Threat actors have always sought advantage over their targets. Recently we’ve seen two efforts designed for long-term intelligence gain. This activity surfaced right where you would expect: inside the enterprise.

Enterprises now sit directly in the adversary’s collection path. They don’t have to be the target; they are on the board and in play because they ride on the same infrastructure the adversary is already exploiting. The CISO’s challenge is to ensure their organization doesn’t become an intelligence channel for someone else simply by virtue of how it connects to the world.

Convergence

Two unrelated campaigns are now intersecting across the same operational dependencies.

The overlap is not coordination; it’s the predictable byproduct of how modern infrastructure centralizes access. When everything routes through a handful of shared services, shared identity layers, and shared connectivity providers, the adversary doesn’t need to coordinate. They simply arrive through the same door.

The targeted collection surfaces are well understood: telecom routing, cloud adjacency, managed service channels, and identity federation. These are the connective tissues enterprises rely on to function. They are also the connective tissues adversaries exploit to monitor authentication, siphon data, and maintain long‑term access without ever touching the enterprise directly.

When actors with different missions arrive through the same dependencies, it signals a structural exposure problem. Because these dependencies are shared and unavoidable, the issue is not the individual campaign. It’s the architecture that allows both campaigns to operate upstream of the enterprise with minimal friction and maximum persistence.

Commercial spyware as an intelligence channel

Criminal operators deploying Predator, a spyware suite sold by the sanctioned Intellexa consortium, have been documented across more than a dozen countries. US sanctions haven’t slowed them down an iota. Their targets are not random: journalists, activists, politicians, human‑rights defenders, government employees and contractors, and other high‑value individuals. Why? These targets have access to information of value that extends well beyond the device. I’ve long posited that criminal entities operate with two goals in mind: enhance capability or monetize information.

The tradecraft we are seeing today follows the logical arc of the past decade: one‑click links, zero‑click exploit chains, network injection in some cases, and persistent device access. Predator is not a commodity tool. Predator is one of several device‑level compromises that become enterprise‑level exposures. It is a commercial espionage platform sold to governments or their proxies, and once deployed, it creates upstream surveillance capabilities that intersect directly with enterprise data flows, authentication systems, and service‑provider networks.

This is why it matters. These tools don’t just compromise individuals. They compromise the systems those individuals authenticate into, the networks they traverse, and the service providers that carry their traffic. They operate in the same shared dependencies enterprises rely on. The enterprise becomes part of the collection surface whether it wants to or not.

State‑aligned exploitation

In February 2026, Singapore disclosed that UNC3886, a sophisticated cyber‑espionage group, had penetrated the networks of all four major telcos servicing Singapore: Singtel, StarHub, M1, and Simba. The threat actors used zero‑days, rootkits, and advanced persistence techniques to gain long‑term access to backbone infrastructure and technical/network data.

Think about that for a moment: all four telcos with their infrastructure compromised. These companies serve as part of the country’s national infrastructure, supporting government, enterprise, and individuals alike. When a telco becomes a real‑time signals‑intelligence collection point, the adversary doesn’t need to break into your environment directly. They can collect from the pathways your environment depends on.

Singapore named the group but not the sponsor. Most external analysis immediately called UNC3886 China‑nexus. Palo Alto Networks Unit 42’s parallel “Shadow Campaigns” report on TGR‑STA‑1030 (UNC6619) used similar cautious language: a “state‑aligned group that operates out of Asia.”

The point is not attribution. The point is that the access was upstream, persistent, and structurally embedded. Regardless of point of origin, the CISO’s focus remains the same: Keep these actors from taking up residence in the infrastructure your organization and your clients depend on. The data‑protection problem is now structural. The collection is permanent. The access is embedded.

What does this mean for CISOs?

The operational implications are not theoretical. They are immediate and measurable.

  • Reevaluate exposure through the lens of shared dependencies, not just internal assets. Your environment is only one part of the attack surface. The dependencies you ride on are also collection points.
  • Strengthen visibility across telecom, cloud, MSP/MSSP, and identity pathways. If you cannot see upstream, you cannot defend downstream.
  • Treat upstream and downstream partners as active components of your threat surface. The adversary already does. Your governance model should reflect the same reality.
  • Demand attestation from telecom and cloud providers. If your upstream providers cannot demonstrate integrity, you inherit their exposure.
  • Reduce implicit trust in upstream pathways. Assume compromise in the infrastructure you do not control.
  • Harden the session layer. Device‑level compromise and upstream compromise both lead to the same outcome: the adversary can impersonate your users and collapse your identity layer. Assume token theft, assume impersonation, and design authentication flows that degrade safely under compromise. In other words, design so that if the adversary gets in, they can’t go far.
  • Shift detection toward low‑noise, long‑term access patterns typical of intelligence‑driven operations. These actors are not loud. They are patient, persistent, and structurally embedded.
  • Recognize the insurance implications. The Singapore telco breaches are the tipping point. Cyber insurers are now explicitly factoring in the risk of permanent APT residency in backbone infrastructure. Expect materially higher premiums, broader exclusions, and the genuine possibility that organizations riding unvetted telco or cloud providers could become uninsurable at renewal.
  • Integrate intelligence‑driven risk assessments into routine governance and architectural decisions. This is no longer a “nice to have.” It is a requirement for operating in an environment where upstream compromise is the norm, not the exception.
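As an added illustration of the session‑layer and detection points above (example code, not from the article or any vendor), the Python below runs two defensive checks over constructed authentication events and maps each finding to a response that degrades the flow to a stronger check rather than an outage. The first check flags a session token presented from two network paths or devices within a short window, the signature of a token replayed from upstream rather than carried by a roaming user; the second flags tokens that stay in use for weeks at very low volume, the quiet, long‑term pattern the article attributes to intelligence‑driven access. Token identifiers, ASNs, device names, thresholds and policy names are all hypothetical.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical values, not from any real environment).
# Each record is one presentation of a session token to the identity layer,
# tagged with the network it arrived from (ASN) and the device that presented it.
def _ev(ts, user, token, asn, device):
    return {"ts": datetime.fromisoformat(ts), "user": user, "token": token,
            "asn": asn, "device": device}

SAMPLE_EVENTS = [
    _ev("2026-02-01T09:00:00", "alice", "tok-A1", "AS64500", "dev-alice-laptop"),
    _ev("2026-02-01T09:30:00", "alice", "tok-A1", "AS64500", "dev-alice-laptop"),
    # Same token and device id, but arriving via a different network path
    # fifteen minutes later: consistent with the token being replayed upstream.
    _ev("2026-02-01T09:45:00", "alice", "tok-A1", "AS64511", "dev-alice-laptop"),
    _ev("2026-02-01T08:00:00", "carol", "tok-C1", "AS64500", "dev-carol-laptop"),
] + [
    # One quiet login per night for three weeks on a single long-lived token.
    _ev((datetime(2026, 2, 1, 2, 15) + timedelta(days=d)).isoformat(),
        "bob", "tok-B1", "AS64500", "dev-bob-phone")
    for d in range(21)
]


def token_reuse_across_paths(events, window=timedelta(hours=1)):
    """Flag a token presented from more than one network (ASN) or device
    within `window`. A legitimate user changes networks slowly; a stolen
    or replayed token shows up on two paths almost at once."""
    by_token = defaultdict(list)
    for e in events:
        by_token[e["token"]].append(e)
    findings = []
    for token, evs in by_token.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            path_changed = cur["asn"] != prev["asn"] or cur["device"] != prev["device"]
            if path_changed and cur["ts"] - prev["ts"] <= window:
                findings.append({"kind": "cross_path_reuse", "token": token,
                                 "user": cur["user"],
                                 "paths": [(prev["asn"], prev["device"]),
                                           (cur["asn"], cur["device"])]})
                break  # one finding per token is enough to act on
    return findings


def long_lived_low_volume(events, min_days=14, max_per_day=2.0):
    """Flag tokens that remain in use for at least `min_days` while being
    presented sparingly: long residency with little noise."""
    by_token = defaultdict(list)
    for e in events:
        by_token[e["token"]].append(e["ts"])
    findings = []
    for token, stamps in by_token.items():
        span_days = (max(stamps) - min(stamps)).days + 1
        per_day = len(stamps) / span_days
        if span_days >= min_days and per_day <= max_per_day:
            findings.append({"kind": "long_lived_low_volume", "token": token,
                             "span_days": span_days,
                             "events_per_day": round(per_day, 2)})
    return findings


# Response policy (hypothetical action names): the flow falls back to a
# stronger check instead of failing open, so a stolen token buys little.
POLICY = {
    "cross_path_reuse": "revoke_token_and_require_phishing_resistant_reauth",
    "long_lived_low_volume": "force_reauth_and_shorten_token_lifetime",
}


def respond(events):
    """Run both checks and attach the policy action to each finding."""
    findings = token_reuse_across_paths(events) + long_lived_low_volume(events)
    return [{"token": f["token"], "kind": f["kind"], "action": POLICY[f["kind"]]}
            for f in findings]


if __name__ == "__main__":
    for action in respond(SAMPLE_EVENTS):
        print(action)
```

Both checks work on fields an identity provider already logs (token id, source network, device id, timestamp), so they can run on exported sign‑in logs without touching the upstream providers the article says you cannot see into. The window and day thresholds are placeholders to tune against your own baseline.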

Strategic reality

Commercial (criminal) and state‑linked actors are moving through the same dependencies modern organizations rely on, and that overlap is now a defining feature of the operating environment.

These campaigns are not anomalies. CISOs should see them as a fortuitous heads-up. The question for CISOs is no longer whether adversaries will target their environment directly. The question is whether the infrastructure they depend on has already been turned into an intelligence platform for someone else, and whether they would even know if it had.
