
SK Telecom users queue up at one of the company's stores in Seoul, Tuesday, to replace their universal subscriber identity module chips. Yonhap
A major user data breach at SK Telecom is raising serious concerns about Korea’s national cybersecurity amid growing suspicions that the attack was an act of cyberespionage rather than one motivated by financial gain.
The Ministry of Science and ICT confirmed Monday that the types of malware used in the April 18 breach on user data of SK Telecom’s 25 million consumers included BPFDoor, a backdoor malware targeting Linux servers.
Global cybersecurity experts have been warning about BPFDoor since 2022, with PricewaterhouseCoopers noting in its 2022 report that “a China-based threat actor named Red Menshen” was using BPFDoor to target “telecom providers in the Middle East and Asia, as well as entities in the government, education and logistics sectors.”
Trend Micro, a U.S.-based security firm, said in its April 14 research that BPFDoor is “a state-sponsored backdoor designed for cyberespionage activities,” and Red Menshen’s BPFDoor attacks “zero in on the telecommunications, finance and retail sectors, with attacks observed in South Korea, Hong Kong, Myanmar, Malaysia and Egypt.”
Given that the attackers behind the SK Telecom breach have not made any ransom demands, experts assume that the incident should be examined from a national security perspective.
“The United States has been reporting a series of cases where key infrastructure has been exposed to cyberattacks, mostly coordinated by China’s state-backed hacker groups,” Lim Jong-in, distinguished professor at Korea University's School of Cybersecurity and special adviser on cybersecurity to the president, told The Korea Times.
“The hackers behind the breach do not appear to have been motivated by financial gain. Rather, I believe the attack may have been part of a broader strategy by China to cause confusion and impact Korea’s readiness, viewing Seoul as a potential adversary in times of crisis.”
On May 14, Reuters reported that U.S. energy officials were reassessing the risk posed by Chinese-made power inverters connecting solar panels to electricity grids, after “rogue communication devices” were found inside some of them.
The report noted that the devices provide communication channels bypassing firewalls, which could result in catastrophic consequences, such as widespread blackouts.
In March last year, the U.S. House Committee on Homeland Security and the Select Committee on the Chinese Communist Party jointly revealed that cranes at major U.S. ports are highly vulnerable to hacking, as 80 percent of the ship-to-shore cranes at U.S. ports are built by Shanghai Zhenhua Heavy Industries Company, a Chinese state-owned military contractor.
According to the investigation, some of the cranes supplied by the company were found to contain cellular modems that had been installed without the authorization of U.S. port authorities. These devices could potentially enable remote access, allowing attackers to bypass firewalls, disrupt port operations or collect sensitive information.
Citing those cases, Lim warned that Korea is likely to remain a prime target for Chinese hacking groups, given its status as a key U.S. ally and its strategic importance in China’s emerging industries.
“Given the recent investigation revealing that the malware was first installed at SK Telecom servers three years ago, it is highly unlikely that this incident was financially motivated,” Lim said.
“The government must identify the attackers’ motives and prepare an appropriate response. Considering the U.S.' extensive experience in dealing with such threats, close cyber defense cooperation with Washington is essential."
Besides Lim, other experts argue that the SK Telecom attack was aimed at collecting communication metadata, such as call recipients, time, frequency and location, because such data can reveal an individual’s behavior patterns.
Ryu Jung-hwan, head of the network infrastructure center at SK Telecom, ruled out the possibility of breaches involving call detail records during a press briefing on Tuesday.
However, he added, “We are also investigating the possibility that the attackers had motives beyond ransom.”