As the world continues to suffer from hacking attacks originating from China, warnings are mounting that Korea, too, could become a victim. The BPF (Berkeley Packet Filter) door malware used in the SK Telecom hacking incident is found to be a method frequently used by Chinese hackers. There is a growing opinion within the industry that the Korean government should use this incident as an opportunity to scrutinize the entire domestic information security industry.
The BPF door malware refers to code that abuses 'BPF,' a network filtering function in the Linux kernel, in order to avoid detection by security devices. BPF allows authenticated server administrators to inspect communication data, and is normally used to monitor for intruders. In simple terms, BPF door turns this capability into a backdoor: hackers can extract the information they want through this 'fake BPF' backdoor. Because the existence of such a backdoor is not easy to detect, hackers may commit crimes over a long period without the breach being noticed.
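One defender-side check that follows from the description above, written here as an added example rather than code from the article or from any vendor: a kernel-filter backdoor of this kind has to hold a raw packet socket to watch traffic without opening a listening port, so enumerating raw AF_PACKET sockets from /proc/net/packet and mapping them to their owning processes gives an administrator a starting point for hunting. The /proc layout used, the "ETH_P_ALL is suspicious" rule and the sample table are assumptions and constructed data.

```python
"""Hunt for processes holding raw AF_PACKET sockets (added example, not article code).
Assumes the Linux /proc/net/packet table layout; SAMPLE below is constructed data."""
import glob
import os
import re
from dataclasses import dataclass


@dataclass
class PacketSocket:
    proto: int  # link-layer protocol filter; 0x0003 (ETH_P_ALL) captures every frame
    iface: int  # interface index, 0 means all interfaces
    user: int   # owning uid
    inode: int  # socket inode, used to locate the owning process


def parse_proc_net_packet(text: str) -> list[PacketSocket]:
    """Parse the /proc/net/packet table (header: sk RefCnt Type Proto Iface R Rmem User Inode)."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 9:
            continue
        sockets.append(PacketSocket(proto=int(fields[3], 16), iface=int(fields[4]),
                                    user=int(fields[7]), inode=int(fields[8])))
    return sockets


def suspicious(sock: PacketSocket) -> bool:
    """Flag sockets that sniff all protocols on all interfaces (assumed hunting heuristic)."""
    return sock.proto == 0x0003 and sock.iface == 0


def inode_owners(inodes: set[int], proc_root: str = "/proc") -> dict[int, list[int]]:
    """Map socket inodes to PIDs by reading /proc/<pid>/fd/* symlinks (socket:[inode])."""
    owners: dict[int, list[int]] = {}
    for fd in glob.glob(f"{proc_root}/[0-9]*/fd/*"):
        try:
            target = os.readlink(fd)
        except OSError:
            continue  # process exited or permission denied; skip it
        m = re.fullmatch(r"socket:\[(\d+)\]", target)
        if m and int(m.group(1)) in inodes:
            owners.setdefault(int(m.group(1)), []).append(int(fd.split("/")[-3]))
    return owners


def hunt(table_text: str, proc_root: str = "/proc") -> dict[int, list[int]]:
    """Return {inode: [pids]} for every suspicious raw packet socket in the table."""
    flagged = {s.inode for s in parse_proc_net_packet(table_text) if suspicious(s)}
    return {ino: inode_owners({ino}, proc_root).get(ino, []) for ino in flagged}


# Constructed sample: one socket sniffing ETH_P_ALL everywhere, one ordinary IPv4 capture.
SAMPLE = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c 3      3    0003   0     1 0      0      48271
ffff9a2d 3      3    0800   2     1 0      1000   48290
"""
```

On a live host, pass the contents of /proc/net/packet to hunt() as root and review any PID it returns against the expected monitoring tools on that server.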
◇ BPF door is a method frequently used by Chinese hackers… “Used in hacking for years”
According to the security industry on the 19th, the BPF door method was first disclosed in a 2021 PwC report. The report mentioned that Chinese hacker groups such as 'Redmen' have been using the BPF door method for hacking over the years. It also explained that 'Redmen' is known to have targeted various companies in the telecommunications, logistics, and education sectors in the Middle East and Asia.
Global security company Trend Micro also reported that 'Redmen' has been using the BPF door for cyber espionage activities targeting the telecommunications, finance, and distribution industries in Asia and the Middle East, including Korea, Hong Kong, Myanmar, Malaysia, and Egypt.
According to The Wall Street Journal (WSJ), it is estimated that China's information collection and security workforce could reach up to 600,000. Some Chinese hackers are reported to receive government support.
WSJ revealed that Chinese cyber officials alluded to hacking of key civilian infrastructure such as U.S. ports and airport telecom companies during negotiations with the United States in China and Switzerland in December last year, suggesting it was a consequence of the U.S.'s military support to Taiwan.
◇ SK Telecom hacking also a Chinese act?… “Must keep all possibilities open”
The perpetrator of the current SK Telecom hacking incident has not been identified, but given the use of the BPF door method, it is possible that it is the work of a Chinese hacker group.
Telecommunication companies are attractive targets for hackers seeking to extract large amounts of information. According to the global security corporation Cybereason, hackers attack telecom companies to gather information through long-term, precise tracking. Cybereason explained that 'Collecting specific individuals' communication metadata (call counterpart, timing, frequency, location information) allows an understanding of personal behavior patterns and social relationships.'
There have already been several attempts to attack Korean telecom companies. In a report last month, Trend Micro named China's Advanced Persistent Threat (APT) group Redmen as the hidden controller behind the BPF door. Trend Micro stated that domestic telecom companies were attacked using BPF door on two occasions, in July and December last year.
Yeom Heung-yeol, professor emeritus of information protection studies at Soonchunhyang University, said, “It is true that China is known to frequently use the BPF door.” However, he added that it is premature to immediately identify the perpetrator, since “many hacking activities are also seen in North Korea, Russia, or Romania.”
Park Chunsik, a professor at Ajou University's Department of Cyber Security, said, “Since the BPF door method is open-source, it is difficult to definitively label China as the hacker while investigation agencies and joint civilian-government investigation teams are still studying the incident.”
◇ Continuous attacks on U.S. allies… “Discussion on cyber sovereignty needed”
It is known that Chinese hackers undertake crimes to send political messages to hostile nations. Amid intensifying U.S.-China conflict, there is analysis that Korea, as a prominent ally of the U.S., has been targeted. The security industry expects attacks from China on U.S. allies like Korea, Japan, and Australia to continue.
The U.S. government is already utilizing national agencies such as the FBI and CISA (Cybersecurity and Infrastructure Security Agency) to formulate countermeasures. Laurel Lee, a member of the United States House Homeland Security Committee, introduced the 'Cyber Resilience Act Against State-Sponsored Threats,' stating it would help confront threats from China to America's critical infrastructure. In March of this year, U.S. federal authorities also launched a large-scale investigation into Chinese telecommunications equipment companies, including Huawei.
There is a growing opinion that the Korean government should scrutinize the overall information security industry in response to national-level cybercrime threats. A security industry official said, “It would be good if the SK Telecom incident serves as an opportunity to draw national attention to the information protection industry.”
Professor Park said, “Discussion on cyber sovereignty is necessary,” and noted, “The current security industry has low salary levels, causing capable students to avoid it. If sustained attacks at a national level are confirmed, it is important to grow the security industry.” Professor Yeom commented, “The government should consider its appropriate role so that corporations can maintain robust information security check systems independently.”