Cyber Incident Victim: Simba
Date: Jul 2025
Location: Singapore
Summary
Singapore’s major telecom operators Singtel, StarHub, M1 and Simba were targeted by the China‑linked espionage group UNC3886, which used a zero‑day exploit and rootkits to infiltrate critical systems but did not disrupt services or exfiltrate customer data; the attackers obtained only limited technical information. A coordinated response called Operation Cyber Guardian, involving six government agencies and Mandiant, blocked the intrusion points, enhanced monitoring and launched joint threat hunting and penetration testing to strengthen defenses against further attempts.
Description
In July 2025 Singapore’s Minister for Digital Development and Information Josephine Teo disclosed that four major telecom operators—Singtel, StarHub, M1 and Simba—had been targeted by a cyberattack carried out by the espionage group UNC3886. The attackers, described by Mandiant as a China‑nexus espionage group, managed to breach the perimeter firewalls of the telcos using a zero‑day exploit and gained access to a few critical systems within the networks. Although they deployed rootkits to maintain persistent access, conceal their activities and evade detection, the intrusion did not progress far enough to disrupt telecommunications services or to exfiltrate sensitive customer data. The attackers did succeed in stealing a small amount of technical data that appeared intended to help them map the telco environments.

In response, Singapore launched Operation Cyber Guardian, a coordinated effort involving 100 cyber defenders drawn from six government agencies: the Cyber Security Agency of Singapore, the Infocomm Media Development Authority, the Centre for Strategic Infocomm Technologies, the Digital and Intelligence Service of the Singapore Armed Forces, the Internal Security Department and GovTech. Operation Cyber Guardian was described by Teo as the largest coordinated cyber response in Singapore’s history. The IMDA reported that defenders blocked the attackers’ access points, enhanced monitoring across the targeted telcos and worked with the CSA to strengthen defenses, improve detection capabilities and deploy active monitoring systems. Telecom companies themselves instituted joint threat hunting, penetration testing and other capability‑enhancement measures as part of the remediation process.

The incident resulted in no service outages and no evidence of customer data theft, though, had the attackers succeeded, the potential consequences could have included the disruption of telecom or internet services and a consequent impact on national security and the economy. Teo emphasized that UNC3886 represents a more serious threat than previous state‑sponsored attacks because it targets critical systems that underpin essential public services. While the collective actions of Operation Cyber Guardian have contained the intrusion for now, authorities warned that future attempts to compromise telco infrastructure remain possible and that continued vigilance is required.
