Scrape Timestamp (UTC): 2025-05-20 17:12:34.124
Original Article Text
SK Telecom says malware breach lasted 3 years, impacted 27 million numbers

SK Telecom says that the cybersecurity incident it disclosed in April first occurred in 2022, ultimately exposing the USIM data of 27 million subscribers.

SK Telecom is the largest mobile network operator in South Korea, holding roughly half of the national market.

On April 19, 2025, the company detected malware on its networks and responded by isolating the equipment suspected of being hacked. The breach allowed attackers to steal data that included IMSI numbers, USIM authentication keys, network usage data, and SMS/contacts stored on the SIM.

Because this exposure increases the risk of SIM-swapping attacks, the company decided to issue SIM replacements for all subscribers while strengthening security measures to prevent unauthorized number porting.

On May 8, 2025, a government committee investigating the incident declared that the malware infection compromised 25 data types. At the time, SK Telecom announced it would stop accepting new subscribers as it struggled to manage the fallout.

In an update published yesterday, SK Telecom said it will soon notify 26.95 million customers that they are impacted by the malware infection, which exposed their sensitive data. The telecom firm says it identified 25 distinct malware types on 23 compromised servers, so the breach is far more extensive than initially anticipated.

Simultaneously, a joint public-private investigation team examining SK Telecom's 30,000 Linux servers says the initial web shell infection occurred on June 15, 2022. This means the malware went undetected in the company's systems for nearly three years, during which the attackers introduced several payloads across 23 servers.

That investigation claims that 15 of the 23 infected servers contained personal customer information, including 291,831 IMEI numbers, though SK Telecom explicitly denied this in its latest press release.
The investigation team also noted that SK Telecom only started logging activity on the impacted servers on December 3, 2024. Therefore, any data exfiltration that may have occurred between June 2022 and that date would not have been detected.

SK Telecom continues to support its subscribers with SIM card replacements and elevated security measures activated automatically to protect their accounts, reporting that any malicious attempts launched against them are being effectively blocked.

"We are technically ensuring that illegal USIM and device changes are completely blocked. However, if any damage does occur despite these efforts, we will take 100% responsibility," SK Telecom announced.

H/T - @mstoned7
Daily Brief Summary
SK Telecom, South Korea’s largest telecom operator, disclosed a malware breach impacting USIM data for 27 million subscribers, first detected on its network on April 19, 2025.
The initial infection dates back to June 15, 2022, indicating that the malware remained undetected for nearly three years.
Attackers gained access to sensitive information including IMSI numbers, USIM authentication keys, network usage data, and stored SMS/contacts, raising concerns for potential SIM-swapping attacks.
In response to the breach, SK Telecom has committed to issuing SIM card replacements for all affected subscribers and has strengthened security measures to prevent unauthorized number porting.
A recent government-led investigation revealed that 23 servers were compromised, exposing 25 different data types and identifying 25 distinct malware types within the impacted systems.
Despite SK Telecom's denial, investigators found personal customer data including 291,831 IMEI numbers on 15 of the infected servers.
SK Telecom has halted new subscriber sign-ups to manage the breach's fallout and promises to assume full responsibility for any resulting damages despite its preventive efforts.