
Operation Cyber Guardian: Lessons from Singapore's Largest Multi-Agency Response

Published: at 06:30 AM

On the morning of February 9, 2026, while most of Singapore was focusing on the daily commute and the first coffee of the day, a press release from the Cyber Security Agency (CSA) and the Infocomm Media Development Authority (IMDA) quietly reshaped our understanding of national digital security. It wasn’t a report of a disaster, but rather the disclosure of a silent war that had been waged in the shadows of our fibre-optic cables for nearly a year.

Operation Cyber Guardian was not just another breach notification. It was the public conclusion of the largest, most complex coordinated cyber incident response in Singapore’s history. For eleven months, over a hundred of the nation’s best cyber defenders from six different agencies had been locked in a high-stakes game of digital chess with one of the world’s most disciplined threat actors: UNC3886.

As someone who has spent over two decades in the trenches—from the early days of configuring Cisco PIX firewalls to advising C-suite executives on multi-cloud security—I’ve seen my fair share of “game-changers.” But this? This was different. This wasn’t just about a “hacker” getting in; it was about how a modern nation-state response can actually win without the public ever knowing there was a fight.

The Invisible Intruder: Who is UNC3886?

To understand the scale of Operation Cyber Guardian, we first have to talk about the adversary. UNC3886 is not your typical “smash and grab” cybercriminal group looking for a quick ransomware payout. They are a sophisticated, likely China-nexus Advanced Persistent Threat (APT) group that specialises in what I call “deep-tissue” espionage.

They don’t target users with crude phishing emails. Instead, they target the infrastructure itself—the networking and virtualisation layers that everything else sits on. In this campaign, they took aim at the very backbone of Singapore’s digital economy: all four major telecommunications providers—Singtel, StarHub, M1, and SIMBA Telecom.

Imagine a burglar who doesn’t try to pick the lock on your front door. Instead, they bribe the architect, get the original blueprints, and build a secret crawlspace behind your walls that you never knew existed. That is the UNC3886 playbook. They utilised zero-day vulnerabilities in Fortinet, VMware, and Juniper systems—hardware and software that form the “trusted” perimeter of almost every major enterprise.

Perimeter Defence: A 20th-Century Relic

For years, I’ve sat in boardrooms across Singapore and the Asia Pacific, listening to vendors pitch the latest “unbreakable” firewall. The prevailing logic was always: “Build a high enough wall, and we’re safe.”

Frankly, the UNC3886 campaign proves that this logic is not just outdated; it’s dangerous.

When an attacker uses a zero-day exploit, your firewall isn’t a barrier; it’s a gateway. By exploiting vulnerabilities that were unknown even to the manufacturers, UNC3886 was able to bypass the perimeter entirely. Once inside, they deployed custom rootkits—specifically backdoors based on the TINYSHELL framework—to maintain persistence. They weren’t just “in” the network; they were part of it, hiding in the noise of legitimate technical traffic.

I remember advising a regional telco back in 2018. They were incredibly proud of their “Fortress” approach. I asked the CTO, “What happens when the intruder is already inside, and they have the keys to the kingdom?” He laughed and said, “That’s why we have the perimeter.” Operation Cyber Guardian is the ultimate “I told you so” moment for the cybersecurity community. The perimeter didn’t fail; it was simply bypassed.

The Shift to Coordinated Resilience

What makes Operation Cyber Guardian remarkable isn’t the breach itself—breaches happen—but the response. This was a masterclass in what I call “Coordinated Resilience.”

In the old days, a breach at Singtel would be handled by Singtel. Maybe they’d call in a consultant, and eventually, they’d notify the regulator. But in the era of systemic risk, silos are the enemy. UNC3886 wasn’t just attacking a company; they were attacking a sector.

The response involved six different agencies: the CSA, IMDA, the Centre for Strategic Infocomm Technologies (CSIT), the Digital and Intelligence Service (DIS), GovTech, and the Internal Security Department (ISD). This wasn’t just a group of people in a room; it was a fusion of civilian, military, and intelligence capabilities.

The “Guardian” approach shifted the focus from merely “cleaning up” to “containing and observing.” They detected the intrusion in March 2025. Think about that for a second. They knew the attackers were there for nearly a year before the public disclosure. Instead of a knee-jerk reaction that might have alerted the attackers and caused them to go deeper or pivot to more destructive tactics, the agencies worked with the telcos to contain the threat while gathering intelligence on the group’s methods.

This is the digital equivalent of a heart transplant performed while the patient is running a marathon. They had to neutralise the threat without disrupting internet or phone services for millions of Singaporeans. And they succeeded.

The “Silent Victory”: Why Success is Hard to Measure

In the world of technology, we love metrics. We love “99.999% uptime” and “zero data loss.” But the greatest successes in cybersecurity are often the things that didn’t happen.

In the case of Operation Cyber Guardian, the list of “didn’ts” is impressive:

The bottom line is that the attackers did steal some technical network data. It’s likely they now have a better map of our network topology for future operations. But compared to the potential for total systemic collapse, this is a minor loss. It’s the difference between a thief stealing the blueprints to a vault versus stealing the gold inside. We can change the blueprints; we can’t always get the gold back.

A New Framework for the APAC Boardroom

If you are a C-level executive or a board member in Singapore today, you should be asking yourself a very different set of questions than you were two years ago.

The old question was: “Are we secure?” The new question must be: “How resilient are we when we are breached?”

Operation Cyber Guardian highlights a few critical shifts that every enterprise in the Asia Pacific needs to internalise:

1. Zero-Trust is Not a Product, It’s a Philosophy

Stop buying “Zero-Trust” boxes. Zero-Trust means assuming that the perimeter is already compromised. It means verifying every single request, regardless of where it comes from. UNC3886 stayed in the networks for months because they were able to move laterally using “trusted” technical credentials. In a true Zero-Trust environment, that lateral movement becomes infinitely harder.

2. Visibility is the New Perimeter

You cannot protect what you cannot see. The reason the telcos were able to detect the breach in March 2025 wasn’t because a firewall “blocked” it, but because their monitoring systems picked up anomalous behaviour. Deep network visibility—the ability to see into the “dark corners” of your virtualisation layers—is no longer optional.

3. Collaboration is a Strategic Capability

Is your security team on a first-name basis with the CSA? Do you participate in sectoral threat-sharing exercises? If you’re waiting for a breach to happen before you build those relationships, you’ve already lost. The success of Operation Cyber Guardian was built on months and years of quiet, pre-existing collaboration between the telcos and the government.
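Points 1 and 2 above describe principles rather than mechanics, so here is an added illustration of both, written for this page and not taken from the original post or from any telco or agency code. It learns a per-credential baseline (source addresses and hours of day) from a "normal" period of management-plane logins, then reviews a later window in the way a zero-trust monitor would: a login from a source never seen for that credential is flagged even if the source sits in a "trusted" segment, and one credential fanning out across several infrastructure hosts within minutes is flagged as possible lateral movement. The key=value log format, the field names, the host names and the thresholds are all assumptions; the log lines themselves are constructed sample data.

```python
"""Baseline-driven anomaly detection over management-plane login records.

Constructed example: every log line below is invented for illustration.
The key=value line format and the threshold values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a quiet week of admin logins used to learn the baseline.
BASELINE_LOG = """\
2025-02-24T09:05:11Z host=esxi-01 user=ops.alice src=10.10.8.21 result=success
2025-02-24T10:42:30Z host=esxi-02 user=ops.alice src=10.10.8.21 result=success
2025-02-25T09:11:02Z host=fw-edge-1 user=netops.bob src=10.10.8.35 result=success
2025-02-26T14:20:45Z host=esxi-01 user=ops.alice src=10.10.8.21 result=success
2025-02-27T11:03:17Z host=fw-edge-2 user=netops.bob src=10.10.8.35 result=success
"""

# Constructed sample: a later window in which one credential behaves abnormally.
REVIEW_LOG = """\
2025-03-03T09:30:00Z host=esxi-01 user=ops.alice src=10.10.8.21 result=success
2025-03-03T02:14:05Z host=esxi-03 user=netops.bob src=10.40.2.7 result=success
2025-03-03T02:15:40Z host=esxi-04 user=netops.bob src=10.40.2.7 result=success
2025-03-03T02:16:22Z host=fw-edge-1 user=netops.bob src=10.40.2.7 result=success
2025-03-03T02:17:50Z host=rtr-core-1 user=netops.bob src=10.40.2.7 result=success
"""


def parse(log_text):
    """Parse key=value lines into dicts; the leading timestamp becomes a datetime 'ts'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def build_baseline(events):
    """Per credential: the source addresses and hours of day seen during normal operations."""
    baseline = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for ev in events:
        if ev.get("result") != "success":
            continue
        baseline[ev["user"]]["srcs"].add(ev["src"])
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return baseline


def detect(events, baseline, window=timedelta(minutes=10), max_hosts=3):
    """Return (ts, user, reason) findings for the reviewed events.

    Check 1 (zero-trust): a successful login is judged on the credential's own
    history, not on where the source sits, so an unseen source or hour is flagged.
    Check 2 (lateral movement): one credential reaching more than `max_hosts`
    distinct infrastructure hosts inside `window` is flagged.
    """
    findings = []
    recent = defaultdict(list)  # user -> [(ts, host)] in time order
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("result") != "success":
            continue
        user, src, ts, host = ev["user"], ev["src"], ev["ts"], ev["host"]
        known = baseline.get(user)
        if known is None or src not in known["srcs"]:
            findings.append((ts, user, f"new source {src} for credential"))
        if known is not None and ts.hour not in known["hours"]:
            findings.append((ts, user, f"login at unusual hour {ts.hour:02d}"))
        recent[user].append((ts, host))
        hosts_in_window = {h for t, h in recent[user] if ts - t <= window}
        if len(hosts_in_window) > max_hosts:
            findings.append((ts, user, f"{len(hosts_in_window)} hosts within {window}"))
    return findings


def run_example():
    """Learn the baseline from BASELINE_LOG and review REVIEW_LOG."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(parse(REVIEW_LOG), baseline)


if __name__ == "__main__":
    for ts, user, reason in run_example():
        print(f"{ts.isoformat()}Z {user}: {reason}")
```

In the sample, ops.alice's daytime login from her usual workstation produces nothing, while netops.bob's four logins from an address never associated with that credential, at an hour outside his baseline, each produce two findings, and the fourth host reached within ten minutes adds a lateral-movement finding. In a real deployment the baseline would be learned over a longer period and the thresholds tuned per environment; the point is that the decision rests on the credential's observed behaviour rather than on the segment the request came from.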

The Singapore Blueprint: Leading by Example

Singapore has always punched above its weight in the global arena, and Operation Cyber Guardian is no exception. This operation is already being compared to the “Salt Typhoon” campaign in the United States, where China-nexus actors targeted major US telcos. However, the level of multi-agency coordination seen in Singapore is, in many ways, a more advanced model.

By bringing together the DIS (our fourth military arm) with civilian agencies like the CSA and IMDA, Singapore has created a “Total Defence” for the digital age. It acknowledges that the lines between national security, economic security, and personal privacy are now permanently blurred.

I remember a conversation I had with a CIO in the early 2010s. He asked me what the biggest threat to Singapore’s future was. I told him it wasn’t a physical invasion, but the “invisible erosion of trust” in our digital infrastructure. Operation Cyber Guardian is the antidote to that erosion. It shows that while we cannot prevent every attack, we can respond with such overwhelming coordination and competence that the attackers fail to achieve their strategic goals.

Final Thoughts: The Road Ahead

The conclusion of Operation Cyber Guardian on February 9th was a victory, but it was not the end of the war. UNC3886 and groups like them are constantly evolving. They are already looking for the next zero-day, the next unpatched server, the next “trusted” administrator.

The lesson for the rest of us is that we must stop chasing the phantom of “perfect security.” It doesn’t exist. Instead, we must invest in the messy, difficult, and often invisible work of resilience. We need to build systems that can fail gracefully, teams that can collaborate across boundaries, and a culture that values transparency and coordinated response over the pride of a “perfect” (but brittle) perimeter.

Singapore has shown us the blueprint. Now, it’s up to the rest of the Asia Pacific to follow suit. The next “Operation Guardian” might be happening right now, in a network near you. The question is: will you be ready to join the fight, or will you still be hiding behind a wall that isn’t there?
