SK Telecom stated that even though the malware infection of its servers through hacking attacks began about three years ago, there was no 'information leakage.' It explained that despite not being aware of the hacking attacks themselves during this period, its review of internal records found no evidence of information leakage. There is no additional information theft beyond the confirmed external leakage of 9.82 gigabytes (GB) of subscriber information, specifically 26,957,749 cases based on the subscriber identification key (IMSI).
On the 19th, SK Telecom held a daily briefing related to the hacking incident at the Samhwa Tower in Jung-gu, Seoul, stating, 'If illegal duplication of USIM (subscriber identification module) and devices occurs, we will take 100% responsibility.'
Earlier that morning, the public-private joint investigation team investigating the SK Telecom hacking incident held a briefing at the Government Seoul Building and announced its second set of results. A total of 25 types of malware were used in the attacks (24 types from the BPFDoor family and 1 type of web shell), and the total number of infected servers was recorded as 23. This is an increase of 21 types and 18 servers compared to the initial results previously announced by the joint investigation team. Additionally, it was confirmed that the infected servers contained subscriber personal information, including device unique identification numbers (IMEI), names, dates of birth, phone numbers, and emails.
The 291,831 cases of IMEI information stored on the infected servers were confirmed not to have been leaked from December 3 of last year to April 24 of this year. However, there are no log records from June 15, 2022, when the malware was first installed, to December 2 of last year, making it difficult to verify whether any leakage occurred.
In this context, Ryu Jeong-hwan, head of the network infrastructure center at SK Telecom, said, 'There was no leakage.' He noted, 'We are maintaining three systems: integrated security monitoring, network detection and response (NDR), and firewalls between servers, and after reviewing all available past records, we found no evidence of any leakage.'
Ryu also stated, 'The damage cases were confirmed with investigative agencies since June 2022 regarding illegal USIM and device duplication incidents related to SK Telecom, but it was confirmed that there were no relevant issues,' adding that 'we reviewed all records that could be examined, including illegal duplication customer reports received by SK Telecom.' Even during the period when it was difficult to confirm information leakage due to the lack of log records after the malware was installed, he expressed confidence that 'there was no information leakage.' He further stated, 'If damage occurs due to this incident, SK Telecom will take responsibility.'
Regarding the 291,831 cases of IMEI information stored on the infected servers, he said, 'It has not been leaked, and even if it were leaked, the abnormal authentication blocking system (FDS) and smartphone duplication are being prevented.' The company is operating the FDS at the highest level. The FDS is a technology that detects and blocks various abnormal authentication attempts, including illegally duplicated USIM authentication, in real time over the communication network.
Ryu Je-myeong, head of the network policy department at the Ministry of Science and ICT, also stated that 'it has been confirmed from manufacturers that it is impossible to duplicate smartphones with just a 15-digit IMEI value,' adding that 'SK Telecom has completed its security enhancement work, so even if a USIM duplication environment is created, SIM swapping is considered physically impossible.' SIM swapping refers to the crime of combining leaked USIM information to duplicate a USIM and inserting it into another mobile phone to conduct illegal activities.