SK Telecom reveals malware intrusion that remained hidden for nearly two years, led to the leaking of 26.69…
# Incident Report: SK Telecom Two-Year Malware Infection and IMSI Data Leak
## Executive Summary
SK Telecom disclosed a malware infection of its network that went undetected for nearly two years and led to the confirmed leak of roughly 26 million International Mobile Subscriber Identity (IMSI) records. The company found the intrusion itself. A dwell time of that length means the malware survived routine operations, patch cycles and existing monitoring without raising an alert, so the incident is both a large-scale exposure of subscriber identifiers and a detection failure affecting a significant portion of the user base.
## Incident Details
- **Discovery Date:** Not stated in the source; the malware had been active for nearly two years before it was found.
- **Incident Date:** Activity spanned roughly two years before the May 2025 publication date.
- **Affected Organization:** SK Telecom
- **Sector:** Telecommunications
- **Geography:** South Korea (SK Telecom is a South Korean mobile carrier; the source does not state the location explicitly).
## Timeline of Events
### Initial Access
- **Date/Time:** Approximately two years before May 2025.
- **Vector:** Malware infection; the initial entry point is not described in the source.
- **Details:** The threat actor kept access for the whole period, which points to a quiet, long-term compromise rather than a smash-and-grab.
### Lateral Movement
- Details regarding specific lateral movement techniques are **not mentioned** in the source material.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Approximately 26 million IMSI records were exfiltrated during the two-year infection window. The source does not say whether the data left in one batch or continuously.
### Detection & Response
- **How it was discovered:** SK Telecom uncovered the two-year malware attack internally.
- **Response actions taken:** Response details are **not specified** in the source material, beyond the discovery being made.
## Attack Methodology
- **Initial Access:** Malware deployment; the delivery method is not described.
- **Persistence:** Not detailed. Whatever mechanism was used survived reboots, patch cycles and routine monitoring for two years.
- **Privilege Escalation:** Unknown.
- **Defense Evasion:** Not detailed. The malware did not trip the controls in place for two years, so it either blended into normal traffic and process activity or ran where no telemetry was collected.
- **Credential Access:** Unknown.
- **Discovery:** Unknown.
- **Lateral Movement:** Unknown.
- **Collection:** Targeted collection of subscriber data, specifically IMSI records.
- **Exfiltration:** Successful exfiltration of 26 million IMSI records.
- **Impact:** Significant mass data leak impacting user privacy identifiers.
## Impact Assessment
- **Financial:** Not reported. Regulatory penalties, investigation and subscriber remediation costs are plausible but are not stated in the source.
- **Data Breach:** About 26 million IMSI records. The IMSI is the permanent subscriber identity programmed into the SIM/USIM and held in the operator's subscriber database; it is the key under which the network looks up the subscriber's authentication key. An IMSI on its own does not contain that key, so the leak does not by itself allow SIM cloning, but it is a stable identifier that lets an attacker single out and track a specific subscriber (for example, when that subscriber's device attaches to a rogue base station) and raises the stakes if authentication key material was also exposed, which the source does not report.
- **Operational:** Not reported. No service disruption is mentioned for the two-year window, and post-discovery measures such as subscriber notification or SIM reissue are not described.
- **Reputational:** Significant due to the high volume of PII-related data exposed over a long period.
## Indicators of Compromise
- The source provides no IoCs (no hashes, domains, IP addresses or malware family names). The items below are the categories a responder would hunt for, not indicators taken from this incident.
- **Network indicators:** Not available from the source.
- **File indicators:** Not available from the source.
- **Behavioral indicators (generic):** sustained, low-volume egress to a fixed external destination over many months; regular beaconing from hosts that can read subscriber records; bulk reads of subscriber-identity tables by accounts or processes that normally do not perform them.
## Response Actions
- **Containment measures:** Not described in the source. Standard practice would be to isolate the infected hosts and block the egress path.
- **Eradication steps:** Not described in the source. Standard practice would be to identify every instance of the implant and its persistence mechanism before rebuilding affected systems.
- **Recovery actions:** Not described in the source. Subscriber notification and an audit of systems holding subscriber identities would be expected.
## Lessons Learned
- The primary lesson is that existing monitoring tools and processes failed to detect a sustained intrusion for two years; dwell time, not just initial entry, is what turned this into a mass leak.
- A malware implant can hold a long-term, undetected foothold inside a major telecommunications operator's environment, and systems that hold subscriber identities need monitoring proportionate to the value of that data.
## Recommendations
- Deploy endpoint detection and response (EDR) on the systems that hold or process subscriber records, tuned for low-and-slow activity (rare process launches, scheduled tasks, long-lived connections) rather than only for noisy malware.
- Run network anomaly detection over long baselines (months, not days), looking specifically for persistent, periodic egress from internal hosts to a stable external destination; per-flow volumes can be small while the cumulative transfer is large.
- Conduct regular, in-depth audits of persistence mechanisms (services, scheduled jobs, startup entries, modified system binaries) and living-off-the-land use of legitimate tools on critical subscriber-data systems.
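The periodic-egress check in the recommendations above, as an added example that is not part of the original report and not SK Telecom's tooling. It runs over constructed flow summaries (timestamp, source, destination, bytes out) for two internal hosts: one with ordinary bursty traffic and one that uploads a small file to the same external address every night for the whole window. The thresholds (`min_days`, `max_gap_cv`, `max_mean_bytes`) and all addresses are assumptions chosen for the sample; the 90-day window stands in for the multi-month baseline the recommendation calls for.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
import random


def build_sample_flows(days=90, seed=7):
    """Constructed sample data (not real telemetry).

    Returns a list of (utc_timestamp, src_ip, dst_ip, bytes_out) records.
    """
    rng = random.Random(seed)
    start = datetime(2024, 1, 1)
    flows = []
    # Ordinary host: several irregularly timed, variably sized flows per day
    # to a couple of destinations.
    for d in range(days):
        for _ in range(rng.randint(3, 12)):
            ts = start + timedelta(days=d, seconds=rng.randint(0, 86399))
            dst = rng.choice(["203.0.113.10", "198.51.100.7"])
            flows.append((ts, "10.20.1.15", dst, rng.randint(2_000, 900_000)))
    # Hypothetical compromised host: one small upload to a fixed external
    # address at about 02:00 every night, with two minutes of jitter.
    for d in range(days):
        ts = start + timedelta(days=d, hours=2, seconds=rng.randint(-120, 120))
        flows.append((ts, "10.20.1.42", "192.0.2.77", rng.randint(40_000, 60_000)))
    return flows


def summarize_pairs(flows):
    """Per (src, dst) pair: activity span, timing regularity and size stats."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))

    summaries = {}
    for pair, recs in by_pair.items():
        recs.sort()
        times = [r[0] for r in recs]
        sizes = [r[1] for r in recs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Coefficient of variation of inter-flow gaps: near 0 means a
        # clock-like schedule, near or above 1 means human/bursty traffic.
        if len(gaps) >= 2 and mean(gaps) > 0:
            gap_cv = pstdev(gaps) / mean(gaps)
        else:
            gap_cv = float("inf")
        summaries[pair] = {
            "flows": len(recs),
            "days_active": len({t.date() for t in times}),
            "span_days": (times[-1] - times[0]).days,
            "gap_cv": gap_cv,
            "mean_bytes": mean(sizes),
            "total_bytes": sum(sizes),
        }
    return summaries


def detect_low_and_slow_egress(flows, min_days=60, max_gap_cv=0.1,
                               max_mean_bytes=200_000):
    """Flag pairs that are long-lived, regularly timed and small per flow.

    Each condition alone is benign (backups are regular, CDNs are long-lived);
    the combination on a host with access to sensitive data is what warrants
    a look. Thresholds are assumptions for the constructed sample.
    """
    hits = []
    for pair, s in summarize_pairs(flows).items():
        if (s["days_active"] >= min_days
                and s["gap_cv"] <= max_gap_cv
                and s["mean_bytes"] <= max_mean_bytes):
            hits.append((pair, s))
    return sorted(hits, key=lambda h: h[0])


if __name__ == "__main__":
    for (src, dst), s in detect_low_and_slow_egress(build_sample_flows()):
        print(f"{src} -> {dst}: {s['days_active']} active days, "
              f"gap CV {s['gap_cv']:.4f}, {s['total_bytes']} bytes total")
```

The ordinary host fails the regularity test (its inter-flow gaps vary by orders of magnitude), while the nightly uploader passes all three and is reported with its cumulative volume, which is the figure that matters when each individual flow is too small to stand out. On a real network the baseline would be months of flow records and the candidate set would be restricted to hosts that can read subscriber data.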