**“Telecom Companies: ‘Our Investigation Shows It’s Not a Hack, but We’ll Cooperate for Transparency’”**
**Potential Involvement of Chinese Hackers… KISA Conducting Forensic Analysis and On-site Server Investigation**
(Seoul = News1) Reporter Yoon Joo-young – The security authorities have started investigating the servers of LG Uplus (032640) and KT (030200) after internal information was reportedly leaked. The aim is to analyze the extent and path of the leaks to assess the severity of the situation.
Both companies had previously conducted their own investigations and concluded that “clear evidence of cyber intrusion was not found.” Nonetheless, they are cooperating with the on-site server investigation to dispel security concerns pervasive in the telecom industry.
According to the Korea Internet & Security Agency (KISA) on the 2nd, the Ministry of Science and ICT and KISA have been conducting an on-site server investigation with the two companies since last month. They are also receiving related data for detailed forensic analysis.
In July, KISA identified the data leak from the two telecom companies through a tip-off from a white hat hacker. The details of the leak became clearer with the release of the report “APT Down: The North Korea Files” in the global hacking journal “Phrack Magazine.”
The ongoing server investigation is on par with the ‘Public-Private Joint Task Force’ level during the SK Telecom (017670) USIM hacking incident. Under current information and communication network laws, companies must report breaches for such operations to proceed.
However, the two companies have not acknowledged breaches nor reported them to the authorities.
Park Yong-kyu, head of KISA’s Threat Analysis Division, explained, “Typically, KISA can support server investigations only if a company reports a breach,” adding, “While these two companies have not reported, they are voluntarily cooperating.”
The companies’ openness to investigation may be interpreted as an effort to demonstrate that there are no issues with their systems.
According to Phrack Magazine’s report and security industry analysis, the scope of LGU+’s data leak is extensive. Specifically, the leak included source code and databases for the internal server account privilege management system (APPM), information on 8,938 servers, and IDs and real names of 42,526 accounts including 167 employees and partners. Suspicious access records dating up to April this year have also been confirmed.
For KT, there were indications of leaked SSL keys. The certificates were valid at the time of the leak but have since expired.
There is also the possibility of leaks through authentication keys belonging to partners’ employees.
Meanwhile, the industry, including Korea University’s Graduate School of Information Security, has identified a Chinese hacker group as the potential masterminds behind the attacks. The hackers collaborated in Chinese, and their attack methods and tools are similar to those of existing Chinese organizations.
The Ministry of Science and ICT stated it would transparently disclose any confirmed breaches involving the two telecom companies.