A customer of SK Telecom is replacing a SIM card. /Courtesy of News1

SK Telecom has been hacked, and according to the government's investigation results, four types of information usable for SIM (Subscriber Identity Module) card cloning, including phone numbers, were leaked. A further 21 types of management information needed to process SIM data were also leaked. It has, however, been confirmed that the devices' unique identification numbers (IMEI) were not leaked.

The Ministry of Science and ICT announced the first results of its investigation into the 'SK Telecom intrusion incident' on the 29th. These are the initial findings of a public-private joint investigation team that has been examining the theft of SK Telecom's SIM information for a week. While the method of attack and the types of leaked information were disclosed, the exact scale of the damage and the timing of the hacking were not. A Ministry of Science and ICT official said, "This was announced early to prevent further social chaos," adding, "Detailed information will be disclosed after further investigation."

The investigation team examined five servers of three types at SK Telecom that are suspected of having been attacked. So far it has found that four types of information usable for SIM cloning, including subscriber phone numbers and subscriber identifiers (IMSI, the International Mobile Subscriber Identity), were leaked. A further 21 types of management information needed to process SIM information were also found to have been leaked. The team is expanding its examination to other servers that hold important information.

Four malware variants from the BPFDoor family were used in the attack. BPF (Berkeley Packet Filter) is a packet-filtering facility built into the Linux kernel and normally used for network monitoring and filtering. The investigation found that a backdoor abusing this facility was used in the hacking of SK Telecom's SIM data. Publicly documented BPFDoor samples attach a BPF filter to a raw packet socket and wait passively for a trigger packet instead of opening a listening port, which is why such implants do not show up in port scans or in the listening-socket view of netstat. To prevent the spread of damage, the investigation team shared related information with private companies and institutions on the 25th.

BPFDoor is known as a tool used primarily by a Chinese hacker group; it was first reported in a 2021 threat report by PwC. According to a report by the security vendor Trend Micro, an Advanced Persistent Threat (APT) group carried out BPFDoor attacks against South Korean telecommunications companies in July and December of last year, but it has not been confirmed whether the target was SK Telecom.

The investigation team confirmed that "there has been no leak of the device's unique identification number (IMEI)" and stated, "Currently, if customers subscribe to SK Telecom's SIM protection service, they can prevent illegal activities such as 'SIM swapping', which would involve cloning a SIM with the leaked information and using it in another mobile phone." The Ministry of Science and ICT has urged SK Telecom to introduce a reservation system so that customers can sign up for the SIM protection service, and to expand the channels through which they can do so.

SK Telecom detected signs of the intrusion on the 18th and reported them to the Korea Internet & Security Agency (KISA) about 45 hours later, at 4:46 p.m. on the 20th. On the 23rd, the Ministry of Science and ICT formed a public-private joint investigation team of about 10 security industry experts to identify the cause of the incident and the scale of the damage.