The Cyber Security Agency of Singapore (CSA) and the Infocomm Media Development Authority (IMDA) are taking steps to defend the country’s telecommunications sector through a multi-agency cybersecurity operation, codenamed Operation CYBER GUARDIAN.
According to Coordinating Minister for National Security K Shanmugam, the Advanced Persistent Threat (APT) actor UNC3886 had been detected attacking our critical infrastructure. No further details were shared then, to preserve operational security.
Over the past months, investigations have indicated that UNC3886 had launched a deliberate, targeted, and well-planned campaign against Singapore’s telecommunications sector. All four of Singapore’s major telcos – M1, SIMBA Telecom, Singtel and StarHub – have been the target of attacks.
APTs are sophisticated and persistent, getting past defences with advanced methods over time. UNC3886 is an APT actor with deep capabilities. UNC3886 deployed advanced tools in their campaign to gain access into the telco systems.
In one instance, they used a zero-day exploit to bypass a perimeter firewall of our telcos and gained access into our telco networks. They also managed to exfiltrate a small amount of technical data; this is believed to be primarily network-related data to advance the threat actors’ operational objectives.
In another instance, the threat actor utilised advanced tools and techniques such as rootkits to maintain persistent access, cover their tracks and evade detection. This made it challenging for cyber defenders to detect their presence, requiring them to conduct comprehensive security checks across the networks.
The threat actor’s activities were initially detected by the telcos, who then notified IMDA and CSA of the breach. CSA, IMDA and other government agencies swiftly launched a coordinated whole-of-Government response, in partnership with the telcos, to contain the breach.
Operation CYBER GUARDIAN is Singapore’s largest coordinated cyber incident response effort undertaken to date, spanning more than 11 months. Over 100 cyber defenders across agencies such as CSA, IMDA, the Centre for Strategic Infocomm Technologies (CSIT), the Digital and Intelligence Service (DIS), the Government Technology Agency of Singapore (GovTech) and the Internal Security Department (ISD) were involved in the operation.
So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere.
The threat actor was able to gain unauthorised access into some parts of telco networks and systems. In one instance, they were able to gain limited access to critical systems but did not get far enough to have been able to disrupt services.
There is no evidence to date that sensitive or personal data such as customer records were accessed or exfiltrated.
There is also no evidence that the threat actor managed to disrupt telecommunications services such as internet availability.
Cyber defenders have since implemented remediation measures, closed off UNC3886’s access points and expanded monitoring capabilities in the targeted telcos.
“Telcos are strategic targets for threat actors, including state-sponsored ones. They play a foundational role in powering the digital economy and transmit vast amounts of information, including sensitive data,” said Shanmugam.
“If threat actors succeed in attacking our telcos, they have the potential to undermine our national security and our economy.”
Telcos have also been putting in place interventions including joint threat hunting, penetration testing, and levelling up of capabilities.
CSA will also be progressively introducing initiatives to raise the level of capabilities across the cyber ecosystem, to enable better and more timely responses against cyber threats and to strengthen Singapore’s cyber defences.



