Singapore

Singapore mounts largest cybersecurity op against UNC3886, more than 100 cyberdefenders activated

MDDI Minister Josephine Teo (third from left) and CSA chief executive David Koh (left) viewing the technical demonstration at an engagement event for cyber defenders on Feb 9. - ST

SINGAPORE: More than 100 cyberdefenders from six government agencies and four local telcos have been involved in the fight against cyberespionage group UNC3886, making the coordinated countermeasures Singapore’s largest to date.

Operation Cyber Guardian was launched in March 2025, after the advanced persistent threat (APT) actor was discovered to have infiltrated telecommunication networks run by Singtel, StarHub, M1 and Simba Telecom, said the Cyber Security Agency (CSA) of Singapore in a statement on Monday (Feb 9).

Cybersecurity teams from six government agencies – CSA, the Infocomm Media Development Authority, the Centre for Strategic Infocomm Technologies, the Singapore Air Force’s Digital and Intelligence Service (DIS), the Government Technology Agency of Singapore and the Internal Security Department – were involved in the large-scale operation.

UNC3886 is such a challenging adversary partly due to its advanced tactics and ability to clean up its tracks, said CSA’s lead cybersecurity consultant Law Che Lin.

Likening the tactic to how a thief might clean up his footprints and thumbprints after breaking into a house, Mr Law said: “This made it hard to detect its activities in the network.”

He was speaking to the media on Feb 9 at CSA’s office in Punggol Digital District, where Minister for Digital Development and Information Josephine Teo publicly recognised the defenders for their efforts.

Law had co-led purple teaming efforts – which involves a red team that runs simulated attacks and a blue team fending off the attacks. The attacks mimicked the tactics used by UNC3886, which included the removal of logs and cleaning up traces of any activity.

“We worked in an iterative fashion, by simulating attacks and allowing defenders to validate their built-in defences and refine them. So if we do find any gaps, we also provide suggestions to remediate them.”

UNC3886 had gained initial access into telecommunication networks through a zero-day vulnerability – a hidden flaw with no known fix – at the perimeter firewall.

This is akin to finding a new key no one else had found to unlock the doors, said Teo on Feb 9.

Following the initial intrusion, UNC3886 was able to expand its presence using sophisticated malware, such as the Medusa rootkit, which is an advanced malware that can steal login credentials so it can move stealthily within the victim networks.

It can also evade detection by bypassing commercial antivirus scanners, and conceal other malware such as keyloggers and viruses.

UNC3886 was also able to evade detection by deploying advanced techniques like altering system logs, leaving no trail. The group also built its own back doors, allowing its attackers to secretly access the compromised telco networks without going through normal login security.

To stop the attackers, Singapore’s cyberdefenders closed off access points and changed login credentials. This prompted UNC3886 to switch tactics to lie low.

Though the attackers were able to access servers that manage and maintain internal telco systems, data exfiltrated is primarily network-related. There is no evidence that sensitive or personal data such as customer records were accessed or exfiltrated.

Months of preparation was required to study the affected networks and identify signs of compromise, said Military Expert 5 Eugene Tay, the team lead at the DIS’ Threat Hunting Centre, within the agency’s Cyber Protection Group.

“We combed through a large volume of data, which was time-consuming and required a sustained focus by the team,” said Tay, who declined to reveal the size of his team due to operational sensitivities.

The amount of data is due to the number of telcos under attack, and the varied nature of data that Singtel, StarHub, M1 and Simba deal with.

“Despite the mentally exhausting process, my defenders remained highly focused- and mission-oriented. The collective commitment by the team encouraged everyone to push through the demands of the work, and we remained disciplined throughout the operation,” said Tay.

This experience also highlighted the importance of government collaborations, as cybersecurity is a team sport that requires the diverse skill sets of each defender.

“Mutual trust also helps us to better respond and address the cyberthreat more effectively,” he added. - The Straits Times/ANN

 

 

Follow us on our official WhatsApp channel for breaking news alerts and key updates!
Singapore , cyberdefenders , UNC3886

Next In Aseanplus News
Asean news headlines as at 10pm on Friday (March 6)
Thailand grants 28.4mil baht to families of Myanmar workers killed in Bangkok collapse
India's ceramics and tiles industry faces shutdown as Middle East conflict disrupts fuel
HCM City aims to become drug free by 2030
Rafizi's former aide leaves it to lawyers to liaise with MACC
Jail for two Malaysians who withdrew money linked to scams from ATMS in Singapore
Cabinet approves new commission to look into gig workers' welfare, says Zahid
Jet Li says he 'failed' as a dad in the past after putting work over daughter
Vietnam to introduce supervised video calls for prisoners to contact relatives
Philippines' NBI rescues four child victims of online sexual exploitation in Cavite

Trending in AseanPlus

Others Also Read

Load more

Copyright © 1995- Star Media Group Berhad [197101000523 (10894-D)]

Best viewed on Chrome browsers.