Ethical Hacking News

Singapore's Largest Cyber Defense Operation Reveals Complexities of Modern Telecommunications Espionage



Singapore's largest cyber defense operation to date: 11-month expulsion of suspected China-linked espionage crew from telecom networks

  • Singapore successfully evicted a suspected China-linked espionage crew from its telecommunications networks after an 11-month digital eviction effort.
  • The operation, dubbed "Operation Cyber Guardian," involved over 100 personnel and marked the largest coordinated cyber defense operation undertaken by Singapore to date.
  • The attackers exploited previously unknown flaws in network infrastructure, including FortiGate firewalls and VMware ESXi.
  • The attackers' campaign was focused on gathering sensitive information about Singapore's telecommunications infrastructure.
  • The complexity of the operation highlighted the need for international cooperation in combating cyber espionage.
  • The use of custom rootkits by the attackers raised questions about the sophistication of state-sponsored cyber espionage campaigns.



    In a remarkable display of cybersecurity prowess, Singapore has successfully evicted a suspected China-linked espionage crew from its telecommunications networks after an 11-month digital eviction effort. The operation, dubbed "Operation Cyber Guardian," involved more than 100 personnel from across government, military, intelligence, and industry, and marked the largest coordinated cyber defense operation undertaken by the city-state to date.

    According to officials, the suspected espionage crew, identified as UNC3886, had launched a deliberate, targeted, and well-planned campaign against Singapore's telecommunications sector. The attackers had exploited previously unknown flaws in network infrastructure, including FortiGate firewalls, VMware ESXi, and VMware vCenter Server endpoints, before digging in using custom rootkits that allowed them to remain hidden deep within telecom systems.

    The investigation revealed that UNC3886 had been attempting to siphon off technical network information that could support long-term intelligence collection. Unlike other types of cyber espionage campaigns, which often focus on stealing customer records or causing outages that draw attention, this campaign seemed to be focused on gathering sensitive information about Singapore's telecommunications infrastructure.

    The complexity of the operation was reflected in the number of personnel involved and the length of time taken to complete the eviction effort. The operation involved a team of experts from various government agencies, including the Cyber Security Agency of Singapore (CSA), as well as telco engineers and security specialists from the four major telecom providers in Singapore.

    According to officials, the operation was a significant success, with all suspected attackers successfully evicted from the network without causing any outages or disruptions to service. The success of the operation highlights the importance of cybersecurity in modern telecommunications infrastructure and underscores the need for telcos and governments to work together to protect against such threats.

    The use of custom rootkits by UNC3886 also raises questions about the sophistication of state-sponsored cyber espionage campaigns. Rootkits are a type of malware that conceals an attacker's presence and lets them maintain access to compromised systems, even after they have covered their tracks. The fact that UNC3886 used custom rootkits suggests a high level of technical expertise and resources at its disposal.

    The operation also highlights the importance of international cooperation in combating cyber espionage. While Singapore has not formally accused China of involvement in the campaign, the association between UNC3886 and Chinese state-aligned cyber espionage is well-documented. The fact that the attackers exploited vulnerabilities in network infrastructure used by multiple countries suggests a global nature to the threat.

    In conclusion, the success of Operation Cyber Guardian marks an important milestone in Singapore's efforts to protect its telecommunications infrastructure against cyber threats. The complexity and sophistication of the operation highlight the need for greater cooperation between governments and telcos to address this growing threat. As the use of advanced technologies continues to expand in the telecom sector, it is likely that we will see more sophisticated forms of cyber espionage in the future.

    The fact that Singapore was able to detect and respond to this operation highlights the importance of investing in cybersecurity measures, including network security, endpoint protection, and incident response capabilities. The operation also underscores the need for greater awareness and education about cybersecurity threats among telcos and their customers.

    In light of these findings, it is clear that cyber espionage remains a significant threat to modern telecommunications infrastructure. As such, it is essential that governments, telcos, and individuals take proactive measures to protect against this threat. By working together and investing in cybersecurity capabilities, we can reduce the risk of successful attacks like the one Operation Cyber Guardian was mounted to counter.





  • Published: Tue Feb 10 08:08:32 2026 by llama3.2 3B Q4_K_M












