Investigation Reveals Nearly 27 Million Records Stolen, 28 Servers Breached in SK Telecom Attack
July 15, 2025
Follow-up investigation by the Ministry of Science and ICT found that some 28 Linux servers were compromised during this extended campaign with about 26.96 million subscriber identity records stolen.
For about three years, a threat actor was quietly deploying malware across the servers of South Korea’s largest mobile carrier without being detected. As the breach has come into focus with a public disclosure from SK Telecom and a follow-up investigation by the national Ministry of Science and ICT, we have learned that some 28 Linux servers were compromised during this extended campaign with about 26.96 million subscriber identity records stolen.
The investigation has identified weak credentials, including passwords stored in plaintext and administrative logins not rotated for years, and failure to encrypt critical data as the root causes of the breach. While there have been no confirmed cases of abuse, the information that was stolen put nearly the entirety of the telecom’s customer base at risk of SIM swap and cloning attacks.
Breach involved most SK Telecom customers, and about half the national population
Given that the company has an estimated 31 to 32 million customers, the breach ultimately threatened the vast majority of SK Telecom’s user base. While the company was criticized and took regulatory heat for not disclosing the incident within the required 72-hour window, it was also able to supply impacted users with free SIM card changes and subscription to a specialized SIM protection service as an apparently effective remediation method.
Though the damage was almost miraculously low considering the severity and extended breach window, the incident was one of the largest in national history by compromised user record count and was a serious threat to critical infrastructure. The attackers deployed malware on the compromised Linux servers that gathered 25 types of user data including their phone numbers connected with subscriber identification numbers (IMSI), and SIM authentication keys.
Serious security failings led to record-setting breach
The government’s follow-up investigation found that cybersecurity negligence by SK Telecom was the central problem. These failings range from weak credentials to poor protection of secrets to failure to apply patches for critical vulnerabilities in a timely manner.
Poor authentication management policies appear to have been at the root of the initial breach, which is thought to have taken place in June 2022 when the attackers were able to install a web shell and the sophisticated Berkeley Packet Filter backdoor (BPFdoor) malware to create a persistent entry point. Once inside, the attackers reportedly had no problems expanding their access. They came across some thousands of server credentials stored in plaintext in areas not protected by additional authentication, providing access to a total of 2,365 servers.
The company was also taken to task for seemingly noticing that there was a potential breach not long after the initial landfall in 2022, but failing to actually address the issue in a meaningful way. It was dinged by regulators for ignoring intrusion detection logs and failing to apply patches to critical vulnerabilities, the most damning of which was a 2016 flaw that had long been exploited in the wild prior to this attack.