Skip to main content

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam

Ministry of Digital Development and Information
Speeches

Opening Speech by Minister Josephine Teo at the Operation Cyber Guardian Engagement Event for Cyber Defenders

9 February 2026

Colleagues and Friends

Introduction

  1. Last year in July, our Coordinating Minister for National Security, Minister Shanmugam disclosed that we had detected a cyber-attack against our critical information infrastructure.

    1. This was a serious attack.

    2. The attacker was UNC3886, an entity with advanced capabilities.

    3. They are persistent, and do not give up easily just because they have been detected or identified.

  2. That same weekend, at my constituency event, some curious residents asked me “Are we really under attack? How do we know?”

  3. In fact, UNC3886 is not the first cyber-attack to target Singapore.

    1. In 2014, an attacker likely linked to a foreign Government gained access into the Ministry of Foreign Affairs’ IT system and tried to steal sensitive information.

    2. In 2018, attackers infiltrated SingHealth’s systems and stole more than 1.5 million records, including that of former Prime Minister Lee Hsien Loong. These attackers were also likely linked to a foreign Government.

  4. UNC3886 posed a potentially more serious threat than these previous attacks.

    1. It targeted critical systems that directly provide vital essential services to the public.

    2. At stake was not just sensitive data.

    3. The consequences could have been more severe; if the attack went far enough, it could have allowed the attacker to one day cut off telecoms or internet services.

  5. But the residents’ questions remind us that the potential consequences of a cyber-attack are not well known.

    1. Besides the loss of data or sensitive information, there are usually no visible signs in the physical world, such as collapsed buildings or human casualties.

    2. As a result, most people find it hard to picture cyber-attacks and the growing risks we face.

  6. Yet, around the world, state-linked threat actors have stepped up their activities.

    1. Last year, US authorities reported that an Advanced Persistent Threat (APT) actor known as Volt Typhoon had infiltrated US critical infrastructure.

      1. They were found not just in one sector but several.

      2. These include the energy, water, transportation, and telecommunications sectors.

    2. In December last year, Polish authorities reported a sophisticated cyberattack targeting Poland’s power grid.

      1. The threat actors did not succeed.

      2. But we can imagine the severe consequences if they did.

      3. The loss of electricity and heating would be the start.

      4. Thereafter, factories, hospitals, airports and trains, anything that relies on power, would potentially all come to a standstill!

Singapore’s Telcos Attacked

  1. This is why we do not take lightly the attack mounted by UNC3886.

  2. At a broader level, if such cyber threats are not properly dealt with,

    1. We may eventually allow the attackers to steal national secrets.

    2. In the worst scenario, the disruption of essential services can cripple economies and weaken a nation’s ability to protect its citizens.

    3. It is precisely because the impact can be so severe that APTs are often state-sponsored.

  3. Therefore, since UNC3886 was discovered, CSA and relevant partner agencies have been working closely with the affected companies to investigate the attack and ensure our systems remain safe to use.

    1. Our investigations show that the attacks by UNC3886 were a deliberate, targeted, and well-planned campaign against our telecommunications sector.

    2. All four of our major telcos – Singtel, StarHub, M1 and Simba – have been targets of attacks.

  4. In what ways could we see the sophistication of UNC3886?

    1. In one instance, they used a zero-day exploit – a hidden flaw, with no known fix.

    2. This is like finding a new key that no one else had found, to unlock the doors to our telcos’ information system and networks.

    3. Once it gained entry, UNC3886 managed to steal a small amount of technical data – likely data that will help them to understand the terrain and what they are dealing with.

  5. Like other APTs, UNC3886 also used advanced techniques to cover their tracks and evade detection. This made it a bigger concern.

    1. First, they were more capable of accessing sensitive information for espionage.

    2. Second, they could deploy more tools to disrupt telecoms and internet services. Everything that requires a phone or internet connection would then be affected.

    3. The knock-on effects of their campaign could also have included other essential services like banking and finance, transport, and medical services.

  6. There is no shortage of examples overseas that show the damages caused by compromised telco infrastructure.

    1. In April of last year, an attack on SK Telecom in South Korea exposed the SIM data of nearly 27 million users.

    2. Last year, US authorities reported that APT group Salt Typhoon had infiltrated a large number of US telecommunications providers and may have obtained sensitive military or law enforcement information.

  7. Successful cyber-attacks can also affect the trust and confidence in Singapore as a whole, and our economic security.

    1. We are a trusted international financial, logistics centre. Many MNCs also choose to house their global headquarters here because of our safe and reliable digital connectivity.

    2. Businesses may shy away from Singapore if they are unsure about our systems – whether the systems are clean, resilient, and safe.

Operation Cyber Guardian

  1. So far, the attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere.

    1. This is not a reason to celebrate.

    2. Rather it is to remind ourselves that the work of our cyber defenders matters.

    3. We depend on their vigilance and hard work to keep Singaporeans safe.

  2. Who are these cyber defenders and what did they do in this case? Allow me to share a few examples:

    1. Mr Alex Aw is a senior cybersecurity consultant with CSA’s National Cyber Incident Response Centre. He and his team were one of the first responders to the incident, executing strategies to contain the attack and collect evidence for forensic investigation.

    2. Mr Anson Yap, a Threat Intelligence and Response specialist from IMDA, and ME5 Eugene Tay, from the Cyber Protection Group of the Digital Intelligence Service, led teams to study the affected networks and hunt for threats within the telco networks.

    3. There are many others like them across our agencies and in our telcos, who work round the clock to monitor and detect potentially hostile activities across their systems.

  3. Upon discovery of the breach, cyber defenders in the telcos promptly alerted IMDA and CSA.

    1. CSA, IMDA, and other government agencies swiftly launched a coordinated response in partnership with our telcos, to contain the breach.

    2. A multi-agency effort, codenamed Operation CYBER GUARDIAN, was mounted.

  4. Operation CYBER GUARDIAN is the largest coordinated cyber response from Singapore to date.

    1. It involved more than 100 cyber defenders across six government agencies – CSA, IMDA, the SAF’s Digital and Intelligence Service (DIS), Centre for Strategic Infocomm Technologies (CSIT), Internal Security Department, and GovTech – all working in close partnership with our telcos.

    2. Operation CYBER GUARDIAN has managed, for now, to limit the attackers’ activities.

  5. So far, our attackers have not been able to get further into our telco networks.

    1. In one instance, they were able to gain access to a few critical systems, but did not get far enough to have been able to disrupt services.

    2. There is also no evidence thus far to suggest that the attackers were able to access or steal sensitive customer data from our telcos.

  6. It is not a given that the public and private sectors work as closely as they did to implement Ops CYBER GUARDIAN. We have been able to do so, due in large part, to our national doctrine of cyber defence.

    1. In 2020, government agencies came together to author a classified document that outlines Singapore’s approach to cyber defence. It guides our approach to capability development, and outlines the roles and responsibilities of both the public and private sector in our cyber defence, and the actions that should be undertaken during a cyber incident. We have been working on this and practicing our plans for several years, but this is the first time we have implemented the plan in an actual operation.

    2. For a digitally connected country like Singapore, the coordinated approach laid out in the doctrine ensures that we are able to effectively protect our cyberspace, with the resources we have available.

Cyber Defence: A continuing fight and a shared responsibility for all

  1. But we must also be realistic.

  2. Whilst our collective defensive efforts have contributed to containing the attacks so far, we are up against very sophisticated and persistent actors.

    1. Some are backed by countries with formidable resources both in manpower and technology.

    2. These threat actors will not give up so easily to regain a firmer foothold in our telco systems.

  3. We must also be prepared that our other critical infrastructure, such as our power, water and transport systems may be targeted. After all, they are common targets in other countries!

  4. In short, the fight continues, and we must all do our part.

  5. Our critical infrastructure operators, many of whom are private companies, play an especially important role.

    1. You are at the frontlines of the battle against cyber threat actors. Your actions, or inaction, can determine whether we succeed or fail in protecting our critical infrastructure, and our national security.

    2. I urge all of you to continue investing in upgrading your capabilities as well as your systems.

    3. Leaders, including at the Board and Management levels, must also take cybersecurity seriously and provide close oversight to their teams.

  6. The Government will continue to partner you closely in this.

    1. We have been organising cybersecurity exercises like Exercise Cyber Star and CIDEX to improve our readiness and incident response.

    2. As shared previously, we have also taken steps to share classified threat intelligence with critical infrastructure operators to facilitate early threat detection and response.

  7. But even as we try our best to prevent and detect cyber-attacks, we may not always find ourselves in a position to stop all of them. We must therefore be prepared for the threat of disruption. This is also why the focus of this year’s Total Defence exercise is readiness in the face of disruptions.

Conclusion

  1. In conclusion, today’s event recognises the vital role of our cyber defenders. Your good work helps keep Singaporeans safe.

  2. At the same time, we acknowledge the need to work together as a team, so that we can be effective against very sophisticated adversaries.

  3. Let’s keep up the strong partnership to collectively protect everything we care about in Singapore. Thank you very much.


Back to top