Full Report
In April, South Korea’s telco giant SK Telecom (SKT) was hit by a cyberattack that led to the theft of personal data on approximately 23 million customers, equivalent to almost half of the country’s 52 million residents. At a National Assembly hearing in Seoul on Thursday, SKT chief executive Young-sang Ryu said about 250,000 users […]
Analysis Summary
# Incident Report: SK Telecom Massive Customer Data Exfiltration
## Executive Summary
South Korea's largest telecommunications provider, SK Telecom (SKT), suffered a severe cyberattack resulting in the theft of personal data belonging to approximately 23 million customers (nearly half of South Korea's population). The incident, which began around April 18, 2025, involved the compromise of the Home Subscriber Server (HSS) and the exfiltration of sensitive data, including USIM authentication keys. Response efforts included immediate system isolation, public disclosure, free SIM replacements, and a joint investigation, though customer churn has already begun.
## Incident Details
- Discovery Date: April 18, 2025 (abnormal activity detected); April 19, 2025 (data breach in the HSS confirmed)
- Incident Date: Attack likely began on or around April 18, 2025
- Affected Organization: SK Telecom (SKT)
- Sector: Telecommunications
- Geography: Seoul, South Korea
## Timeline of Events
### Initial Access
- **Date/Time:** April 18, 2025, 11:20 pm (Local Time)
- **Vector:** Suspected exploitation of Ivanti VPN equipment vulnerabilities (implied by subsequent media reports linking the breach to China-backed hackers targeting Ivanti systems).
- **Details:** SKT detected abnormal activities, including unusual logs and signs of file deletion on equipment monitoring and managing customer billing information (data usage, call durations).
### Lateral Movement
- **Details:** Attackers successfully accessed the Home Subscriber Server (HSS) in Seoul, which houses subscriber information, authentication, authorization, location, and mobility details. An additional eight types of malware were discovered later by investigators, suggesting sustained presence.
### Data Exfiltration/Impact
- **Details:** Exfiltration from the HSS included 25 different types of personal information, critically including: mobile phone numbers, unique identifiers (IMSI numbers), **USIM authentication keys**, and other USIM-related data. This places customers at higher risk of SIM swapping attacks.
### Detection & Response
- **How it was discovered:** Abnormal activities detected on April 18, leading to the identification of a data breach on April 19 within the HSS.
- **Response actions taken:**
  - **April 19:** Isolated the affected device and began an internal investigation.
  - **April 20:** Reported the incident to Korea's cybersecurity agency (KISA).
  - **April 22:** Publicly confirmed a "potential" data breach involving USIM-related data.
  - **April 28 onwards:** Began replacing millions of SIM cards, facing initial shortages.
  - **April 30:** South Korean police launched an official investigation into the attack.
  - **By May 7:** All eligible users (excluding roaming customers) were signed up for the newly developed SIM protection service, and a fraud detection system was implemented.
## Attack Methodology
*Note: Specific TTPs are not fully detailed in the source reporting; the mapping below is inferred from the system access and data theft that were described.*
- **Initial Access:** Likely exploitation of an Internet-facing vulnerability (suggested link to Ivanti VPN).
- **Persistence:** Presence of at least 12 distinct malware strains (initial 4 plus 8 later discovered).
- **Privilege Escalation:** Presumably required to reach the Home Subscriber Server (HSS) from the initially compromised equipment; techniques unknown.
- **Defense Evasion:** Unknown, but successful in exfiltrating critical data.
- **Credential Access:** Not explicitly stated, but access to authentication keys implies compromise of authentication infrastructure.
- **Discovery:** Unknown.
- **Lateral Movement:** Gained access from monitoring equipment to the critical HSS database.
- **Collection:** Targeted HSS databases containing PII, authentication keys, and USIM data.
- **Exfiltration:** Specific methods of exfiltration unknown, but data was successfully removed from the HSS.
- **Impact:** Exposure of 23 million customer records, significantly increasing SIM swap risk.
## Impact Assessment
- **Financial:** SKT CEO estimates potential loss of up to **$5 billion (₩7 trillion)** over three years if the company waives contract cancellation fees for departing customers.
- **Data Breach:** ~**23 million customers** affected. Data included mobile phone numbers, IMSI numbers, **USIM authentication keys**, and other USIM data.
- **Operational:** Initial disruption cited due to SIM card shortages preventing immediate replacements. Ongoing risk of customer attrition (250,000 users already switched).
- **Reputational:** Declared the "most severe security breach" in company history. Public apology issued by SK Group Chairman.
## Indicators of Compromise
*Note: No specific IOCs (hashes, domains, IP addresses) were published; the indicators below describe the nature of the compromise rather than concrete artifacts.*
- **Network indicators:** Communication with attacker infrastructure post-compromise (Undisclosed).
- **File indicators:** At least 12 distinct malware strains identified on the network components.
- **Behavioral indicators:** File deletion on monitoring/billing equipment (April 18); Unusual logs indicating unauthorized database access.
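As an added illustration, not taken from SKT's report or the original article, the following Python script applies the two behavioral indicators above to constructed audit-log lines: it flags log-file deletions on billing-monitoring hosts by anything other than an assumed log-rotation identity, flags reads of an assumed HSS authentication-key table from sources outside an allowlist or above a bulk-row threshold, and correlates the two by user within a 30-minute window. The log format, host names, addresses, table name, user names and thresholds are all hypothetical.

```python
"""Behavioral detection for the two indicator classes named in the report:
file deletion on billing/monitoring equipment and unauthorized HSS database access.
Added example with a hypothetical key=value audit-log format; not SKT's tooling."""
import re
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

KV_RE = re.compile(r"(\w+)=(\S+)")        # key=value tokens following the timestamp

MONITORED_ROLES = {"billing-monitor"}      # host role matching the report's first indicator
LEGIT_DELETERS = {"logrotate"}             # assumed benign identity that removes rotated logs
HSS_KEY_TABLE = "subscriber_auth"          # assumed table holding USIM authentication keys
HSS_ALLOWED_SOURCES = {"10.0.5.10"}        # constructed address of the HSS application tier
BULK_ROW_THRESHOLD = 1000                  # rows per query above which a read counts as bulk
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample log lines (hypothetical format and values).
SAMPLE_LOGS = """\
2025-04-18T23:20:05 host=bill-mon-01 role=billing-monitor event=file_delete user=svc_ops path=/var/log/audit/audit.log.1
2025-04-18T23:20:07 host=bill-mon-01 role=billing-monitor event=file_delete user=svc_ops path=/var/log/secure
2025-04-18T23:21:10 host=hss-db-02 role=hss event=db_query user=svc_ops src=10.7.1.45 table=subscriber_auth rows=250000
2025-04-19T02:00:00 host=bill-mon-01 role=billing-monitor event=file_delete user=logrotate path=/var/log/messages.4.gz
2025-04-19T09:15:00 host=hss-db-02 role=hss event=db_query user=hss_app src=10.0.5.10 table=subscriber_auth rows=1
2025-04-19T10:02:33 host=hss-db-02 role=hss event=db_query user=dba_kim src=10.0.9.8 table=subscriber_auth rows=3000
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split '<iso-timestamp> k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    ev = dict(KV_RE.findall(rest))
    ev["ts"] = ts
    return ev


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the alert names an event triggers (possibly several, possibly none)."""
    alerts: List[str] = []
    # Indicator 1: log deletion on billing/monitoring equipment by a non-rotation identity.
    if ev.get("event") == "file_delete" and ev.get("role") in MONITORED_ROLES:
        if ev.get("user") not in LEGIT_DELETERS and ev.get("path", "").startswith("/var/log/"):
            alerts.append("log_tampering")
    # Indicator 2: reads of the HSS key table from outside the application tier, or in bulk.
    if ev.get("event") == "db_query" and ev.get("role") == "hss" and ev.get("table") == HSS_KEY_TABLE:
        if ev.get("src") not in HSS_ALLOWED_SOURCES:
            alerts.append("unauthorized_hss_access")
        if int(ev.get("rows", "0")) >= BULK_ROW_THRESHOLD:
            alerts.append("bulk_key_read")
    return alerts


def scan(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Run classify() over every line; yields (timestamp, host, user, alert) tuples."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for alert in classify(ev):
            findings.append((ev["ts"], ev.get("host", "?"), ev.get("user", "?"), alert))
    return findings


def correlate(findings: List[Tuple[str, str, str, str]]) -> List[str]:
    """Users who tampered with logs and then reached the HSS key table within the window."""
    tamper = [(datetime.fromisoformat(f[0]), f[2]) for f in findings if f[3] == "log_tampering"]
    hss = [(datetime.fromisoformat(f[0]), f[2]) for f in findings if f[3] == "unauthorized_hss_access"]
    flagged = set()
    for t_ts, t_user in tamper:
        for h_ts, h_user in hss:
            if t_user == h_user and timedelta(0) <= h_ts - t_ts <= CORRELATION_WINDOW:
                flagged.add(t_user)
    return sorted(flagged)


def summarize(findings: List[Tuple[str, str, str, str]]) -> Dict[str, int]:
    """Count findings per alert name."""
    return dict(Counter(f[3] for f in findings))


if __name__ == "__main__":
    found = scan(SAMPLE_LOGS)
    for ts, host, user, alert in found:
        print(f"{ts} {host} {user}: {alert}")
    print("summary:", summarize(found))
    print("log tampering followed by HSS key-table access:", correlate(found))
```

The correlation step is the part worth copying: either indicator alone produces noise (operators do delete logs, DBAs do query tables), but the same identity erasing logs on monitoring equipment and then reading the authentication-key table minutes later is the sequence this report describes, and it deserves a high-severity alert on its own.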
## Response Actions
- **Containment measures:** Immediate isolation of the affected device/server exhibiting data leakage on April 19. Deployment of a new SIM protection service and a fraud detection system across the subscriber base by May 7.
- **Eradication steps:** Replacement of USIM cards for all affected users. Investigation focusing on the 12 identified malware strains.
- **Recovery actions:** Working to fulfill the promise of free SIM card replacements. Processing customer contract cancellations/transfers.
## Lessons Learned
- The concentration of highly sensitive data (including authentication keys) in the Home Subscriber Server created a single high-value target whose compromise was catastrophic.
- Reliance on third-party access infrastructure (such as the potentially exploited Ivanti VPN) remains a critical weakness exploited by sophisticated actors.
- Initial response speed regarding customer compensation (cancellation fee waivers) directly impacts customer retention and long-term financial damage.
## Recommendations
- Immediately decommission and replace any potentially affected network entry points, prioritizing the review and replacement of all Ivanti VPN installations globally, as advised by KISA.
- Conduct a comprehensive audit of the HSS architecture to ensure the principle of least privilege is strictly enforced and that authentication keys are segmented from other PII databases.
- Develop and stock contingency inventory for critical security hardware (e.g., USIM cards) to ensure rapid containment and remediation efforts can proceed without logistical bottlenecks.