A massive data breach at South Korea’s top telecom provider, SK Telecom, has exposed millions of subscriber records, raising alarm over how hackers infiltrated the company’s systems undetected for years—and why the stolen data has yet to be misused. /Yonhap News

A month has passed since SK Telecom’s hacking incident first came to light on Apr. 22, yet many critical questions remain unanswered.

Who breached the South Korean telecom giant’s heavily fortified firewall? How did they manage to infiltrate the system? Can the perpetrators be tracked down?

Another mystery lies in the hackers’ intent: Why did they target nearly 27 million USIM records, and how is it that no cases of financial fraud or unauthorized authentication using the leaked data have been reported so far?

The fact that the hackers had been inside SK Telecom’s systems for at least three years has raised further questions—chief among them, whether more data was stolen during that time without anyone knowing.

Some experts say the attack resembles an advanced persistent threat, or APT—a long-term, targeted cyber assault that has affected telecom networks in multiple countries since around 2021.

Given the nature and sophistication of the breach, many are calling for coordinated international efforts to investigate the case and prevent similar incidents in the future.

Q1. Who carried out the hacking?

Many experts believe the hackers were a highly skilled group with considerable financial resources. SK Telecom, which has about 25 million subscribers, has repeatedly emphasized that it had world-class security measures in place.

Nevertheless, the attackers managed to covertly plant malicious code in servers storing sensitive customer data—such as names, phone numbers, and dates of birth—and succeeded in stealing some of that information. SKT remained unaware of the malware’s presence for at least three years until the breach came to light.

Some speculate that the hackers may have ties to a Chinese group, citing the use of “BPFdoor,” a type of malware previously linked to long-term cyberattacks against major institutions around the world. There are also suspicions that North Korea may have been involved.

“The development methods for this kind of malware are now widely known, so it’s difficult to identify the hackers based on the tools alone,” a telecom industry official said.

“But the scale and sophistication of the attack strongly suggest it may have been carried out by a large hacking organization, possibly backed by a nation-state,” he added.

Q2. What was the motive behind the attack?

So far, the hackers have made no demands and have not attempted to leverage the stolen data or the planted malware to pressure SK Telecom—leading many to believe that the primary aim was to steal customer data.

Cyberattacks motivated by financial gain typically target information used in banking transactions, such as names and addresses, and are often followed by ransom demands. Last year’s breaches at France’s second-largest telecom provider, FREE, and the United States’ largest carrier, AT&T, are examples of such cases.

The prevailing view is that the hackers were after core customer data from the beginning. That said, the information known to have been leaked so far includes about 25 million phone numbers and IMSI (International Mobile Subscriber Identity) keys—data that experts say does not yet pose a serious threat to the average consumer.

A joint investigation team also confirmed that more sensitive personal information—such as full names, resident registration numbers, and home addresses—was not leaked.

Still, concerns remain. Given that SK Telecom was unaware of the malware for three years, investigators say the possibility of additional, undiscovered data leaks cannot be ruled out.

Q3. What comes next in the investigation?

Similar attacks have recently targeted telecom providers in other countries. In September last year, nine telecom companies in the United States—including AT&T, Verizon, and T-Mobile—were breached, resulting in the leak of data from approximately 1 million subscribers.

Much of the stolen information reportedly consisted of call and text message records. Among those affected were individuals affiliated with the election campaigns of Donald Trump and Kamala Harris.

“This is a classic case of an advanced persistent threat,” said Kim Seung-joo, a professor at Korea University’s Graduate School of Information Security. “The attackers pick their target ahead of time, sneak into the system quietly, and slowly take it over step by step.”

South Korean police are currently leading the investigation into the breach. Authorities have found signs that the attackers attempted to conceal their tracks, including evidence that authentication data stolen from SK Telecom was routed through Singapore before being moved elsewhere.

“This is a case that will require time and international cooperation,” said Ko Hak-soo, chair of the Personal Information Protection Commission.