Cyber Incident Victim: Simba

Date:

Feb 2026

Location:

Singapore

Summary

UNC3886, a sophisticated cyber‑espionage group, compromised the backbone networks of Singapore’s four major telecommunications providers, including Simba, using zero‑day exploits, rootkits and advanced persistence techniques to gain long‑term access to infrastructure and technical data. The breach gave the attackers upstream visibility into the telcos’ traffic, enabling them to monitor authentication, siphon data and maintain persistent access without directly entering downstream enterprise environments. This upstream compromise turned the telcos into collection points that could be leveraged for intelligence gathering across government, enterprise and individual communications that rely on those networks.

CIA Posture:

Available to members

Motives:

1 motive

Tactics, Techniques & Procedures:

2 techniques

Threat Actor:

1 actor

Type:

Available to members

Location:

Available to members

Description

In February 2026, Singapore authorities disclosed that the cyber‑espionage group UNC3886 had penetrated the networks of the four major telecommunications operators serving the country, namely Singtel, StarHub, M1, and Simba. The disclosure stated that the attackers employed zero‑day exploits, rootkits, and advanced persistence techniques to establish a foothold. According to the report, the intrusion allowed the threat actors to obtain long‑term access to the telcos’ backbone infrastructure and associated technical and network data. The attackers’ activity was described as sustained and designed to remain undetected for extended periods.

The compromised telcos constitute a core component of Singapore’s national communications infrastructure, providing connectivity for government agencies, enterprises, and individual consumers. Because the networks of Singtel, StarHub, M1, and Simba were all accessed, the breach affected a broad segment of the country’s telecommunications backbone. The article notes that the intrusion gave the adversary visibility into the routing and authentication pathways that underlie downstream services. This access positioned the telcos as potential collection points for signals intelligence without requiring direct intrusion into customer environments.

The incident illustrates how shared dependencies such as telecom routing, cloud adjacency, managed service channels, and identity federation can become simultaneous collection surfaces for multiple threat actors. The article explains that when different actors arrive through the same upstream infrastructure, the result is a structural exposure that is not dependent on any single campaign. It further states that the access gained by UNC3886 is persistent and embedded, meaning the adversary can maintain presence in the infrastructure that organizations rely on for their communications. The disclosure prompted Singapore to acknowledge the breach publicly and to note the implications for national infrastructure security.

Sources:

1 source (available to members)