On the 1st, the first day of a six-day holiday, a notice posted at the SK Telecom Roaming Center in Incheon International Airport Terminal 1 states that only departing travelers can replace their SIM cards that day. /Courtesy of News1

Regarding the hacking of SK Telecom's subscriber authentication server, there are indications that a hacking group believed to be based in China may be behind it. The malware used in the attack, "BPFDoor," is a Linux backdoor built around evasion, and both domestic and overseas security researchers report that it may have been used in a targeted cyber operation against South Korea's telecommunications infrastructure.

According to the security industry on the 2nd, the public-private joint investigation team looking into the SK Telecom breach said four variants of BPFDoor malware were confirmed on the subscriber authentication server (HSS, Home Subscriber Server). The malware lies dormant on the host and opens no listening port of its own; it attaches a packet filter to a raw socket and acts only when an incoming packet carries a specific trigger sequence (commonly called a "magic packet"). Because nothing appears in a port scan or an inventory of listening services, and because each variant is rebuilt with different file hashes, conventional hash-based and signature-matching detection struggles to catch it.

In a recent report, the global security vendor Trend Micro said the China-linked APT (Advanced Persistent Threat) group it tracks as "Earth Bluecrow" (known to other vendors as "Red Menshen") may have attacked Korean telecommunications networks with BPFDoor between July and December last year. Trend Micro assesses the group as operating with state-level resources and describes BPFDoor as a backdoor built for cyber espionage.

According to the report, BPFDoor was first publicly documented in 2021 and gives the operator remote control of a compromised host once a specially crafted packet reaches it, without the implant having to listen on a port of its own. Trend Micro is also analyzing a controller component used by Earth Bluecrow to drive the backdoor, which it says differs from the publicly available BPFDoor code.

Domestic security firm Genians likewise warned in a separate technical report that BPFDoor's source code has circulated openly, spawning many variants, so that traditional antivirus and signature-based security tools are in practice unable to detect it reliably. Genians said the realistic countermeasures are to query socket information on the host directly with manual commands and to look for anomalous process behavior with an Endpoint Detection and Response (EDR) solution.
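The socket check Genians recommends can be scripted. A BPFDoor-style implant does not bind a TCP or UDP port, so netstat-style listings of listening services show nothing; the raw AF_PACKET socket it waits on is still recorded in /proc/net/packet, however, and the process holding it can be found by walking /proc/<pid>/fd. The script below, an added example and not code from the article, the investigation team, Trend Micro or Genians, joins those two views and flags packet-socket owners that are not usual suspects. The allowlist of legitimate packet-socket users, the list of suspect executable locations and the sample /proc data are all constructed for illustration and must be tuned to the fleet being examined.

```python
#!/usr/bin/env python3
"""Triage AF_PACKET sockets on a Linux host to find hidden packet-filter listeners.

Added example. Reads /proc/net/packet (every raw/packet socket in this network
namespace) and maps each socket inode to its owning process via /proc/<pid>/fd,
then flags owners that are not expected to hold packet sockets.
"""
import os
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical allowlist of daemons that legitimately open packet sockets.
# Illustrative only; adjust for the distributions and agents in your fleet.
KNOWN_PACKET_USERS = {"dhclient", "dhcpcd", "NetworkManager",
                      "systemd-networkd", "tcpdump", "lldpd"}

# Paths an implant may run from after copying itself off the normal filesystem.
SUSPECT_EXE_PREFIXES = ("/dev/shm/", "/tmp/", "/var/tmp/", "/run/")


@dataclass
class PacketSocket:
    inode: int
    sock_type: int        # 3 = SOCK_RAW, 2 = SOCK_DGRAM
    proto: int            # ETH_P_* value: 0x0800 = IPv4 frames, 0x0003 = all frames
    pid: Optional[int]
    comm: Optional[str]
    exe: Optional[str]
    reasons: list         # empty list means nothing unusual was found


def parse_proc_net_packet(text: str) -> list[dict]:
    """Parse /proc/net/packet. Columns: sk RefCnt Type Proto Iface R Rmem User Inode."""
    out = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 9:
            continue
        out.append({"sock_type": int(f[2]), "proto": int(f[3], 16),
                    "iface": int(f[4]), "inode": int(f[8])})
    return out


def map_socket_inodes(proc_root: str = "/proc") -> dict[int, tuple[int, str, str]]:
    """Walk /proc/<pid>/fd and map socket inode -> (pid, comm, exe link target)."""
    table = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        pdir = os.path.join(proc_root, name)
        try:
            fds = os.listdir(os.path.join(pdir, "fd"))
        except OSError:               # process exited, or not ours without root
            continue
        try:
            comm = open(os.path.join(pdir, "comm")).read().strip()
        except OSError:
            comm = "?"
        try:
            exe = os.readlink(os.path.join(pdir, "exe"))   # ends in " (deleted)" if unlinked
        except OSError:
            exe = "?"
        for fd in fds:
            try:
                target = os.readlink(os.path.join(pdir, "fd", fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m:
                table[int(m.group(1))] = (pid, comm, exe)
    return table


def triage(packet_text: str, inode_table: dict) -> list[PacketSocket]:
    """Join the two views and attach a reason for every anomaly found."""
    results = []
    for s in parse_proc_net_packet(packet_text):
        pid, comm, exe = inode_table.get(s["inode"], (None, None, None))
        reasons = []
        if pid is None:
            reasons.append("owner not visible (run as root to resolve all fds)")
        else:
            if comm not in KNOWN_PACKET_USERS:
                reasons.append(f"unexpected packet-socket owner '{comm}'")
            if exe and (exe.endswith(" (deleted)") or exe.startswith(SUSPECT_EXE_PREFIXES)):
                reasons.append(f"executable {exe}")
        results.append(PacketSocket(s["inode"], s["sock_type"], s["proto"],
                                    pid, comm, exe, reasons))
    return results


def suspicious(results: list[PacketSocket]) -> list[PacketSocket]:
    return [r for r in results if r.reasons]


# Constructed sample (not captured from a real host) so the logic runs offline:
# a normal DHCP client next to a process with a spoofed name running a deleted binary.
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      21840
0000000000000000 3      3    0800   0     1 0      0      35121
"""
SAMPLE_INODES = {
    21840: (712, "dhclient", "/usr/sbin/dhclient"),
    35121: (4031, "udevd", "/dev/shm/kdmtmpflush (deleted)"),
}

if __name__ == "__main__":
    with open("/proc/net/packet") as fh:
        for r in triage(fh.read(), map_socket_inodes()):
            flag = "SUSPECT" if r.reasons else "ok"
            print(f"[{flag}] inode={r.inode} pid={r.pid} comm={r.comm} "
                  f"proto=0x{r.proto:04x} exe={r.exe} {'; '.join(r.reasons)}")
```

Run it as root, since /proc/<pid>/fd of other users' processes is unreadable otherwise and every unresolved socket will be reported as such. Two caveats apply: /proc/net/packet shows only the current network namespace, so containers must be checked from inside their namespace, and both the process name and the executable path are under the implant's control, so an empty result is not a clean bill of health. To see the attached filter itself, `ss -0pb` lists packet sockets together with their owning process and the BPF bytecode, which is the artifact a magic-packet listener cannot do without.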