MSIT Releases Final Investigation Results on SK Telecom Data Breach


[Public-Private Joint Investigation Team – Summary of Findings] 

Methodology: Given intense public concern and the stealthy nature of the malware, all 42,605 SK Telecom (SKT) servers were scanned for BPFDoor and other malicious code.

Infection status: 28 servers were infected; 33 malware strains were identified and removed (27 BPFDoor, 3 TinyShell, 1 WebShell, 2 open-source C2 frameworks—CrossC2 and Sliver).

Data exfiltrated: 25 categories of USIM data (9.82 GB; roughly 26.96 million IMSI records) were leaked.

Root causes: Poor credential management, inadequate response to a February 2022 breach, and failure to encrypt critical data.

Recurrence-prevention: Mandatory strengthening of password controls, encryption of key data, CEO-level security governance, and an increase in security staffing and budget.

Determination on the Early-Termination Penalty Waiver:

- Negligence confirmed – SK Telecom failed to fulfil its duty of care to protect USIM data and did not comply with relevant regulations.

- Principal duty breached – Because the leaked USIM data can enable SIM-cloning and call/message interception, the company did not deliver the secure telecom service required under the contract.

- Waiver therefore applies – In light of both negligence and breach of a major obligation, Article 43 (Waiver of Early‑Termination Penalty) of the company’s Terms & Conditions can be invoked by subscribers affected by this incident.

The Ministry of Science and ICT (Minister Yoo Sang-im, hereafter “MSIT”) today announced the final results of the Public-Private Joint Investigation Team (hereafter “Team”) investigation into April’s SK Telecom (SKT) cybersecurity breach, together with MSIT’s legal determination on whether SKT’s early-termination fee waiver clause applies.


I. SK Telecom Cybersecurity Breach: Cause Analysis and Recurrence-Prevention Plan


Background

At 11:20 p.m. on April 18, 2025, SK Telecom detected abnormally large outbound traffic. The company notified the Korea Internet & Security Agency (KISA) at 4:46 p.m. on April 20, thereby exceeding the 24‑hour statutory reporting window set by the Act on Promotion of Information and Communications Network Utilization and Information Protection ("Network Act"), which allows fines of up to KRW 30 million for late reporting. Recognizing the gravity of the USIM-data leak, the Ministry of Science and ICT (MSIT) established a Public‑Private Joint Investigation Team (“the Team”) on April 23, 2025 to determine the scope, cause and impact of the breach.


1. Methodology

Because the incident involved the nation’s largest mobile carrier, featured highly stealthy BPFDoor malware, and exposed subscribers to SIM‑cloning risk, the Team conducted a full forensic inspection of all 42,605 servers operated by SKT between April 23 and June 27. Compromised servers then underwent in‑depth analysis to verify any data exfiltration.


2. Compromised Servers and Data-Leak Scale

The investigation identified 28 infected servers carrying 33 malware variants (27 BPFDoor, 3 TinyShell, 1 WebShell, 1 CrossC2, 1 Sliver).

The Team shared information about the malware characteristics with antivirus vendors, the Korean National Police Agency and the National Intelligence Service. A public inspection guide posted on BohoNara (www.boho.or.kr) had recorded about 129,000 page views as of June 30, 2025.

A total of 25 categories of USIM data, including International Mobile Subscriber Identity (IMSI), amounting to 9.82 GB (approximately 26.96 million records), were confirmed leaked.

Among the infected hosts, two servers temporarily stored International Mobile Equipment Identity (IMEI) numbers and personal data (names, birth dates, phone numbers, e‑mails) in plain text, while one server stored plain‑text Call Detail Records (CDR).

- Firewall logs show no evidence of exfiltration for IMEI data between Dec. 3, 2024 and Apr. 24, 2025, nor for CDR data between Dec. 9, 2024 and Apr. 20, 2025.  

- Because logs are missing for IMEI data from Jun. 15, 2022 to Dec. 2, 2024 and for CDR data from Jan. 31, 2023 to Dec. 8, 2024, leakage during those periods cannot be ruled out.


3. Reconstruction of the Attack Path

(1) Initial Foothold (Aug. 6, 2021 onwards): The attacker gained access to Server A in the Internet-facing system-management subnet and on Aug. 6, 2021 installed the multi-function back-door CrossC2. At that time, Server A held—in unencrypted form—the IDs and passwords of other management-subnet hosts. It is inferred that the attacker reused those credentials to sign in to Server B, as the same ID/password pair appears in multiple authentication logs.


Server B, in turn, stored plain-text admin credentials for the HSS management server (Home Subscriber Server management node). Using those credentials, the attacker logged into the HSS management server on Dec. 24, 2021 and implanted BPFDoor on the HSS management server and on associated HSS nodes (voice-call authentication servers) between Dec. 24, 2021 and Jan. 1, 2022.


(2) Additional Staging (Jun. 15 & 22, 2022): It is inferred that the attacker pivoted from the system-management subnet to the customer-management subnet and deployed a WebShell plus additional BPFDoor payloads on servers in that subnet. Network flow records confirm traffic between the infected management-subnet host and customer-subnet IPs on both dates.


(3) Long-Term Persistence (Nov. 30, 2023 – Apr. 21, 2025):  Because administrative passwords had no expiry and had not been rotated for years, the attacker periodically logged back in, installed fresh malware payloads, and updated existing implants, thereby expanding footholds across multiple management-subnet servers.


(4) Data Exfiltration (Apr. 18, 2025): Using the long-lived credentials, the attacker accessed three HSS nodes, compressed 9.82 GB of USIM data, and exfiltrated the archive through Server C, which retained outbound Internet connectivity.
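The pivot chain reconstructed above (Server A → Server B → HSS management server → HSS nodes, each hop made with credentials found in clear text on the previous host) is the kind of pattern a defender can surface from ordinary authentication logs. The following is an added example, not code from the investigation or from SKT: it parses a constructed, hypothetical login-log format, follows successful logins outward from an Internet-facing host to reconstruct the hop chain, and lists accounts whose credentials were accepted on more than one host (a shared-credential indicator). Host names, account names and the log format are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format, not SKT data). It mirrors the chain
# the report describes: Internet-facing host -> second management host -> HSS mgmt -> HSS nodes.
SAMPLE_AUTH_LOGS = """\
2021-08-06T02:11:05 host=srv-a user=sysadm src=203.0.113.7 result=success
2021-08-09T01:40:12 host=srv-b user=sysadm src=srv-a result=success
2021-12-24T03:02:41 host=hss-mgmt user=hssadmin src=srv-b result=success
2021-12-26T03:05:10 host=hss-node1 user=hssadmin src=hss-mgmt result=success
2021-12-26T03:06:00 host=hss-node2 user=hssadmin src=hss-mgmt result=success
2021-12-27T09:00:00 host=srv-b user=ops src=jump-01 result=success
2021-12-28T10:00:00 host=srv-a user=sysadm src=203.0.113.7 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

def parse_logins(text):
    """Return successful logins as (timestamp, src, host, user) tuples, in log order."""
    logins = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("result") == "success":
            logins.append((m.group("ts"), m.group("src"), m.group("host"), m.group("user")))
    return logins

def shared_accounts(logins):
    """Accounts accepted on more than one host: a sign that one credential is reused across hosts."""
    hosts_by_user = defaultdict(set)
    for _ts, _src, host, user in logins:
        hosts_by_user[user].add(host)
    return {u: h for u, h in hosts_by_user.items() if len(h) > 1}

def pivot_chains(logins, start_host):
    """Follow successful logins outward from start_host: every host reached becomes a
    possible source for the next hop. Returns hops as (src, dst, user, timestamp)."""
    reached, hops = {start_host}, []
    changed = True
    while changed:  # iterate to a fixpoint so hops logged out of order are still found
        changed = False
        for ts, src, host, user in logins:
            if src in reached and host not in reached:
                reached.add(host)
                hops.append((src, host, user, ts))
                changed = True
    return hops

if __name__ == "__main__":
    logins = parse_logins(SAMPLE_AUTH_LOGS)
    for src, dst, user, ts in pivot_chains(logins, "srv-a"):
        print(f"{ts}  {src} -> {dst}  as {user}")
    print("accounts accepted on multiple hosts:", shared_accounts(logins))
```

Run against real logs, the same chain-following would start from any host with an Internet-facing service and stop at hosts that are never reached from the chain, which is the property the report says Server C retained (outbound connectivity) and the HSS nodes should not have had.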


4. Problems Identified and Measures to Prevent Recurrence


A. USIM‑Information Leak — Core Causes & Remedies

① Poor credential management: SKT stored server login IDs and passwords in plain text—even for the HSS management server infected on Dec. 24 & 30, 2021—in violation of ISMS guidelines, which ban storing passwords on paper, files or mobile devices and require encryption if storage is unavoidable.

→ Restrict any recording of passwords and, if unavoidable, store them in encrypted form while introducing multi-factor authentication.


② Inadequate response to the 2022 anomaly (Feb. 23, 2022): An abnormal reboot led SKT to inspect the affected server cluster and remove malware, yet the company failed to file the mandatory incident report required by Article 48-3 of the Network Act—an omission subject to an administrative fine of up to KRW 30 million. During that inspection SKT also spotted suspicious log-in attempts on the very HSS management server later implicated in the 2025 breach, but reviewed only one of six available log files, missing the attacker’s access traces.

→ Comply with the statutory 24-hour reporting duty and perform full root-cause analysis for every abnormal event to prevent wider damage.


③ Failure to encrypt critical information: The USIM authentication key (Ki) was stored in plain text, contrary to GSMA (Global System for Mobile Communications Association) recommendations and the practice of peers (KT, LG U+).

→ Encrypt Ki and other key fields in line with domestic law and GSMA guidance.


B. Network Act Violations

① Late or missing incident reports: The main breach was reported after the statutory deadline—since Aug. 14, 2024, the Network Act has required that any incident be reported within 24 hours, whereas before that date carriers were only told to report “immediately.” In addition, two TinyShell-infected servers were never reported at all.

→ Infringements are punishable by an administrative fine of up to KRW 30 million under Article 76 of the Network Act.


② Breach of data‑preservation order: MSIT issued a preservation order at 5:42 p.m. on Apr. 21; by 7:52 p.m. that day, SKT had altered two servers, rendering forensic imaging impossible.

→ Case to be referred for criminal investigation (up to 2 years’ imprisonment or KRW 20 million fine, Article 73 of the Network Act).


C. Security Activity & Governance Gaps

① Security management deficiencies: Annual server audits did not include WebShell detection; phone‑number masking rules were stored without adequate protection on the server that temporarily held CDR data.

→ Expand EDR (Endpoint Detection and Response) and antivirus coverage, adopt Zero‑Trust architecture and run vulnerability scans on all assets at least quarterly.


② Supply‑chain control failure: Software supplied by a contractor was installed on 88 servers without screening; the package contained dormant malware.

→ Establish a full supply-chain security programme.


③ Fragmented governance: Although Article 45-3 of the Network Act requires a single Chief Information Security Officer (CISO) to oversee all security functions, SK Telecom’s CISO covered only the IT domain (57 % of assets), leaving the network domain (43 %) under separate supervision.

→ Elevate the CISO to report directly to the CEO and grant enterprise-wide authority, in full compliance with Article 45-3.


D. Other Areas Requiring Improvement

① Short retention of firewall logs: Although SKT rules require six‑month retention, logs were kept only four months, limiting the Team’s ability to trace data leakage.

→ Retain logs for at least six months and manage them through a central log-management system.


② Incomplete asset inventory: During the full‑server inspection, SKT lacked a central record of asset types, quantities and lifecycle status.

→ Create a Chief Information Officer (CIO) role and deploy an IT‑asset‑management solution.


③ Under-resourced security: 2024 disclosures show 15 security staff and KRW 3.79 billion per one million subscribers (including SK Broadband), below the telco average of 17.7 staff and KRW 5.74 billion.

→ Increase headcount and spending to at least peer‑carrier levels on a per‑subscriber basis.


5. Follow-up Measures


MSIT has instructed SKT to submit an implementation plan reflecting all of the above measures by July 2025. The company must execute the plan between August and October 2025, after which MSIT will conduct an on-site audit in November–December 2025. Any deficiencies will trigger corrective orders under Article 48-4 of the Network Act.


Moreover, MSIT views the breach as a catalyst for reforming private‑sector cybersecurity ahead of the AI era. In consultation with the dedicated SKT Breach Task Force under the Science, ICT, Broadcasting and Communications Committee of the National Assembly, MSIT will prepare:

- a separate legal framework to safeguard telecom networks critical to the public and industry;

- schemes to incentivize greater private‑sector cybersecurity investment; and

- governance reforms to strengthen executive accountability.


II. Applicability of the Early‑Termination Penalty Waiver


1. Overview of the Waiver Clause

SK Telecom’s Terms and Conditions stipulate that when the subscriber terminates the service for reasons attributable to the Company, the early‑termination penalty shall be waived.


Article 43 (Waiver of Early‑Termination Penalty)

① In any of the following cases, the obligation to pay the penalty set out in Article 42 (1) shall be waived: 

4. Where the contract is terminated for reasons attributable to the Company.


2. Sequence of Legal Opinions

After the breach, a National Assembly hearing on May 8, 2025 and various media outlets argued that subscribers should be exempted from penalties if they cancel during the contract term. To clarify whether the waiver clause applies, MSIT sought two rounds of external legal advice.


Initial review (April 2025; four institutions) – Conducted at the early stage of the investigation with limited facts. All four advisers answered that the waiver could apply if SK Telecom’s negligence were later confirmed.

Comprehensive review (June 26 – July 2, 2025; five institutions) – Based on the completed forensic record, four advisers concluded that the incident was due to SK Telecom’s negligence and that the USIM‑data leak constituted a breach of the Company’s principal contractual obligation, therefore the waiver clause applies. One adviser reserved judgment, citing insufficient information.


3. Key Issues and Findings

MSIT examined two questions: (i) whether SK Telecom was negligent in the breach, and (ii) whether the Company violated its principal obligation to provide secure telecommunications service.


Negligence: The Joint Investigation Team identified three systemic faults — (a) poor credential management, (b) inadequate response to an earlier 2022 incident, and (c) failure to encrypt critical information — as well as violations of the Network Act. Accordingly, MSIT finds that SK Telecom failed to exercise the level of care normally expected of a telecom operator and therefore acted negligently.

Breach of principal contractual obligation: Under the Network Act, telecom carriers must provide safe services. Because daily life relies on such services, subscribers reasonably expect appropriate protective measures. The leaked USIM data constitute an indispensable element of secure network access; once exposed, a third party could clone the SIM and (without additional safeguards) make calls or intercept calls/messages using the subscriber’s number.


At the time of the leak, SK Telecom operated Fraud Detection System (FDS) 1.0 (since August 2023) and the USIM Protection Service (since November 2023, subscribed by only about 50,000 customers). FDS 1.0 could not block all forms of SIM‑cloning. MSIT therefore concludes that SK Telecom failed to fulfil its principal obligation to protect USIM data and to provide a secure service.


MSIT’s Determination on the Waiver Clause

Because (a) negligence is established and (b) the principal contractual duty was breached, MSIT rules that the incident constitutes a “reason attributable to the Company” under Article 43 of SK Telecom’s Terms & Conditions.

MSIT emphasizes that this ruling is confined to SK Telecom and this specific breach, and is not a general precedent for all cyber-security events.


Minister’s Remarks

MSIT Minister Yoo Sang-im stated:

“This breach is a wake-up call for Korea’s entire networked ecosystem—not just the telecom sector. As the country’s leading mobile carrier, whose services touch nearly every aspect of daily life, SK Telecom must treat every weakness exposed by this incident with utmost urgency, remedy them completely, and elevate information security to the very top of its management agenda.”


He added:

“In the coming era of artificial intelligence, cyber-threats will merge with AI tools and become even more sophisticated and precise. The government will therefore overhaul the entire security lifecycle—from prevention and early detection to rapid response—so that Korea can emerge as a safe and globally trusted AI powerhouse.”




For further information, please contact the Public Relations Division (Phone: +82-44-202-4034, E-mail: msitmedia@korea.kr) of the Ministry of Science and ICT. 


Please refer to the attached PDF.


KOGL Korea Open Government License, BY Type 1 : Source Indication The works of the Ministry of Science and ICT can be used under the terms of "KOGL Type 1".