Written by 3:46 PM Tech

SKT hacking attributed to Chinese hacker group? Targeting the world, including the US

A hacking group allegedly supported by the Chinese government is being named as the culprit behind the theft of SK Telecom’s USIM information.

The joint public-private team investigating the SKT incident announced at a mid-term press briefing held at the Government Complex Seoul on the 19th that approximately 27 million instances of USIM information, based on subscriber identification keys, were leaked due to attacks using BPFDoor and derivative malware.

According to the telecommunications industry, BPFDoor, which was discovered on SKT’s servers, is a backdoor program first reported three years ago. A report published by PwC in 2022 revealed that the Chinese hacking group Red Menshen was using BPFDoor while attacking telecom companies in the Middle East and Asia.

At that time, Red Menshen was found to have sent commands to BPFDoor through routers in Taiwan that it had hacked in advance, in order to hide its IP addresses. American cybersecurity firm Trend Micro also identified Red Menshen, a Chinese advanced persistent threat (APT) group, as the concealed controller behind BPFDoor in a report released last month.

Trend Micro noted that domestic telecom companies were targeted by BPFDoor attacks in July and December 2024. According to the “Operation Soft Cell” report by global security firm Cybereason, attacks targeting telecom companies mainly aim to gather basic information for prolonged, detailed tracking. By collecting data on the call counterparts, times, frequencies, and location information of specific individuals over extended periods, the attackers can secretly determine their communication patterns and social relationships.

Within the domestic telecommunications industry, the prevailing analysis is that the SKT hacking incident is an extension of US-China cyber warfare. The White House announced last December that China had hacked into at least eight US telecommunications companies, accessing the communication records of senior officials and politicians. It was also revealed that not only the US but also dozens of other countries have been targeted by Chinese hackers.

In October last year, the FBI also uncovered three large-scale cyber espionage organizations known to be supported by Chinese authorities: Volt Typhoon, Salt Typhoon, and Flax Typhoon.

These groups have been found to be operating by embedding malicious software in over 260,000 small offices and IoT devices across 19 countries, including the US, Vietnam, and Romania.

According to The Wall Street Journal (WSJ), it is estimated that Chinese personnel involved in information collection and security operations could number as many as 600,000, with some Chinese hackers reportedly receiving government support. The WSJ also mentioned that during US-China negotiations last December in China and Switzerland, Chinese cyber officials referenced hacking of critical US civilian infrastructure such as ports and airport communications, suggesting that it was a result of US military support for Taiwan.

Given that Red Menshen, suspected of being behind the SKT hacking, had infiltrated domestic telecom companies and embedded malware in them for as long as three years, there is analysis suggesting that it could be a hacking organization supported by the Chinese government.

The US Federal Communications Commission (FCC) announced this March that it had begun extensive investigations into the operations of Chinese companies on the “Covered List” of entities deemed to pose an unacceptable risk to US national security.

The “Covered List” is a list of companies deemed threats to US national security, and the FCC added companies such as Huawei and ZTE to this list in 2021. A representative from the domestic telecommunications industry conveyed that while the government is currently focused on identifying the cause of the SKT hacking incident and on compensation, comprehensive risk assessments of hacking threats from a national security perspective and fostering the information protection industry, as seen in the US, should follow.
