Employees demonstrate the SIM card rerouting at an SK Telecom store in downtown Seoul. /Courtesy of Yonhap News

A hacking attack targeting SK Telecom has been investigated and found to have started at least three years ago. The scale of leaked subscriber identification module (USIM) information identified so far amounts to 27 million records. A total of 25 types of malware were used in the attack (24 types from the BPFDoor family and 1 web shell), and a total of 23 infected servers were counted. This represents an increase of 21 malware types and 18 servers compared to the first report released by the government.

The Ministry of Science and ICT announced the second findings of the joint investigation team into the SK Telecom intrusion on the 19th. Following the first investigation results announced on the 29th of last month, additional confirmed circumstances of the intrusion were revealed. The scale of leaked USIM information announced in the first results was reported to be 9.82 gigabytes (GB), equivalent to 26,957,749 records counted by subscriber identification key (IMSI).

The investigation team also confirmed that the initial malware was installed on June 15, 2022. Whether data was leaked between that date and December 2 of last year, a period for which no log records were retained, has not yet been determined. However, the team said there was no data leakage during the period for which firewall log records were available, from December 3 of last year to April 24 of this year. The investigation team noted, 'On the 11th, after confirming the servers where personal information is stored, we demanded that the service provider verify the possibility of data leaks and take measures to prevent damage to the public caused by this, even before a detailed analysis was completed.'

The investigation team publicly released four types of malware used in the SK Telecom intrusion on the 25th of last month and added eight more types on the 3rd of this month. In addition, 12 further types from the BPFDoor family and 1 web shell were revealed to have been discovered. The investigation team has provided 6,110 government agencies, public institutions, and corporations with methods for building tools that can detect not only the characteristics of the malware discovered but also all known BPFDoor variants at home and abroad. The investigation team stated, 'The 25 types of malware discovered to date have been dealt with.'

The investigation team also confirmed that a total of 23 servers are currently infected. This means that an additional 18 servers with circumstantial evidence of attacks have been identified since the first announcement. For 15 of these servers, forensic analysis and detailed analysis have been completed, while analysis of the remaining eight servers is underway. At the same time, a fifth inspection is being conducted to detect and remove other malware.

The investigation team previously focused on examining the malware status of the 38 servers where the unique device identifier (IMEI) was stored, confirming that 'there was no leakage of IMEI information.' However, in this announcement it stated, 'During the detailed forensic analysis of servers infected with malware, it was confirmed that files temporarily stored in linked servers for a certain period included IMEI information and various personal data (names, birth dates, phone numbers, emails, etc.).' Among the stored files identified by the investigation team, there are a total of 291,831 IMEI records.

The investigation team plans to conduct a thorough inspection of the entire SK Telecom server system by June. After a focused inspection of Linux servers to confirm the initial discovery of BPFDoor infections, it is expanding the scope of inspection to all servers, including Linux, to check for other malware infections. These second findings cover information identified across four inspection rounds.

Graphic=Son Min-kyun

To date, the investigation team has conducted four inspections of about 30,000 SK Telecom Linux servers. The four rounds of intensive inspection are being carried out to confirm the possibility of attacks on other servers, given the characteristics (stealth, potential for deep penetration) of the BPFDoor malware identified in the first inspection. The fourth inspection is being conducted using a tool that can detect all 202 known BPFDoor malware variants at home and abroad.

Inspections 1 to 3 were conducted by SK Telecom’s self-assessment, followed by verification by the investigation team. The fourth inspection was conducted directly by the investigation team with the support of personnel from the Korea Internet & Security Agency (KISA).

Regarding personal information, the investigation team reported that matters requiring detailed investigation by the Personal Information Protection Commission had arisen and notified the commission that personal information was included in the affected data. It also shared the server data secured by the investigation team with the Personal Information Protection Commission on the 16th, with the consent of the service provider.

The investigation team stated, 'In the future, if circumstances arise during the investigation of intrusion incidents that could cause damage to the public, we will transparently disclose this and require service providers to respond quickly, while devising countermeasures at the government level.'