Feb 16, 2026 · 5 min read

Chinese Hackers Breached All Four of Singapore's Major Telcos—It Took 11 Months to Kick Them Out

A China-linked cyber espionage group used a zero-day firewall exploit and rootkits to infiltrate Singtel, StarHub, M1, and SIMBA Telecom. Singapore's largest multi-agency cyber operation deployed hundreds of defenders to evict them.

The Breach

Singapore disclosed on February 10, 2026, that all four of its major telecommunications companies were breached by a cyber espionage group known as UNC3886. The affected carriers are Singtel, StarHub, M1, and SIMBA Telecom, which collectively serve virtually every mobile and internet customer in the country.

Security researchers link UNC3886 to China, though Singapore's government stopped short of publicly naming a state sponsor. The group has operated globally for years, targeting defense, technology, and telecommunications sectors across multiple countries.

How They Got In

UNC3886 used at least one previously unknown software flaw, a zero-day vulnerability, to bypass a firewall and slip inside the telecom networks. Once inside, the group deployed rootkits to maintain hidden, persistent access to compromised systems.

A zero-day exploit targets a vulnerability that the software maker has not yet discovered or patched. This means the telcos' defenses were bypassed not because of negligence, but because the attackers had a tool the defenders did not know existed. Rootkits, meanwhile, operate at such a low level of the operating system that they can hide their presence from most security software.

The combination of a zero-day entry point and rootkit persistence made this intrusion exceptionally difficult to detect and remove.

What They Took

Singapore's investigation determined that the intruders exfiltrated a small amount of technical data, mostly related to how the networks were configured. There is no indication that customer records, personal data, or communications were stolen. Mobile and internet services were never disrupted.

But the nature of the stolen data matters. Network configuration details reveal how systems are structured, where defenses are placed, and how traffic flows. This type of intelligence is precisely what an espionage group would collect to prepare for future, more targeted intrusions.

Operation Cyber Guardian

Singapore's response, called Operation Cyber Guardian, was the country's largest multi-agency cyber operation to date. Hundreds of defenders from the Cyber Security Agency, the Infocomm Media Development Authority, the Centre for Strategic Infocomm Technologies, and other entities spent over 11 months systematically identifying and evicting UNC3886 from all four networks.

Eleven months is a long time to spend cleaning out a network intrusion. It reflects both the sophistication of the attack and the difficulty of ensuring that every backdoor and rootkit has been found and removed.

The Bigger Picture

This is not an isolated incident. It fits a pattern of China-linked hacking groups systematically targeting telecommunications infrastructure worldwide. The Salt Typhoon group breached major U.S. telecom carriers in 2024, accessing call metadata and even wiretap systems used by law enforcement. Norway disclosed in 2026 that Chinese hackers breached its networks in what it called the most serious cyber threat since World War II.

Telecom networks are high-value targets because they carry the communications of an entire nation. Metadata alone (who called whom, when, and for how long) can reveal intelligence sources, political relationships, and military movements without anyone ever listening to a conversation.

What This Means for You

When your telecom provider gets breached, your personal security posture matters more than ever. Even if customer data was not stolen in this case, the pattern of telecom breaches globally shows that call records, location data, and subscriber information are frequent targets.

  • Use end-to-end encrypted messaging apps like Signal for sensitive communications, since carrier networks cannot be fully trusted.
  • Be aware that your phone's location data passes through your carrier's infrastructure.
  • If you receive unusual security alerts or account verification requests from your telecom provider, treat them with extra scrutiny.

Singapore's 11-month eviction effort demonstrates that even well-resourced governments struggle to remove sophisticated state-backed hackers from critical infrastructure. The question is not whether your carrier has been targeted, but whether it has noticed.