- Authentication management vulnerabilities were found in the process of connecting small base stations (femtocells) to KT’s network.
- The Investigation Team concluded that end-to-end encryption between the device and the core network had been disabled, allowing illegal small base stations (illegal femtocells) to obtain plaintext authentication information (Automated Response System [ARS], Short Message Service [SMS]).
- KT discovered 43 servers infected with malware such as BPFDoor between March and July 2024 but did not report them to the government.
- KT delayed reporting both the unauthorized small payment and the intrusion detected during the external security inspection.
The Joint Public-Private Investigation Team (hereinafter referred to as the “Investigation Team”) announced the interim findings of its investigation into the KT network intrusion incident on November 6.
On September 8, KT reported a security breach to the Korea Internet & Security Agency (KISA) after discovering that an unregistered illegal device had accessed its internal network while analyzing call histories of small-payment fraud victims. Given the seriousness of the incident involving financial damages and the need for in-depth analysis of the attack methods, the Ministry of Science and ICT (MSIT) established and has been operating the Investigation Team since September 9.
The Investigation Team has been analyzing three major cases:
- Small payment fraud and personal data leakage through illegal small base stations (illegal femtocells);
- Leakage of KT authentication certificates allegedly by a state-backed organization (as detailed in the Phrack Magazine report dated August 8, 2025);
- Server intrusion detected during KT’s third-party security inspection.
Based on these cases, the Investigation Team analyzed KT’s security weaknesses and the root causes of each incident.
Small Payment Fraud and Data Leakage via Illegal Small Base Stations (Illegal Femtocells)
Regarding incidents caused by illegal small base stations (illegal femtocells), the Investigation Team identified:
1. The extent of damages caused by illegal small base stations,
2. Problems in KT’s management and authentication processes for small base stations,
3. Scenarios for theft of small payment authentication information,
4. Past malware infections such as BPFDoor and related responses, and
5. Delays in incident reporting.
In the interim findings, the Investigation Team confirmed security deficiencies in KT’s operation and authentication of small base stations through inspection and testbed verification. The final report will include forensic analysis of seized illegal devices used by suspects to identify further threats and propose preventive measures.
1. Damages Caused by Illegal Small Base Stations
To fully assess the scope of damages, the Investigation Team requested that KT expand its analysis. KT reviewed approximately 4.03 trillion base station connection records and 150 million payment transactions between August 1, 2024, and September 10, 2025. Through this, it identified 22,227 subscribers whose information—including International Mobile Subscriber Identity (IMSI), device ID (IMEI), and phone number—had been exposed via 20 illegal small base stations, resulting in small-payment damages of KRW 243.19 million affecting 368 victims (announced on October 17).
However, damages prior to August 1, 2024, could not be identified due to missing communication logs, and some small-payment fraud cases lacked connection records. The Investigation Team plans to verify KT’s analysis methodology and ensure no victims were excluded before announcing the final tally.
2. Authentication Management Vulnerabilities in Small Base Station Connections
The Investigation Team found that KT’s authentication management for small base stations was insufficient, allowing illegal devices to easily connect to the internal network. All small base stations supplied to KT used a common authentication certificate, meaning any copied certificate could be used by an illegal base station to connect to KT’s network. Additionally, the certificates were valid for ten years, enabling long-term unauthorized access once a connection had occurred.
It was also found that manufacturers had shared sensitive information—including cell accounts (Cell IDs), certificates, and KT’s IP information—with subcontractors without proper security controls, and such data could be easily extracted from the devices. Furthermore, KT did not block abnormal or foreign IP addresses during the authentication process, nor did it verify whether device information such as unique identifiers and installation locations matched registered data.
In addition, on September 10 the three major telecom operators were instructed to temporarily suspend new small base station connections to prevent further illegal access, and KT was required to implement the following measures:
- Shorten certificate validity periods from 10 years to 1 month (September 10),
- Block non-KT IP addresses from network access (September 23),
- Verify hardware identifiers and installation data at the time of connection (October 3), and
- Issue separate authentication certificates per device (November 5).
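As an added example (not KT's or the Investigation Team's code), the check below applies the four controls above to a femtocell connection attempt and reports which ones it fails: certificate validity capped at one month, source address restricted to the carrier's own ranges, hardware identifier and installation location compared against the registration record, and a certificate that must belong to exactly one device. The record layout, the carrier address range and the sample devices are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import timedelta
from ipaddress import ip_address, ip_network

MAX_CERT_VALIDITY = timedelta(days=31)           # validity cut from 10 years to 1 month
CARRIER_NETWORKS = [ip_network("10.20.0.0/16")]  # constructed stand-in for carrier-owned ranges

@dataclass(frozen=True)
class RegisteredCell:   # carrier's record for one femtocell
    hw_id: str          # unique hardware identifier on file
    site: str           # registered installation location
    cert_serial: str    # serial of the certificate issued to this device alone

@dataclass(frozen=True)
class ConnectionAttempt:  # what a device presents when it tries to connect
    cell_id: str
    hw_id: str
    site: str
    src_ip: str
    cert_serial: str
    cert_validity: timedelta   # notAfter minus notBefore of the presented certificate

def admission_violations(attempt, inventory):
    """Return the controls the attempt fails; an empty list means admit."""
    found = []
    if attempt.cert_validity > MAX_CERT_VALIDITY:
        found.append("certificate validity longer than one month")
    if not any(ip_address(attempt.src_ip) in net for net in CARRIER_NETWORKS):
        found.append("source address outside carrier network")
    # A serial on file for more than one device is a common (shared) certificate.
    if Counter(c.cert_serial for c in inventory.values())[attempt.cert_serial] > 1:
        found.append("certificate shared by several devices")
    reg = inventory.get(attempt.cell_id)
    if reg is None:
        return found + ["cell ID not registered"]
    if reg.hw_id != attempt.hw_id:
        found.append("hardware identifier does not match registration")
    if reg.site != attempt.site:
        found.append("installation location does not match registration")
    if reg.cert_serial != attempt.cert_serial:
        found.append("certificate was not issued to this device")
    return found

# Constructed inventory; CLONED is an unknown device presenting a copy of CELL-0001's
# certificate (with its original ten-year validity) from outside the carrier network.
INVENTORY = {"CELL-0001": RegisteredCell("HW-A1", "Seoul-site-01", "SER-1001"),
             "CELL-0002": RegisteredCell("HW-B2", "Busan-site-07", "SER-1002")}
GOOD = ConnectionAttempt("CELL-0001", "HW-A1", "Seoul-site-01", "10.20.3.4", "SER-1001", timedelta(days=30))
CLONED = ConnectionAttempt("CELL-9999", "HW-Z9", "unknown", "203.0.113.9", "SER-1001", timedelta(days=3650))
```

Under the pre-September configuration every device carried the same certificate, so the shared-certificate check would have rejected even legitimate devices; that is the point of issuing separate certificates per device before enforcing it.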
3. Theft of Small Payment Authentication Information
KT encrypts communications between devices and base stations, and between devices and the core network, following 3GPP and TTA standards. However, based on expert analysis and testbed experiments, the Investigation Team concluded that attackers could disable end-to-end encryption. When encryption was disabled, illegal small base stations were able to intercept plaintext authentication information such as ARS and SMS codes.
The team will continue testing to confirm whether voice calls and text messages could also be intercepted via illegal small base stations.
< Encryption Systems Used by Telecommunication Providers >
The three major telecom operators apply encryption in accordance with standards set by the 3rd Generation Partnership Project (3GPP) and the Telecommunications Technology Association (TTA) of Korea.
(Segment encryption) Encrypts data packets as they traverse various network sections, such as wireless and internet segments. Note: Encryption is not applied within the trusted network segments inside the carrier’s facilities.
(End-to-end encryption) Encrypts the communication data itself from the user device all the way to the core (central) network. This includes encrypting both SMS and voice signaling* all the way from the device to the core network, even within the carrier’s facilities.
*Signaling refers to information used for identifying the other party and managing session connections and disconnections during a call.
4. Previous Malware Infections and Unreported Incidents
Through digital forensic analysis, the Investigation Team found that between March and July 2024, KT detected 43 servers infected with malware such as BPFDoor and web shells but failed to report them to the government. Some of these servers contained personal data such as names, phone numbers, email addresses, and device identifiers (IMEIs). The Investigation Team views this matter seriously and intends to request appropriate actions from the relevant authorities.
*Violation of the Act on Promotion of Information and Communications Network Utilization and Information Protection – subject to fines up to KRW 30 million
5. Delayed Reporting of Intrusion Incidents
KT was informed by the police on September 1 of unauthorized small-payment cases in specific regions. Although it detected and blocked abnormal network patterns by September 5 (03:00), KT did not report the intrusion until September 8 (19:16), after identifying illegal small base station accounts.
*Violation of the Act on Promotion of Information and Communications Network Utilization and Information Protection – subject to fines up to KRW 30 million
Suspected Leakage of KT Certificates by a State-Backed Organization
Regarding the findings reported in the August 8 Phrack Magazine report about the suspected certificate leakage by a state-backed organization, KT informed KISA that it had decommissioned the related servers on August 1. However, it was later confirmed that the decommissioning actually took place in stages between August 1 and 13, and KT failed to submit backup logs until September 18. The Investigation Team determined that KT’s actions demonstrated intent to obstruct the government investigation and referred the case to the investigative authorities on October 2 under Article 137 of the Criminal Act (Obstruction of Performance of Official Duties by Fraudulent Means).
Server Intrusion Identified During External Security Inspection
An external audit conducted on September 15, 2025, detected intrusion traces in KT’s internal servers. KT, however, delayed reporting the incident until September 18 (23:57). The Investigation Team is currently recovering and analyzing digital evidence to determine the cause and assess security vulnerabilities.
*Violation of the Act on Promotion of Information and Communications Network Utilization and Information Protection – subject to fines up to KRW 30 million
The Investigation Team is analyzing illegal devices seized from suspects involved in the unauthorized small payment fraud in cooperation with the police and is investigating, along with the Personal Information Protection Commission, how the suspects obtained the personal information used in these transactions.
The MSIT will transparently disclose the final investigation results to the public, and, based on the confirmed facts and additional findings, will conduct legal reviews to determine whether customers who terminate their contracts with KT due to this incident may be exempt from early termination penalties under KT’s service terms.
For further information, please contact the Public Relations Division (Phone: +82-44-202-4034, E-mail: msitmedia@korea.kr) of the Ministry of Science and ICT.
Please refer to the attached PDF.