Investigation Reveals KT’s Concealment of Malware Infections and Security Lapses Behind Hacking Breach

Seoul: Cybersecurity Gaps Exposed at KT Corp. Following Malware Incident

In a troubling development, KT Corp., South Korea’s second-largest mobile operator, has been implicated in a significant cybersecurity breach involving the concealment of malware infections. An investigation led by government authorities uncovered that the company failed to disclose critical security breaches associated with a recent hacking incident that resulted in substantial data theft.

The inquiry revealed that between March and July 2024, KT became aware that 43 of its servers had been infected with BPFDoor malware and additional malicious code. The affected servers handled customer information, including names, phone numbers, email addresses, and international mobile equipment identity (IMEI) data. Instead of promptly reporting the security incidents to the relevant authorities, KT opted for internal resolution, allowing the situation to escalate.

BPFDoor malware is particularly concerning as it enables attackers to bypass firewall protections and maintain persistent access within compromised systems. Notably, this type of malware was previously linked to a separate cyberattack against SK Telecom, indicating a worrying trend among South Korean mobile carriers.

The investigation has raised significant alarms regarding KT’s femtocell management systems, which are small, low-power cellular base stations commonly used in residential and commercial settings. The vulnerabilities identified allowed unauthorized devices to gain access to KT’s internal networks. Consequently, hackers were able to disable end-to-end encryption, facilitating the interception of user payment authentication data, which could have far-reaching implications for customer security and trust.

As a result of these findings, the Ministry of Science and ICT has announced plans for a legal review to determine whether KT’s actions constitute breaches of regulatory laws and if grounds exist for customer compensation. The investigation was prompted by an alarming incident in August, where 368 KT customers suffered financial losses amounting to 240 million won (approximately $167,000) due to illicitly operated micro base stations.

In response to growing concerns about data security, KT has begun offering free universal subscriber identity module (USIM) replacements to all customers. However, the company’s troubles may not end there, as KT faces potential legal repercussions for allegedly obstructing justice by providing false information during the investigation.

Examining the potential tactics employed in this breach, the methods used align with several techniques outlined in the MITRE ATT&CK Matrix. Initial access could have been achieved through the exploitation of vulnerabilities within KT’s femtocell management system. Furthermore, persistence may have been established via the BPFDoor malware, enabling cybercriminals to maintain their foothold in the compromised environment.
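The BPFDoor behaviour described above (no listening port, persistence through a packet-level filter) is usually hunted for by asking which processes hold raw packet sockets. The following is an added illustration, not code from the original report or from KT: it parses a constructed copy of Linux /proc/net/packet, maps socket inodes to their owning processes (here a constructed table; on a live host this comes from /proc/PID/fd symlinks), and flags owners that are not on an allowlist of daemons expected to open packet sockets.

```python
"""Triage helper: list processes holding AF_PACKET sockets, an indicator
associated with BPFDoor, which receives commands through a BPF filter on
a packet socket instead of a bound TCP/UDP port that a port scan would show."""

# Constructed sample of /proc/net/packet: header line plus three sockets.
# Columns: sk RefCnt Type Proto Iface R Rmem User Inode
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff8a0e 3      3    0003   2     1 0      0      29811
ffff8a1f 3      3    0003   2     1 0      0      41202
ffff8a2a 3      3    0003   0     1 0      0      55090
"""

# Constructed inode -> (pid, comm) table. On a live host this is built by
# resolving /proc/<pid>/fd/* symlinks of the form "socket:[<inode>]".
SAMPLE_SOCKET_OWNERS = {
    29811: (812, "dhclient"),
    41202: (4471, "example-proc"),   # constructed name for the suspicious owner
    55090: (5203, "tcpdump"),
}

# Daemons that legitimately open packet sockets on many Linux hosts (assumption;
# tune to the fleet being examined).
EXPECTED_PACKET_SOCKET_OWNERS = {
    "dhclient", "dhcpcd", "tcpdump", "NetworkManager", "systemd-networkd",
}


def parse_proc_net_packet(text):
    """Return the socket inode numbers listed in a /proc/net/packet dump."""
    inodes = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 9:
            inodes.append(int(fields[8]))
    return inodes


def find_unexpected_packet_sockets(proc_net_packet, socket_owners,
                                   allowlist=EXPECTED_PACKET_SOCKET_OWNERS):
    """Flag packet sockets whose owning process is not on the allowlist.
    A socket with no resolvable owner is also flagged, since it deserves review."""
    findings = []
    for inode in parse_proc_net_packet(proc_net_packet):
        pid, comm = socket_owners.get(inode, (None, "<unknown>"))
        if comm not in allowlist:
            findings.append({"pid": pid, "comm": comm, "inode": inode})
    return findings


if __name__ == "__main__":
    for f in find_unexpected_packet_sockets(SAMPLE_PROC_NET_PACKET, SAMPLE_SOCKET_OWNERS):
        print(f"review: pid={f['pid']} comm={f['comm']} holds packet socket inode {f['inode']}")
```

A hit is a lead, not a verdict: confirm by inspecting the process binary, its parent, and the attached BPF program before acting.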

Law enforcement authorities have also been notified of KT’s actions, which may result in financial penalties similar to those imposed on SK Telecom, which faced a fine of 134.7 billion won for its own data breach earlier this year. In a statement following the government briefing, KT expressed its commitment to addressing the investigation’s findings and apologized for the lapse in reporting the data breach.

As the investigation unfolds, the implications of this incident serve as a stark reminder of the importance of diligent cybersecurity measures and the need for transparency when addressing data breaches in today’s interconnected environment.
