
Concern over SKT’s personal information and IMEI leak grows, but “phone cloning is impossible”

SKT Users Waiting to Replace SIM Cards
(Seoul=Yonhap News) Reporter Lee Seung-yeon – On the 28th, people were seen waiting outside an SK Telecom store in Seoul to replace their SIM cards. 2025.4.28 [Photo by Lee Seung-yeon]

(Seoul=Yonhap News) Reporter Cho Hyun-young – The joint public-private investigation team examining the SK Telecom cybersecurity breach has further confirmed evidence that servers storing device unique identifiers (IMEI) and personal information were attacked, increasing concerns over data leakage.

The SKT cybersecurity breach investigation team released their initial findings on March 29 and announced the second phase of results on the 19th.

In their first report, the investigation team identified four types of malware and five infected servers; on this day, they announced an additional 21 types of malware and 18 infected servers.

Notably, the newly identified infected servers were found to contain personal information provided by subscribers during registration, such as IMEI, names, birthdates, phone numbers, and email addresses.

The investigation found that the 291,831 IMEI records stored on the server were not leaked between December 3 of last year and April 24 of this year. However, according to the investigation team, no log data exists for the period from June 15, 2022, when the malware was first installed, to December 2, 2024, so it is uncertain whether data was leaked during that time.

Experts explained that if the IMEI data was leaked during the period with no log records, there is an increased risk of “SIM swapping” and other potential threats.

SIM swapping is a fraud technique where a SIM card is cloned and used in another smartphone to engage in illegal activities. As of the first investigation, it had been confirmed that IMEI data had not been leaked, which lowered the possibility of SIM swapping.

Professor Hyoung-ryul Yeom from Soonchunhyang University’s Department of Information Security stated, “If IMEI data has been leaked, the likelihood of SIM swapping attacks increases,” and added, “The effectiveness of SIM protection services could also be in question.”

However, another industry representative clarified that there hadn’t been any reported damage associated with IMEI leakage, and even if it had been leaked, cloning a smartphone would be challenging.

The representative emphasized that “Manufacturers have unique authentication values for each device, so simply using the 15-digit IMEI number cannot facilitate smartphone cloning.”

Professor Yeom also explained that financial damage from personal data leakage is unlikely with the information currently stored on the server.

However, experts agree that the more types of leaked information there are, the greater the potential for hackers to misuse it.

In addition to the previously known BPFDoor malware, a “web shell” has also been identified.

Experts clarified that a web shell is merely a method used alongside the BPFDoor technique to create a channel for hackers to access the web server, and it doesn’t necessarily introduce additional risk.

Professor Jong-in Lim from Korea University’s Graduate School of Information Security likened a web shell to a communication channel between the hacker and the internal server, adding, “It’s a characteristic of BPFDoor, not something separate.”

Some concerns were raised about focusing solely on personal data leakage in the SK Telecom hacking incident.

Professor Lim pointed out, “The purpose of this hack might not be personal data theft, as none of the stolen data has appeared on the dark web even a month after the breach. The aim could be to deploy malware on crucial national figures and infrastructures to paralyze the state in emergencies.”
