UNC3886 Cyber Espionage Campaign Exploits Fortinet and VMware Zero-Days to Breach Singapore Telecom Sector

Executive Summary
A sophisticated cyber espionage campaign attributed to the China-linked threat group UNC3886 has targeted Singapore’s telecommunications sector, breaching the four major providers M1, SIMBA Telecom, Singtel, and StarHub. This campaign, which persisted undetected for nearly a year, leveraged multiple zero-day vulnerabilities in Fortinet and VMware products, Linux rootkits, and credential harvesting techniques to gain and maintain access to critical telecom infrastructure. The operation, uncovered by Singapore’s Cyber Security Agency (CSA) and detailed by Mandiant, underscores the increasing complexity and persistence of state-sponsored threats against critical infrastructure. While no customer data loss or service disruption has been reported, the attackers exfiltrated sensitive technical network data, highlighting the need for robust detection, patching, and incident response capabilities.
Threat Actor Profile
UNC3886 is a highly sophisticated, China-nexus advanced persistent threat (APT) group with a history of targeting telecommunications, government, technology, and defense sectors across Asia, North America, and Europe. The group is known for its technical acumen, including the development and deployment of custom malware, exploitation of zero-day vulnerabilities, and use of rootkits for stealth and persistence, with a particular focus on devices and platforms that typically lack endpoint detection and response coverage, such as firewalls and hypervisors. Its tradecraft resembles that of other well-known China-nexus APTs, but Mandiant tracks UNC3886 as a distinct cluster. The group’s objectives are primarily espionage-driven: exfiltrating sensitive technical data and credentials, and potentially enabling wiretapping or further supply chain compromise.
Technical Analysis of Malware/TTPs
The UNC3886 campaign against Singapore’s telecom sector demonstrates a multi-stage attack lifecycle, leveraging a combination of zero-day exploits, custom malware, and advanced persistence mechanisms.
Initial access and lateral movement relied on several vulnerabilities UNC3886 is known to exploit. In FortiOS these were CVE-2022-41328, a path traversal that lets a privileged attacker read and write arbitrary files on a FortiGate via crafted CLI commands, and CVE-2022-42475, a heap-based buffer overflow in the SSL-VPN component that gives an unauthenticated remote attacker code execution. On the VMware side they were CVE-2022-22948, improper file permissions in vCenter Server that let a low-privileged user read sensitive information including credentials; CVE-2023-20867, an authentication bypass in VMware Tools that lets an attacker who already controls the ESXi host run guest operations inside a VM without guest credentials; and CVE-2023-34048, an out-of-bounds write in the vCenter Server DCERPC implementation that yields remote code execution. Together these gave the attackers arbitrary file writes on edge devices, code execution on vCenter, and unauthenticated command execution inside guest VMs, allowing them to deploy backdoors and move laterally across virtualized environments.
For persistence and defense evasion, UNC3886 deployed REPTILE, a kernel-mode Linux rootkit that hides processes, files, and network connections and provides reverse shell access, and MEDUSA, a user-mode rootkit loaded through LD_PRELOAD that logs credentials and executes commands. Because an LD_PRELOAD rootkit hooks libc inside every dynamically linked process, on-host tools such as ps, ls, and netstat inherit the same blind spots, so a suspect host should be examined with statically linked binaries, from a mounted disk image, or after booting trusted media. Credential harvesting was further enabled by backdoored SSH clients and daemons, custom SSH servers, and injectors such as libvird and NetworkManage. The attackers also backdoored TACACS+ daemons and deployed LOOKOVER, a sniffer that captures TACACS+ authentication traffic to recover the credentials used for network devices.
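The two hiding techniques described above translate into two generic host checks: an audit of what is being preloaded into every process, and a comparison between the processes /proc lists and the PIDs that actually exist. The script below, added here as an illustration and not code from Rescana, Mandiant, or the threat actor, implements both; it also supports the audit for REPTILE and MEDUSA recommended under Mitigation by accepting a mounted disk image as the root for the preload check. The allowlist, the image path, and the sample inputs are constructed assumptions, and it carries no family-specific signatures.

```python
"""Audit a Linux host for the artifacts that LD_PRELOAD (MEDUSA-style) and
kernel (REPTILE-style) rootkits leave behind.

Added example; not Rescana's, Mandiant's or the threat actor's code. Two
generic checks implied by the text:

  1. entries in /etc/ld.so.preload or the LD_PRELOAD variable that are not
     on a known-good allowlist, since MEDUSA is loaded through LD_PRELOAD;
  2. PIDs that answer to a direct stat() of /proc/<pid> but are missing
     from a directory listing of /proc, the symptom of a rootkit that
     filters getdents() to hide processes.

Usage: `python3 audit.py` on a live host, or `python3 audit.py /mnt/img`
against a mounted disk image (preload check only). The allowlist and the
sample inputs are constructed assumptions.
"""
import os
import sys
from dataclasses import dataclass

# Hypothetical allowlist; populate it from configuration management.
KNOWN_GOOD_PRELOADS = frozenset({"/usr/lib64/libfakeroot/libfakeroot-sysv.so"})


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


def parse_ld_preload(content: str) -> list[str]:
    """Return the shared objects named in ld.so.preload content.

    Entries are split on whitespace and colons; anything after '#' on a
    line is dropped here as a comment.
    """
    libs: list[str] = []
    for line in content.splitlines():
        line = line.split("#", 1)[0]
        libs.extend(line.replace(":", " ").split())
    return libs


def audit_preloads(libs, allowlist=KNOWN_GOOD_PRELOADS) -> list[Finding]:
    """Flag every preloaded object that is not explicitly approved."""
    return [Finding("ld_preload", f"unexpected preload entry: {lib}")
            for lib in libs if lib not in allowlist]


def hidden_pids(listed: set, probed: set) -> set:
    """PIDs that exist when probed directly but are absent from readdir()."""
    return probed - listed


def audit_preload_sources(root: str = "/", env=None) -> list[Finding]:
    """Check ld.so.preload under `root` (live root or mounted image) and the
    LD_PRELOAD variable of this process (or of a supplied mapping)."""
    findings: list[Finding] = []
    path = os.path.join(root, "etc/ld.so.preload")
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings += audit_preloads(parse_ld_preload(fh.read()))
    env = os.environ if env is None else env
    if env.get("LD_PRELOAD"):
        findings += audit_preloads(parse_ld_preload(env["LD_PRELOAD"]))
    return findings


def audit_hidden_processes() -> list[Finding]:
    """Live-only check: probe every PID up to pid_max and compare with what
    readdir() on /proc reports. Takes a few seconds at the default pid_max."""
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    probed = set()
    for pid in range(1, pid_max + 1):
        try:
            os.stat(f"/proc/{pid}")
        except FileNotFoundError:
            continue
        except OSError:
            pass  # any other error still means the entry exists
        probed.add(pid)
    hidden = hidden_pids(listed, probed)
    # A second listing removes processes that simply started after the first.
    hidden -= {int(n) for n in os.listdir("/proc") if n.isdigit()}
    return [Finding("hidden_pid", f"pid {pid} exists but is not listed in /proc")
            for pid in sorted(hidden)]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    results = audit_preload_sources(root)
    if root == "/":
        results += audit_hidden_processes()
    for f in results:
        print(f"[{f.check}] {f.detail}")
    print(f"{len(results)} finding(s)")
```

The PID probe works against a rootkit that filters directory listings but not one that also hooks stat(); and on a live host carrying an LD_PRELOAD rootkit, the Python interpreter itself is a dynamically linked process that can be lied to, which is why the preload check accepts a mounted image root. Treat a clean result from on-host tooling as a weak negative, not a clearance.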
Custom malware families identified in this campaign include MOPSLED, a modular backdoor with HTTP-based command and control (C2), a plugin architecture, and ChaCha20-encrypted communications; RIFLESPINE, which uses Google Drive for C2 and AES-encrypted file transfer; and a suite of VMCI backdoors (VIRTUALSHINE, VIRTUALPIE, VIRTUALSPHERE) for guest-to-guest and host-to-guest command execution on ESXi hosts. VMCI, the Virtual Machine Communication Interface, is a hypervisor-mediated channel that bypasses the guest’s network stack, so traffic over these backdoors never reaches network sensors or a guest-side firewall and can only be observed on the hypervisor or inside the guest itself.
Command and control infrastructure relied on trusted third-party services such as GitHub and Google Drive, whose traffic blends into ordinary outbound web activity, as well as TLS-enabled backdoors using certificates stolen from compromised FortiGate devices. Internal reconnaissance was conducted with tools such as Nmap, focused on mapping network management infrastructure and authentication servers.
Exploitation in the Wild
The campaign’s most significant impact was observed in Singapore, where all four major telecom providers were breached. Attackers maintained persistent access for nearly a year before being detected and evicted. The campaign’s TTPs have also been observed in attacks against telecom and critical infrastructure providers in the United States, Canada, Norway, and other regions, indicating a broad and ongoing threat to the global telecommunications supply chain. The attackers demonstrated a particular interest in network management systems and authentication infrastructure, suggesting a supply chain-oriented approach that could facilitate further downstream compromise.
Victimology and Targeting
UNC3886’s targeting is highly selective, focusing on telecommunications providers, government agencies, technology firms, and critical infrastructure operators. In Singapore, the group targeted M1, SIMBA Telecom, Singtel, and StarHub, exploiting their reliance on vulnerable Fortinet and VMware products. The attackers’ objectives centered on exfiltrating technical network data, credentials, and potentially enabling wiretapping or further supply chain attacks. No evidence of customer data loss or service disruption has been reported, but the exfiltration of sensitive internal data poses significant risks to operational security and national resilience.
Mitigation and Countermeasures
Organizations running the affected products should confirm that FortiOS, VMware vCenter Server, ESXi, and VMware Tools are at versions that address CVE-2022-41328, CVE-2022-42475, CVE-2022-22948, CVE-2023-20867, and CVE-2023-34048. Vendor fixes for all five have been available since 2022 and 2023, so an unpatched instance found today is itself a finding that warrants a compromise assessment rather than only a patch ticket. Management interfaces of FortiGate, vCenter, and ESXi should not be reachable from the internet or from general user networks. Security teams should audit hosts for the REPTILE and MEDUSA rootkits and for backdoored SSH and TACACS+ binaries, bearing in mind that both rootkits subvert on-host tooling: compare binaries against vendor or package-manager hashes and, where possible, examine a disk image or boot from trusted media rather than trusting ps, ls, or netstat on the suspect system. Network monitoring should flag outbound connections from hypervisors, vCenter, TACACS+, and network-management servers to GitHub, Google Drive, and known C2 addresses associated with UNC3886, since those hosts rarely have a legitimate reason to reach such services. Credentials that passed through a compromised TACACS+ or SSH service should be treated as exposed and rotated, and certificates stolen from FortiGate devices should be revoked and reissued. Access to network management and authentication servers should be reviewed and restricted to the minimum necessary. Threat hunting should use the YARA rules and indicators of compromise (IOCs) published by Mandiant and other reputable sources, and incident response plans should account for kernel-level persistence, hypervisor-resident backdoors, and supply chain-oriented attack paths.
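The monitoring recommendation above, and the earlier description of MOPSLED fetching plugins from GitHub and RIFLESPINE using Google Drive for C2, can be turned into a concrete hunt over proxy logs. The script below is an added illustration, not detection content from Rescana or Mandiant: it keys on the role of the source host rather than on destination reputation, so that any inventoried hypervisor, vCenter, TACACS+, or network-management server contacting a watched domain is reported with request count and bytes sent. The simplified log format, the host inventory, the domain list, and the sample log lines are all constructed assumptions.

```python
"""Proxy-log hunt for C2 over trusted services (GitHub, Google Drive).

Added example; not Rescana's or Mandiant's detection content. Infrastructure
hosts rarely have a legitimate reason to reach code-hosting or file-sharing
services, so the hunt reports every inventoried infrastructure host that
contacted a watched domain, aggregated by destination. The log format,
inventory, domain list and sample lines are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed inventory (source IP -> role); replace with a CMDB export.
INFRA_HOSTS = {
    "10.10.1.5": "vcenter",
    "10.10.1.6": "esxi-01",
    "10.10.2.10": "tacacs-01",
    "10.10.3.20": "netmgmt-01",
}

# Assumed domains for the services the text names; matched as the exact
# host or as a parent domain on a label boundary.
WATCHED_SUFFIXES = (
    "github.com",
    "githubusercontent.com",
    "drive.google.com",
    "googleapis.com",
)

# Assumed simplified proxy record: timestamp src_ip dest_host method bytes_sent
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<host>\S+) "
    r"(?P<method>[A-Z]+) (?P<bytes>\d+)$"
)


@dataclass(frozen=True)
class Hit:
    src: str
    role: str
    host: str
    count: int
    bytes_out: int


def domain_watched(host: str) -> bool:
    """True if host equals, or is a subdomain of, a watched suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def parse_line(line: str) -> Optional[dict]:
    """Parse one record; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def hunt(lines: Iterable[str], inventory=INFRA_HOSTS) -> list[Hit]:
    """Aggregate watched-domain requests by infrastructure host and destination.

    Sorted by bytes sent (descending): outbound volume from a server to a
    file-sharing service is the stronger exfiltration signal.
    """
    agg = defaultdict(lambda: [0, 0])  # (src, role, host) -> [count, bytes]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        role = inventory.get(rec["src"])
        if role is None or not domain_watched(rec["host"]):
            continue  # workstation traffic or an unwatched destination
        key = (rec["src"], role, rec["host"])
        agg[key][0] += 1
        agg[key][1] += rec["bytes"]
    hits = [Hit(src, role, host, c, b) for (src, role, host), (c, b) in agg.items()]
    return sorted(hits, key=lambda h: (-h.bytes_out, h.src, h.host))


# Constructed sample log: two infrastructure hosts touching watched domains,
# one workstation doing the same (ignored), one benign update, one bad line.
SAMPLE_LOG = """\
2025-03-02T01:12:07Z 10.10.1.5 api.github.com GET 843
2025-03-02T01:12:09Z 10.10.1.5 raw.githubusercontent.com GET 120
2025-03-02T01:14:31Z 10.10.2.10 www.googleapis.com POST 52311
2025-03-02T01:14:40Z 10.10.2.10 www.googleapis.com POST 49877
2025-03-02T01:15:02Z 10.20.5.77 api.github.com GET 600
2025-03-02T01:15:10Z 10.10.3.20 updates.example.net GET 2048
this line is malformed and is skipped
"""


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG.splitlines()):
        print(f"{h.role:<10} {h.src:<12} -> {h.host:<28} "
              f"requests={h.count} bytes_out={h.bytes_out}")
```

Keying on source role is what keeps the false-positive rate workable: the same domains are noise when a developer workstation reaches them, and a signal when a TACACS+ server does. The POST volume from the TACACS+ host in the sample is the pattern to prioritise, since it matches the credential exfiltration the text describes.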
References
Mandiant/Google Cloud: Cloaked and Covert: Uncovering UNC3886 Espionage Operations – https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
HelpNetSecurity: Singapore telcos breached in China-linked cyber espionage campaign – https://www.helpnetsecurity.com/2026/02/10/singapore-telecommunications-unc3886-cyber-espionage/
NVD: CVE-2022-41328 – https://nvd.nist.gov/vuln/detail/CVE-2022-41328
NVD: CVE-2022-42475 – https://nvd.nist.gov/vuln/detail/CVE-2022-42475
NVD: CVE-2022-22948 – https://nvd.nist.gov/vuln/detail/CVE-2022-22948
NVD: CVE-2023-20867 – https://nvd.nist.gov/vuln/detail/CVE-2023-20867
NVD: CVE-2023-34048 – https://nvd.nist.gov/vuln/detail/CVE-2023-34048
Trend Micro: Revisiting UNC3886 Tactics – https://www.trendmicro.com/en_us/research/25/g/revisiting-unc3886-tactics-to-defend-against-present-risk.html
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and critical infrastructure. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure operational resilience. For more information or to discuss how Rescana can support your organization’s cybersecurity posture, we are happy to answer questions at ops@rescana.com.