TL;DR: Singapore confirmed on February 10 that Chinese state-linked hackers breached all four of the nation's major telecom carriers: Singtel, StarHub, M1, and Simba. The attackers used zero-day exploits to bypass firewalls, planted rootkits for long-term access, and stole network architecture data. Singapore's response, dubbed "Operation Cyber Guardian," involved 11 months of defensive operations across multiple government agencies, the largest coordinated cyber incident response in the country's history. The government says no customer data was stolen and services weren't disrupted, but the attackers got exactly what they wanted: detailed maps of telecom infrastructure they can exploit later.
No One Escaped
The hackers didn't pick their targets randomly. They hit every major telecom in Singapore [1]. That's not a surgical strike: it's a sweep.
- Singtel: Southeast Asia's largest telecom by revenue, with operations across 21 countries
- StarHub: Singapore's second-largest carrier
- M1: Third largest, popular for mobile services
- Simba Telecom: Mobile virtual network operator
Singapore attributes the attack to a group called UNC3886, described by security researchers as a "China-nexus cyber espionage group" with ties to China's Ministry of State Security [1]. The tactics match Salt Typhoon, the same campaign that burrowed into AT&T, Verizon, and telecom networks across 80 countries [2].
Singapore officially declined to publicly blame China. But when your intelligence agencies say "China-nexus" and independent researchers say "Salt Typhoon," the attribution is clear enough.
Zero-Days and Rootkits
The attackers weren't amateurs. They used at least one previously unknown zero-day vulnerability (a flaw no one knew existed) to bypass a telecom's perimeter firewalls [1].
Once inside, they deployed rootkits. These are the digital equivalent of hiding in the foundation of a house. Rootkits embed themselves deep in a system's core, surviving reboots and often evading detection for months or years. They're designed for one thing: long-term persistence [1].
Singapore's Cyber Security Agency confirmed the attackers stole "limited technical data, primarily network architecture information" [3]. That sounds benign until you realize what network architecture maps actually are: blueprints for future attacks.
If you know how a telecom's systems connect, where the servers sit, how traffic routes through switches and routers, you can find soft spots to exploit later. You can position yourself for wiretap access: the same access Salt Typhoon used in the US to compromise FBI surveillance infrastructure.
Eleven Months in the Trenches
Singapore's response was massive. "Operation Cyber Guardian" ran for 11 months across multiple government agencies, including the Cyber Security Agency, the Infocomm Media Development Authority, and the Centre for Strategic Infocomm Technologies [3].
The operation involved:
- Closing every access point the attackers had established
- Enhanced monitoring across all four carriers
- Coordination between government defenders and private sector security teams
- Threat hunting to identify any remaining footholds
This is the largest coordinated cyber incident response in Singapore's history. When your entire telecom infrastructure gets breached by a foreign government, you don't send a memo, you go to war.
What They Took (And What They Didn't)
Singapore's government says no customer data was stolen and services weren't disrupted [1]. That's the good news.
But here's what the Cyber Security Agency actually said: "The attack by UNC3886 has not resulted in the same extent of damage as cyberattacks elsewhere" [3].
Read that carefully. "Not the same extent of damage as elsewhere." They're comparing Singapore to what happened in the US, where Salt Typhoon compromised:
- Call metadata from over a million users in the Washington D.C. area
- Audio recordings of phone calls from political targets, including Trump and Vance campaign staff
- CALEA wiretap systems: the infrastructure the FBI uses for court-authorized surveillance
- Potentially, email accounts used by congressional staff [4]
Singapore caught them faster. But the hackers still got network architecture data. They mapped the terrain. That information has value for years.
The Global Picture
Singapore is just the latest confirmation in what the FBI calls one of "the most consequential cyber espionage breaches" in US history [2]. Here's the current scope:
- 80+ countries targeted: The FBI says Salt Typhoon hackers hit organizations across more than 80 nations
- 200+ US organizations: Including AT&T, Verizon, T-Mobile, and Lumen Technologies
- Norway confirmed February 6: Norwegian intelligence called it the country's "most serious security situation since World War II"
- Singapore confirmed February 10: All four major carriers breached
- UK, Canada, and others: Joint advisories from Five Eyes intelligence partners suggest even wider impact
This isn't a series of isolated incidents. It's a coordinated global campaign to compromise the infrastructure that carries your phone calls, texts, and internet traffic.
Singapore Told the Truth. AT&T and Verizon Won't.
Here's what's infuriating about Singapore's disclosure: it makes US telecoms look even worse.
On February 5, Senator Maria Cantwell revealed that AT&T and Verizon are actively blocking Congress from seeing security assessments about the Salt Typhoon breach [5]. Mandiant (the Google-owned cybersecurity firm that conducted the assessments) declined to hand over materials after receiving direction from both telecoms [5].
"AT&T and Verizon CEOs need to come clean," Cantwell said, demanding a public hearing [5].
Singapore, a city-state of 5.9 million people, published details about their breach, named the threat actor, described the attack methods, and explained their response. Two American telecoms with over 200 million combined subscribers won't even let Congress see their homework.
Senator Cantwell is now threatening subpoenas [5]. Meanwhile, reports suggest Salt Typhoon hackers may have breached email accounts used by congressional staff, including those on the House Intelligence and Armed Services committees [4].
What You Can Do
Salt Typhoon targets telecom infrastructure. That means your carrier's network (the system that handles your calls, texts, and data) may be compromised regardless of what phone you use. Here's how to protect yourself:
- Use end-to-end encrypted messaging. Signal encrypts your messages so even if the network is compromised, your content stays private. Regular texts and phone calls travel through the same infrastructure Salt Typhoon penetrated.
- Switch to authenticator apps for 2FA. SMS-based two-factor authentication uses your carrier's network. If that network is compromised, so are your text-based codes. Use an authenticator app instead.
- Assume your call metadata is logged. Who you called, when, and for how long: this data was compromised in the US attacks. Act accordingly.
- Use a VPN for sensitive activities. A VPN encrypts your internet traffic before it reaches your carrier's infrastructure.
The Bottom Line
Singapore's disclosure confirms what security researchers have been warning for months: Salt Typhoon is a global operation targeting telecom infrastructure worldwide. The attackers are sophisticated, patient, and well-resourced. They use zero-days. They plant rootkits. They map networks for future exploitation.
Singapore mounted an 11-month defensive operation and was relatively transparent about what happened. The US, with nine confirmed breached telecoms and compromised wiretap infrastructure, still can't get straight answers from its own carriers.
If you're waiting for your telecom to tell you whether your data was compromised, you'll be waiting a long time. Protect yourself now.
Sources
- TechCrunch: "Singapore says China-backed hackers targeted its four largest phone companies" (February 10, 2026)
- Nextgov: "Salt Typhoon hackers targeted over 80 countries, FBI says" (August 2025)
- Help Net Security: "Singapore telcos breached in China-linked cyber espionage campaign" (February 10, 2026)
- Senate Commerce Committee: "Cantwell Demands AT&T, Verizon CEOs Come Clean on Salt Typhoon Hacks" (February 2026)
- CyberScoop: "Cantwell claims telecoms blocked release of Salt Typhoon report" (February 2026)