Choi Woo-hyuk, the Director of Cybersecurity Network Policy at the Ministry of Science and ICT, conducts a briefing on the second announcement of the joint governmental and private sector investigation results related to the SK Telecom incident at the Government Seoul Building in Jongno-gu, Seoul, on the 19th. / Courtesy of Yonhap News

SK Telecom appears to have been unaware of hacking attack attempts for about three years. The types of malware used in the attacks and the infected servers were counted at 25 types and 23 servers, respectively. However, the Ministry of Science and ICT noted that 'the level of risk has not increased.'

The public-private joint investigation team investigating the SK Telecom hacking incident held a briefing at the Government Seoul Complex on the 19th and announced the second results. The point at which hacking attacks targeting SK Telecom's servers began was identified as June 15, 2022. SK Telecom reported the breach to the Korea Internet & Security Agency (KISA) on April 22 this year. Choi Woo-hyuk, who heads the public-private joint investigation team and serves as the Director of Information Security and Network Policy at the Ministry of Science and ICT, said, 'SK Telecom became aware of the (servers being infected with malware) after the incident.'

The total number of types of malware used in the attacks was 25 (24 types from the BPFDoor family and 1 web shell), and the total number of infected servers was counted at 23. This figure represents an increase of 21 types and 18 servers from the first results previously announced by the public-private joint investigation team. Among these, forensic and detailed analysis has been completed for 15 servers, while detailed investigations for the remaining 8 servers are still ongoing.

Lee Dong-geun, head of the KISA Digital Threat Response Headquarters, said, 'The additionally discovered malware web shell was for the initial penetration purpose,' and added, 'At this point, there have been no confirmed leaks, and there are no signs that the risk of a security incident has suddenly increased due to the additional discoveries of types of malware and an increase in the number of servers.'

Graphic = Son Min-kyun

The confirmed scale of user identification module (USIM) information verified as externally leaked from SK Telecom's servers is 9.82 gigabytes (GB), which corresponds to 26,957,749 entries based on the subscriber identification key (IMSI). The infected servers were also confirmed to contain subscriber personal information, such as device-specific identification numbers (IMEI), names, birth dates, phone numbers, and emails. This personal information was stored in plaintext, without any separate encryption.

The 291,831 entries of IMEI information stored on the infected servers have been confirmed to not have been leaked between December 3 of last year and April 24 of this year. However, there are no log records remaining from June 15, 2022, the point when the malware was first installed, to December 2 of last year, making it impossible to accurately verify whether a leak occurred.

The Deputy Minister explained that 'it is very difficult to make a judgment realistically without logs' and noted that 'we are conducting various reviews based on multiple scenarios.' The investigation team plans to examine the potential for IMEI and personal information leaks during the log-less period through further detailed forensic work. There has been no indication that the hackers deleted the log records. SK Telecom's retention of logs for only about four months, and its failure to encrypt the leaked personal information, will be assessed by the Personal Information Protection Commission in the future.

Immediately following the SK Telecom cybersecurity breach, concerns were raised about 'SIM swapping,' in which leaked information is combined to clone USIMs that are then used illegally in other mobile phones. The first investigation indicated that IMEI information had not been leaked, leading to a relatively low assessment of the possibility of security incidents involving 'cloned USIMs.' However, the current investigation results indicate that it cannot be conclusively stated that IMEI information was not leaked.

Ryu Je-myung, director of the Network Policy Office at the Ministry of Science and ICT, said they confirmed with manufacturers that 'cloning a smartphone is impossible with only a 15-digit IMEI value' and stated, 'We believe that even if the security enhancement work is completed by SK Telecom, creating an environment for SIM cloning is physically impossible.'

SK Telecom announced that it has upgraded its abnormal authentication blocking system (FDS) to the highest level for operation. This is regarded as a follow-up measure in response to the raised possibility of IMEI leaks.