
Malware sat undiscovered on SK Telecom servers for 3 years, with 27M user records leaked

An interim investigation confirmed that 23 SK Telecom servers were infected with malware, 18 more than the five servers identified in the initial findings

A notice outside an SK Telecom branch in Seoul on May 14, 2025, informs customers about the company's USIM Protection Service. (Yonhap)

A joint team of private and public investigators found that the malware responsible for the SK Telecom data breach was installed three years ago and compromised 27 million USIMs, a figure that exceeds SK Telecom's entire subscriber base. The new findings also raise the possibility that International Mobile Equipment Identity (IMEI) numbers, which previous announcements said were not compromised, were leaked as well.
The Ministry of Science and ICT revealed on Monday during a press conference at the government complex in Seoul that the first malware was installed on an SK Telecom server on June 15, 2022. The ministry confirmed that 9.82 gigabytes of USIM information were leaked, including about 26.9 million international mobile subscriber identity (IMSI) numbers. SK Telecom currently has 25 million subscribers, including users of mobile virtual network operators (MVNOs) that use the SK Telecom network.
Information has also emerged that appears to confirm concerns about the possible leak of IMEI numbers, which can be used to clone phones. Through a thorough analysis of the 23 hacked servers, the investigators found that two servers linked to the integrated customer authentication server stored temporary files containing 291,831 IMEI numbers.
However, the joint task force explained that the servers' firewall logs from December 3, 2024, to April 24, 2025, show no leak of IMEI data, but that there is no way to confirm whether a leak occurred between June 15, 2022, and December 2, 2024, because the log records for that period no longer exist. While the absence of those log records makes it impossible to investigate a breach, the possibility that IMEIs were leaked during this time cannot be completely ruled out.
Last month, on April 29, as SK Telecom customers visited the carrier's local branches to replace their SIM cards, the government announced that the breach had not exposed any IMEI numbers and claimed that customers would not be affected by phone cloning. With the government changing its tune less than a month later, the credibility of the investigation is likely to be questioned.
This interim investigation confirmed that 23 SK Telecom servers were infected with malware, 18 more than the five servers identified in the initial findings. Fifteen of these servers have undergone detailed forensic analysis, and the remaining eight are awaiting such analysis. A total of 25 types of malware (24 types of BPFDoor-family malicious code and one web shell) were discovered on the affected servers.
When asked whether the fifth round of investigations on the infected servers would identify additional leaked information, Ryu Je-Myung, the deputy minister of science and ICT, said: “It is difficult to give a clear answer to this question.”

By Sun Dam-Eun, Staff Reporter

Please direct questions or comments to [english@hani.co.kr]
