the primary targets for actors like UNC3886. Because these devices are internet-facing by design, they must be subjected to rigorous auditing.
- Zero-Day Readiness: Since many of these attacks utilize unpatched vulnerabilities, network segmentation is critical. Edge devices should reside in isolated zones with limited access to the internal network core.
- Log Integrity: UNC3886 and similar actors use rootkits to hide their presence. Centralized logging to a write-only environment preserves a copy of the evidence off-host even if attackers delete their tracks on the compromised machine.
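As an added illustration of the log integrity point (example code written for this article, not a PurpleOps or vendor implementation), the block below shows one way to make centrally collected logs tamper-evident: the host agent chains each record to its predecessor with a SHA-256 digest, and the write-only collector verifies the chain as records arrive. The record format, the helper names and the sample log lines are all constructed; the shipping transport (syslog over TLS, an agent, etc.) is assumed and not shown.

```python
import hashlib

GENESIS = "0" * 64  # anchor for the first record of a host's chain


def _digest(prev: str, seq: int, msg: str) -> str:
    # Each digest covers the previous digest, so removing, reordering or
    # editing any earlier record changes every digest after it.
    return hashlib.sha256(f"{prev}|{seq}|{msg}".encode()).hexdigest()


def build_chain(lines):
    """Host-side agent: wrap raw log lines into chained records before shipping."""
    records, prev = [], GENESIS
    for seq, msg in enumerate(lines, start=1):
        digest = _digest(prev, seq, msg)
        records.append({"seq": seq, "msg": msg, "prev": prev, "digest": digest})
        prev = digest
    return records


def verify_chain(records, last_seen_seq=None):
    """Collector side: walk the received records and report the first break.

    Returns (ok, seq, reason). last_seen_seq is the highest sequence number
    the append-only collector already holds for this host; it is what
    catches a host that drops its newest lines or simply stops shipping."""
    prev, expected_seq = GENESIS, 1
    for rec in records:
        if rec["seq"] != expected_seq:
            return False, expected_seq, "sequence gap"
        if rec["prev"] != prev:
            return False, rec["seq"], "previous digest mismatch"
        if _digest(prev, rec["seq"], rec["msg"]) != rec["digest"]:
            return False, rec["seq"], "record altered"
        prev, expected_seq = rec["digest"], rec["seq"] + 1
    if last_seen_seq is not None and expected_seq <= last_seen_seq:
        return False, expected_seq, "tail truncated"
    return True, None, "ok"


# Simulated on-host tampering, as a rootkit or an attacker with root could
# perform on a local log file before it is shipped.
def drop_record(records, seq):
    """Remove the record with the given sequence number."""
    return [r for r in records if r["seq"] != seq]


def alter_record(records, seq, new_msg):
    """Rewrite the message of one record, leaving its stored digest untouched."""
    out = [dict(r) for r in records]
    for r in out:
        if r["seq"] == seq:
            r["msg"] = new_msg
    return out


# Constructed sample lines from a hypothetical edge device (not real logs).
SAMPLE_LINES = [
    "2026-02-10T03:12:01Z sshd[412]: Accepted publickey for admin from 10.0.0.5",
    "2026-02-10T03:12:09Z sudo: admin : COMMAND=/bin/sh",
    "2026-02-10T03:12:40Z kernel: module example_mod loaded (tainted)",
    "2026-02-10T03:13:02Z sshd[412]: session closed for user admin",
    "2026-02-10T03:15:00Z cron[77]: (root) CMD run-parts /etc/cron.hourly",
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_LINES)
    print("intact:", verify_chain(chain))
    print("record 3 deleted:", verify_chain(drop_record(chain, 3)))
    print("record 2 edited:", verify_chain(alter_record(chain, 2, "sudo: nothing to see")))
    print("newest records dropped:", verify_chain(chain[:3], last_seen_seq=5))
```

The chain alone proves that what arrived is contiguous and unmodified; it cannot prove that the host kept sending. That is why the `last_seen_seq` check and the write-only collector matter together: the collector retains the highest sequence it has stored, the host cannot lower it, and a rootkit that silences or trims the local log produces a visible break rather than a clean history.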
Identity and Access Management
The BeyondTrust and Signal incidents demonstrate that identity is a vulnerable layer.
- Phishing-Resistant MFA: Traditional SMS-based MFA is susceptible to hijacking. Transitioning to hardware keys or FIDO2-compliant authentication methods reduces the risk of account takeover.
- Privileged Access Review: In light of CVE-2026-1731, any tool that manages privileged access must itself be treated as a high-risk asset. Automated vulnerability scanning and rapid patch deployment cycles are mandatory.
Strategic Takeaways for Business Leaders
- Vendor Risk Management: The Senegal incident demonstrates that a breach at a third-party contractor (IRIS Corporation) can directly impact the security of the primary organization. Supply-chain security must include technical audits and incident response clauses.
- Incident Response Readiness: Singapore’s ‘Operation Cyber Guardian’ was successful because it was a coordinated effort involving multiple agencies. Business leaders should ensure their IR plans involve cross-departmental coordination.
- Investment in Intelligence: Tracking state actors and emerging ransomware groups requires more than just reactive patching. Investing in cyber threat intelligence platform services provides the foresight needed to anticipate the tactics of groups like UNC3886.
Supporting Infrastructure Security with PurpleOps
The complexity of these state-sponsored campaigns requires a multi-layered defensive strategy. PurpleOps provides the technical expertise and platforms necessary to identify, monitor, and mitigate these advanced threats.
Our cyber threat intelligence platform offers deep visibility into actor methodologies, including the specific rootkit and zero-day tactics favored by UNC3886. By leveraging dark web monitoring services and underground forum intelligence, PurpleOps helps organizations identify if their credentials or technical data are being discussed or sold in the shadows.
To learn more about how our services can protect your infrastructure from advanced espionage and ransomware, explore our offerings:
- PurpleOps Platform
- Security Services Overview
- Red Team Operations
- Penetration Testing
- Supply Chain Information Security
- Ransomware Protection
- Dark Web Monitoring
- Cyber Threat Intelligence
Frequently Asked Questions
Who is the UNC3886 threat actor?
UNC3886 is a Chinese-aligned advanced persistent threat (APT) group known for its sophisticated use of zero-day vulnerabilities, specifically targeting edge devices and virtualization platforms to conduct espionage.
Was customer data stolen in the Singapore telco breach?
According to Singapore’s CSA, the investigation suggests that the attackers focused on stealing technical infrastructure data rather than consumer personally identifiable information (PII).
What is the significance of CVE-2026-1731?
CVE-2026-1731 is a critical OS command injection vulnerability in BeyondTrust Privileged Remote Access tools with a CVSS score of 9.9. It allows unauthenticated remote attackers to execute commands, potentially granting full access to sensitive systems.
How do attackers hijack Signal accounts using QR codes?
Attackers use social engineering to trick victims into scanning a QR code or providing a six-digit security PIN. This allows the attacker to register the victim’s number on their own device and gain full access to private chats.