Latest news with #BPFdoor


Korea Herald, 04-07-2025 (Business)
SKT's negligence led to massive hacking, ministry confirms
The South Korean government concluded Friday that SK Telecom failed to take proper action to prevent a massive hacking attack that leaked about 10 gigabytes of sensitive subscriber data, with the intrusion dating back to as early as August 2021. Authorities ordered the company to allow customers to cancel contracts without paying early termination penalties, a move that could potentially cost the telecom giant billions of won.

The Ministry of Science and ICT announced the results of a joint public-private investigation, confirming that hackers first planted malware inside SKT's internal servers on Aug. 6, 2021, about 10 months earlier than initially estimated. 'SKT failed to fulfill its security obligations to protect subscriber data and deliver secure telecommunication services,' Vice Minister Ryu Je-myung of the Science Ministry said.

A forensic inspection of more than 42,600 servers uncovered 33 types of malware, including 27 BPFdoor variants. The hackers infiltrated a server connected to SKT's network management system and planted malicious code there to reach the Home Subscriber Servers, from which they exfiltrated 9.82 GB of USIM subscriber data covering nearly all of SKT's customers: 26.96 million subscriber identifier records. Investigators also found that device identifiers, personal data and call detail records had been stored in plaintext rather than encrypted. No evidence of leaks was found for the periods covered by existing firewall logs, but the ministry warned that it could not rule out exposure during the gaps in those logs.

Authorities also flagged a supply chain vulnerability after discovering malicious code embedded in third-party software used by an SKT vendor. The code had been installed on 88 SKT servers, but there was no evidence that it was ever executed or led to data leaks.

'SKT detected abnormal server reboots in February 2022 and even discovered malware on one server during an internal check, but did not report the incident to authorities at the time. It violated the notification obligations,' Ryu said. Ryu also identified weaknesses in SKT's overall cybersecurity posture, including insufficient investment and staff, and a corporate CISO whose responsibilities were limited to IT systems rather than covering the carrier's core networks.

The ministry ordered SKT to adopt multifactor authentication for server access, retain firewall and system logs for at least six months, and elevate the CISO role to report directly to the CEO. It also called for the deployment of advanced endpoint detection and response solutions, quarterly security inspections of all assets, and full encryption of the USIM authentication keys, a measure that rival carriers KT and LG Uplus have already implemented. The ministry further obligated the company to allow subscribers with time left on their contracts to cancel without penalties. SKT has estimated that if up to 5 million customers decide to leave, combined losses from waived penalties and lost revenue could exceed 7 trillion won.

"This SKT breach is a wake-up call for the entire telecommunications industry and our national network infrastructure. As Korea's top mobile carrier, SKT must prioritize cybersecurity," Science Minister Yoo Sang-im said.


Korea Herald, 21-05-2025
Who hacked S. Korea's largest telecom, and why? Growing concerns the SKT data breach wasn't just about money
Some suspect a sophisticated Chinese hacking group may be behind the attack, raising potential alarms over cyber security

Nearly three years before South Korea's largest telecom provider knew anything was wrong, hackers had already broken into SK Telecom's internal systems. This detail emerged from a briefing this Monday by the government's public-private joint investigation team, which is probing one of the country's most serious cybersecurity breaches in recent memory.

According to the investigation, the attackers first embedded malware on June 15, 2022. It remained hidden until last month, when more than 9 gigabytes of sensitive SIM-related data tied to approximately 25 million subscribers, including customers of SKT's budget MVNO carriers, was exfiltrated. Among the leaked data were 21 types of subscriber-related information, including identification numbers and SIM authentication credentials. What has not been confirmed is whether call records or other highly sensitive personal communications data were taken.

SK Telecom has said its call detail records (CDRs) are encrypted, but encryption alone may not be enough, warns Professor Kim Seung-joo of Korea University's Graduate School of Information Security. 'Even encrypted data is vulnerable if the keys aren't securely managed,' he said in a separate media interview on Tuesday. 'The same thing happened to nine US telecoms last year.' CDRs are highly valuable in state-backed cyber operations: unlike credit card data, they reveal patterns of communication and movement, making them ideal for tracking public officials and institutions, he explained.

The malware discovered on SK Telecom's servers included BPFdoor, a backdoor also used by Salt Typhoon, the Chinese-linked group behind the attacks on AT&T, Verizon and T-Mobile. South Korean investigators have not confirmed the attribution, but suspicion is growing.

Professor Lim Jong-in, a cyber defense expert at Korea University, told local radio on Wednesday morning that he suspects the Chinese hacking group Red Mansion may be behind the intrusion. The group is known for APT-style attacks. An APT (Advanced Persistent Threat) operation is typically slow-moving and well-funded, and is therefore conducted by nation-state actors rather than ordinary cybercriminals. 'Their yearslong persistence and stealth tell you this wasn't just about stealing data for profit,' said Professor Yum Heung-yeol, another cybersecurity scholar at Soonchunhyang University, according to a local media report on Wednesday. 'To compromise a core telecom operator without any spies or insider cooperation is not something amateur hackers can do.'

So far, no customers have reported cloned phones, suspicious charges or extortion attempts. That silence, together with the long-term nature of the breach, makes financial motives unlikely, the experts have all said. 'We are looking into multiple possibilities, including whether the attack was to steal data or to establish long-term access to deeper systems,' said Ryu Jae-myeong, director-general of network policy at the ICT Ministry and a member of the joint investigation team.