SK Telecom headquarters in Jung-gu, Seoul. /Courtesy of News1

The eight types of malicious code recently discovered in the SK Telecom hacking incident were found on three home subscriber servers (HSS), the same servers where the initially detected malicious code resided.

On the 7th, according to Rep. Choi Su-jin of the People Power Party, who investigated the incident through a public-private joint investigation team, the team confirmed that the eight types of attack malware recently made public in the SK Telecom incident originated from three HSS servers.

These servers are among a total of 14 servers that distributed SK Telecom subscriber information, and the four types of malicious code discovered initially were also found on them.

The investigation team is conducting a forensic analysis of the timing and circumstances of the malware's infiltration, and it noted that the exact time the code was created is still being verified. The creation time is a crucial clue for tracking the hackers' activities and may reveal the actions of those who infiltrated SK Telecom's internal network.

Whether the three HSS servers with the additional malicious code are interconnected or each isolated on its own closed network is also considered an important factor. If the servers were interconnected through the internal network, lateral movement could have occurred, allowing the malicious code to spread to other servers.

SK Telecom stated that the hacked servers were operated on closed networks, and there is also speculation that the hacking occurred through VPN vulnerabilities. SK Telecom explained that it used the foreign product Ivanti and the domestic product SecuWiz as VPN devices for the affected servers.