Full Report
South Korea's largest mobile operator, SK Telecom, is warning that a malware infection allowed threat actors to access sensitive USIM-related information for customers. [...]
Analysis Summary
# Incident Report: SK Telecom USIM Data Exposure via Malware
## Executive Summary
SK Telecom, South Korea's largest mobile operator, announced a security incident resulting from a malware infection on its systems, which led to the exposure of customer USIM-related data. The incident occurred over a weekend; the company immediately deleted the malware and isolated the affected equipment, but the full scope of the compromise remains under investigation by authorities.
## Incident Details
- Discovery Date: April 19, 2025 (11 PM local time, Saturday)
- Incident Date: April 19, 2025 (Attack likely occurred around this time)
- Affected Organization: SK Telecom (South Korea's largest mobile network operator)
- Sector: Telecommunications
- Geography: South Korea
## Timeline of Events
### Initial Access
- Date/Time: Saturday, April 19, 2025, around 11 PM local time.
- Vector: Malware infection.
- Details: Threat actors deployed malware onto SK Telecom's systems over a weekend when staffing levels were reduced.
### Lateral Movement
- Details: Not explicitly detailed, but malware presence allowed access to sensitive USIM-related information.
### Data Exfiltration/Impact
- Details: Sensitive USIM data was accessed by threat actors. This data can include IMSI, MSISDN, authentication keys, network usage data, and possibly stored SMS or contacts.
### Detection & Response
- **Detection:** Malware detected by SK Telecom systems at 11 PM, April 19, 2025.
- **Response Actions:** The malware was immediately deleted, and the compromised equipment was isolated. The incident was reported to the Korea Internet & Security Agency (KISA) the following day, April 20, 2025, and the Personal Information Protection Commission was notified shortly after.
## Attack Methodology
- Initial Access: Malware infection.
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Implied by the successful initial malware deployment, which took place during a weekend when staffing was reduced.
- Credential Access: Not detailed, but necessary to access USIM data systems.
- Discovery: Not detailed.
- Lateral Movement: Implied by the access to USIM data across systems.
- Collection: Gathering of USIM-related customer information.
- Exfiltration: Access to and potential exfiltration of USIM data.
- Impact: Exposure of sensitive subscriber identity and communication data.
## Impact Assessment
- Financial: Not disclosed (costs associated with remediation ongoing).
- Data Breach: Sensitive USIM data exposure, including IMSI, MSISDN, authentication keys, and network usage data for an unknown number of the 34 million subscribers.
- Operational: Unspecified operational impact, though response included isolating equipment.
- Reputational: Public disclosure required via security notice and regulatory notification.
## Indicators of Compromise
- **Network indicators:** *[Specific IOCs not released in the summary.]*
- **File indicators:** Malware signature/hash *[Not detailed in the summary.]*
- **Behavioral indicators:** Abnormal activity leading to USIM database access.
## Response Actions
- **Containment measures:** Immediate deletion of the malware and isolation of the suspected hacked equipment.
- **Eradication steps:** Completed deletion of the detected malware.
- **Recovery actions:** Strengthening blocks on USIM swaps and abnormal authentication attempts; immediate service suspension for accounts linked to suspicious activity.
## Lessons Learned
- Weekend, understaffed periods remain an attractive window for threat actors.
- Critical customer identity data (USIM information) was accessible via a malware infection on internal systems.
- Robust, real-time monitoring is needed even during off-peak hours.
## Recommendations
- Implement enhanced threat hunting and monitoring protocols around authentication systems and subscriber database infrastructure, particularly during weekends or holiday periods.
- Mandate subscriber enrollment in USIM protection services or automatically enforce stronger authentication measures to mitigate the risk of SIM-swap attacks resulting from this data exposure.
- Review and harden internal patch management and endpoint security solutions to prevent successful malware execution.
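The recovery measures (blocking abnormal USIM swaps and authentication attempts, suspending accounts tied to suspicious activity) and the recommendation to monitor authentication systems during weekends and off-hours, as an added example that is not SK Telecom's own code: a rule-based screen over constructed subscriber event lines. The log format, the one-hour swap window, the attempt threshold and the off-hours definition are assumptions.

```python
"""Added example (not from SK Telecom): rule-based screening of USIM swap and
authentication events, modelled on the recovery actions in the report."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, subscriber id, event, result.
SAMPLE_LOG = """\
2025-04-19T23:05:00 sub-1001 usim_swap ok
2025-04-19T23:07:00 sub-1001 auth_attempt fail
2025-04-19T23:07:30 sub-1001 auth_attempt fail
2025-04-19T23:08:00 sub-1001 auth_attempt ok
2025-04-21T10:15:00 sub-2002 usim_swap ok
2025-04-21T14:00:00 sub-2002 auth_attempt ok
2025-04-20T02:00:00 sub-3003 usim_swap ok
"""

SWAP_WINDOW = timedelta(hours=1)   # assumed: auth activity this soon after a swap is suspicious
AUTH_THRESHOLD = 3                 # assumed: attempts inside the window that trigger suspension

def parse_events(text):
    """Group (timestamp, event, result) tuples by subscriber, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        ts, sub, kind, result = line.split()
        events[sub].append((datetime.fromisoformat(ts), kind, result))
    for sub in events:
        events[sub].sort()
    return events

def off_hours(ts):
    # Assumed definition: weekend (Sat=5, Sun=6) or outside 08:00-20:00 local time.
    return ts.weekday() >= 5 or not 8 <= ts.hour < 20

def classify(sub_events):
    """Return 'suspend', 'review' or 'allow' for one subscriber's events."""
    for ts, kind, _ in sub_events:
        if kind != "usim_swap":
            continue
        # Authentication attempts that follow the swap within the window.
        attempts = [t for t, k, _ in sub_events
                    if k == "auth_attempt" and ts < t <= ts + SWAP_WINDOW]
        if len(attempts) >= AUTH_THRESHOLD:
            return "suspend"          # swap followed by an auth flurry: suspend service
        if off_hours(ts):
            return "review"           # off-hours swap with no flurry: hold for analyst review
    return "allow"

def screen(text):
    """Map each subscriber in the log to the action the rules produce."""
    return {sub: classify(ev) for sub, ev in parse_events(text).items()}
```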