Full Report
SK Telecom says that a recently disclosed cybersecurity incident in April first occurred all the way back in 2022, ultimately exposing the USIM data of 27 million subscribers. [...]
Analysis Summary
# Incident Report: SK Telecom Malware Breach (3-Year Intrusion)
## Executive Summary
SK Telecom suffered a highly persistent malware infection that went undetected for nearly three years, beginning in June 2022. The incident ultimately impacted the data associated with approximately 27 million customer phone numbers, with 25 distinct malware types found across 23 compromised servers. Response actions included blocking malicious activity and offering customer support such as SIM replacements, but significant uncertainty remains about any data exfiltration that occurred before detailed logging was introduced in late 2024.
## Incident Details
- Discovery Date: Not explicitly stated, but detailed logging began December 3, 2024, suggesting the extent became clear around or just prior to this date.
- Incident Date: Initial infection occurred around June 15, 2022.
- Affected Organization: SK Telecom
- Sector: Telecommunications
- Geography: South Korea (Implied by organization name and regulatory body reference)
## Timeline of Events
### Initial Access
- Date/Time: June 15, 2022 (approximate)
- Vector: Initial web shell infection reported by the investigation team.
- Details: Attackers established a beachhead via a web shell on one or more Linux servers.
### Lateral Movement
- Details: Attackers maintained presence across the environment, introducing multiple payloads across 23 distinct servers over the three-year period.
### Data Exfiltration/Impact
- Details: The government committee found 25 data types compromised. An investigation team noted that 15 infected servers contained personal customer information, including 291,831 IMEI numbers (though SK Telecom explicitly denied this aspect in its statement). The scope ultimately affected nearly 27 million customer numbers.
### Detection & Response
- Date/Time: Logging activity on impacted servers began December 3, 2024.
- Details: The true extent of the compromise became known only after this logging was implemented. Response actions included blocking unauthorized USIM and device changes and providing SIM card replacements to affected subscribers.
## Attack Methodology
- Initial Access: Web shell infection.
- Persistence: Maintained access over nearly three years by introducing various malware types (25 distinct types identified).
- Privilege Escalation: Not detailed.
- Defense Evasion: The extended period of stealth (nearly three years) indicates that the malware successfully evaded the detection mechanisms in place for the entire duration.
- Credential Access: Not detailed.
- Discovery: Not detailed, but the attackers must have located the servers holding key customer data (such as IMEI numbers) in order to reach it.
- Lateral Movement: Across 23 compromised Linux servers.
- Collection: Gathered 25 data types, potentially including customer PII/IMEI numbers.
- Exfiltration: Not explicitly confirmed by SK Telecom, but exfiltration may have occurred undetected between June 2022 and December 2024, because logging was absent during that window.
- Impact: Massive customer data exposure affecting ~27 million mobile numbers.
## Impact Assessment
- Financial: Not publicly disclosed, but significant costs associated with remediation, customer notification, and potential liability. SK Telecom committed to 100% responsibility for damages.
- Data Breach: Data related to 26.95 million customers impacted. Potentially included sensitive personal information, including 291,831 IMEI numbers if the investigation team's findings hold true.
- Operational: SK Telecom announced it would stop accepting new subscribers temporarily while managing the fallout.
- Reputational: Significant negative impact due to the multi-year duration of the undetected breach.
## Indicators of Compromise
*Note: Specific IoCs were not provided in the text, only generalized descriptions.*
- Network indicators: Unknown (No IPs/URLs provided).
- File indicators: 25 distinct types of malware payloads found across 23 servers.
- Behavioral indicators: Persistent C2 communication/data staging over three years; modification of core server environments; unauthorized introduction of web shells.
## Response Actions
- Containment: Technical controls ensuring that unauthorized USIM and device changes are completely blocked.
- Eradication: Not explicitly detailed, but implied as part of remediation following discovery and logging implementation.
- Recovery: Providing affected subscribers with SIM card replacements and automatically activating elevated security measures on accounts.
## Lessons Learned
- Detection Delay: The most critical failure was the evasion that allowed malware to remain undetected for nearly three years.
- Visibility Gap: The absence of comprehensive logging on critical Linux servers (until December 2024) created a massive blind spot, making it impossible to reconstruct the initial access or the data exfiltration windows.
- Initial Scope Underestimated: The eventual finding of 25 malware types and 23 compromised servers showed that the initial scope assessment was significantly too low.
## Recommendations
- Immediately implement comprehensive, centralized logging (including audit trails) across all production Linux servers, ensuring logs are immutable and retained for a period exceeding the suspected intrusion window.
- Conduct a thorough, deep-dive forensic examination covering the entire period since the initial 2022 infection to reconstruct, as far as the surviving evidence allows, what was exfiltrated and when.
- Review and aggressively harden internet-facing systems (such as web servers), which are the primary entry points for web shell attacks.
- Verify the integrity of customer data (specifically IMEI numbers) on all compromised and potentially compromised servers immediately.