Chinese-linked APT exploits zero-day and rootkits against Singapore telcos
Recommended for you

Dell RecoverPoint Zero-Day Exploited by China-Linked Cyberespionage Group
A China-linked espionage cluster abused a hardcoded-credential flaw in Dell RecoverPoint for Virtual Machines to escalate privileges, move laterally, and deploy bespoke malware; Dell released patch 6.0.3.1 HF1 and vendors published IoCs and behavioral indicators. The incident underscores a broader trend of rapid weaponization of management and recovery tooling, forcing organisations to pair urgent patching with compensating network controls and extended telemetry into virtualization stacks.

Cisco firewall zero-day exploited by Interlock, Amazon intel shows
Amazon threat researchers link a critical Cisco firewall flaw, tracked as CVE-2026-20131, to active Interlock ransomware operations and show exploitation began weeks before Cisco’s March patch. Government and vendor telemetry (including CISA advisories and independent vendor reports) broaden the picture: large-scale automated scanning and follow-on exploitation were observed across many appliances, prompting published IoCs and urgent hunt guidance.

Google GTIG: Zero‑Day Exploits Shift Toward Enterprise Targets in 2025
Google’s GTIG logged 90 exploited zero‑days in 2025 and a record portion hit enterprise infrastructure; commercial spyware vendors and OS flaws drove much of the shift. Field cases — including a long‑running WinRAR exploit and rapid weaponization of disclosed appliance flaws — illustrate how automation and exploit brokerage compress the timeline from discovery to impact.

Salt Typhoon hackers believed to be retaining stolen telecom data for later exploitation
An FBI cyber official warned the China-linked group Salt Typhoon likely preserved exfiltrated telecom records as a long-term intelligence cache rather than for immediate monetization. Investigators say the intrusion touched dozens of providers and may involve data tied to more than one million U.S. residents, heightening risks from future targeted surveillance and fraud.

APT37 expands toolkit to pierce air gaps using removable media and cloud C2
Zscaler observed a December 2025 APT37 campaign that combined five newly identified modules — including a memory‑resident loader, a backdoored interpreter runtime, a USB relay spreader and an Android surveillance app — to pierce air‑gapped enclaves while using a mainstream cloud storage service for command-and-control. Defenders should couple stricter removable‑media controls with identity‑first telemetry and cross‑service signal fusion; platform takedowns help but do not eliminate the underlying tradecraft.

China-linked actors exploited hosting compromise to hijack Notepad++ updater
Notepad++ disclosed that attackers, likely backed by China, used a compromised shared hosting environment to selectively reroute users to malicious update servers. The project moved hosting and added client-side update verification after the intrusion, which persisted in part from June through December 2025.

Cisco SD‑WAN Compromised; CISA and Five Eyes Order Emergency Hunts
CISA and Five Eyes partners warned of active exploitation against Cisco SD‑WAN, flagging two tracked CVEs and urging immediate hunts, log preservation, and patching. The alert joins a string of rapid, high‑impact exploit events (Fortinet, SolarWinds and other KEV additions), compressing remediation windows and forcing both near‑term incident response and longer‑term edge‑device inventory and replacement planning.

Zimbra: Russian APT exploits stored XSS to siphon mailbox data
A stored XSS in Zimbra Classic UI (CVE-2025-66376, CVSS 7.2) has been weaponized in targeted campaigns that exfiltrate up to three months of mailbox content. CISA added the flaw to its KEV list and ordered federal patching within two weeks, driving urgent remediation across public and private mail platforms.