
SK Telecom, South Korea’s largest telecommunications provider, disclosed in April 2025 that a malware breach had persisted undetected for nearly three years, compromising the USIM data of 27 million subscribers. Forensic investigations revealed that attackers maintained persistent access through 23 infected servers hosting 25 malware variants, including BPFDoor backdoors and web shells [1]. The incident marks the country’s most significant telecom breach since the 2011 Nate/Cyworld hack.
Breach Timeline and Technical Scope
The compromise began on June 15, 2022, with malware remaining active until its discovery on April 19, 2025. Attackers exfiltrated 9.82 GB of data containing 26.7–27 million IMSI records and 291,831 IMEI numbers [2]. Forensic analysis confirmed data leaks occurred between June 2022 and December 2024, though firewall log gaps prevent full attribution. The malware infrastructure included:
| Component | Details |
|---|---|
| Infected Servers | 23 systems (initial reports indicated 5) |
| Malware Variants | 24 BPFDoor-type backdoors, 1 custom web shell |
| Data Exfiltrated | IMSI records (27M), IMEI numbers (291k) |
South Korea’s Ministry of Science and ICT noted the attackers employed multi-stage tooling: web shells for initial access and BPFDoor for long-term persistence [3]. The malware exhibited advanced evasion capabilities, including:
- Process injection to blend with legitimate SK Telecom services
- Encrypted C2 communications mimicking normal traffic
- Modular payloads that avoided signature detection
Forensic Challenges and Logging Gaps
Investigators faced significant hurdles due to missing firewall logs between June 2022 and December 2024. The only confirmed leak-free period was December 2, 2024, to April 24, 2025 [4]. This logging gap prevented definitive attribution of earlier exfiltration events. SK Telecom’s incident response team identified the compromise through anomalous outbound traffic patterns from internal monitoring systems.
BPFDoor’s persistence mechanisms included:
```ini
# Example BPFDoor persistence technique (reconstructed from analysis)
[Unit]
Description=LegitimateSKService
After=network.target

[Service]
Type=simple
ExecStart=/usr/bin/bpfdoor --config /etc/sk_conf.json
Restart=always

[Install]
WantedBy=multi-user.target
```
Regulatory and Operational Impact
The South Korean government imposed immediate restrictions on SK Telecom, including a temporary ban on new subscriber sign-ups and mandated enhancements to fraud detection systems [1]. The company initiated free SIM replacements for affected customers and implemented:
“Real-time IMSI/IMEI binding verification and hardware security module upgrades for authentication systems,” according to Chairman Chey Tae-won’s public statement.
Comparative analysis shows this breach surpasses 80% of telecom incidents in dwell time, with only the 2011 Nate/Cyworld hack (35M records) exceeding its scale in South Korea [2].
Security Recommendations
For organizations handling similar subscriber data, the following measures are advised:
- Implement immutable logging with cryptographic hashing for critical infrastructure
- Deploy network segmentation between USIM provisioning systems and general corporate networks
- Conduct regular purple team exercises targeting legacy backdoor techniques
- Monitor for BPFDoor indicators: UDP port 443 traffic and specific TLS cipher suites
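The first recommendation addresses the logging gap that hampered this investigation: if firewall records are sequence-numbered and chained with a keyed hash, a deleted window or an altered entry shows up at verification time instead of being discovered years later. The following is an added, constructed illustration of that technique, not SK Telecom's tooling; the key, the sample records and the field names are assumptions.

```python
import hashlib
import hmac
import json

# Assumed demo key; in production it would live in an HSM or on a separate log host.
SECRET = b"constructed-demo-key"
GENESIS = "0" * 64


def entry_hash(seq, prev_hash, record):
    """Keyed SHA-256 over (seq, previous hash, canonical record)."""
    payload = json.dumps({"seq": seq, "prev": prev_hash, "rec": record}, sort_keys=True).encode()
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()


def append(chain, record):
    """Append a record, binding it to the previous entry and to its sequence number."""
    seq = len(chain)
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"seq": seq, "prev": prev, "rec": dict(record), "hash": entry_hash(seq, prev, record)})
    return chain


def verify(chain):
    """Return (ok, problems); each problem names the sequence number where the chain breaks."""
    problems, prev, expected_seq = [], GENESIS, 0
    for e in chain:
        if e["seq"] != expected_seq:  # a deleted window shows up as a jump in seq
            problems.append(f"gap: expected seq {expected_seq}, found {e['seq']}")
            expected_seq = e["seq"]
        if e["prev"] != prev:  # the link to the preceding entry no longer matches
            problems.append(f"seq {e['seq']}: prev-hash mismatch")
        if not hmac.compare_digest(e["hash"], entry_hash(e["seq"], e["prev"], e["rec"])):
            problems.append(f"seq {e['seq']}: entry modified")
        prev, expected_seq = e["hash"], expected_seq + 1
    return (not problems, problems)


# Constructed sample firewall records (not real SK Telecom logs).
SAMPLE = [
    {"ts": "2022-06-15T02:11:09Z", "src": "10.10.5.21", "dst": "203.0.113.9", "proto": "udp", "dport": 443, "bytes": 1200},
    {"ts": "2022-06-15T02:11:10Z", "src": "10.10.5.21", "dst": "203.0.113.9", "proto": "tcp", "dport": 8443, "bytes": 98812},
    {"ts": "2022-06-15T02:12:00Z", "src": "10.10.5.22", "dst": "198.51.100.4", "proto": "tcp", "dport": 443, "bytes": 5120},
]


def build_chain(records=SAMPLE):
    chain = []
    for r in records:
        append(chain, r)
    return chain


def tampered_chain():
    """Simulate log tampering: drop the large-transfer record and rewrite the next one."""
    chain = build_chain()
    del chain[1]
    chain[1]["rec"]["bytes"] = 1
    return chain
```

Running `verify(tampered_chain())` reports a sequence gap, a broken link and a modified entry, which is exactly the evidence that was unavailable to the investigators here.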
The breach underscores the need for enhanced monitoring of telecommunications infrastructure, particularly given the potential for IMEI cloning and subsequent device impersonation attacks.
References
1. “SK Telecom faces regulatory action after massive data breach,” The Korea Herald, May 19, 2025.
2. “SK Telecom breach exposes 27M mobile subscribers’ data,” BleepingComputer, May 20, 2025.
3. “Forensic analysis of SK Telecom’s 3-year breach,” Daily Security Review, May 19, 2025.
4. “Industry impact of South Korea’s telecom breach,” Tech in Asia, May 18, 2025.