SKT Joint Investigation Team Analyzes Locations and Paths of Eight Newly Disclosed Hacking Malware Types

Investigation into Timing and Locations of Malicious Code
Examining VPN Vulnerabilities and Other Factors

SK Telecom CEO Yoo Youngsang announced additional measures to protect customers on the 2nd.

The joint public-private investigation team currently probing the SK Telecom server hacking incident is working to determine the time of infiltration and locations where eight newly disclosed types of malicious code were introduced. On the 6th, the team stated that they are analyzing specific circumstances to ascertain whether these eight new types of malicious code were discovered on the Home Subscriber Server (HSS), where four types had been initially identified at the beginning of the hacking incident, or if they had been implanted on separate server devices.


On April 18, SKT detected abnormal traffic indicating data exfiltration at its security monitoring center, and subsequently confirmed the presence of malicious code on billing analysis equipment, along with evidence of file deletion. The following day, the company discovered signs of data leakage from the Home Subscriber Server (HSS), which handles device authentication for 4G and 5G subscribers during voice calls.


The Korea Internet & Security Agency (KISA), which is investigating the hacking incident, issued a notice on May 3 titled "Second Sharing of Threat Intelligence on Malicious Code Exploited in Recent Hacking Attacks and Advisory," stating, "During the response to recent telecom intrusion incidents, attacks targeting Linux systems have been confirmed," and disclosed eight additional types of malicious code.


The joint public-private investigation team, which is conducting forensic analysis on the discovery locations, time and method of introduction or creation, and pathways of the malicious code, commented that the findings are "still under review."


Within the security industry, there have been claims that the SKT hacking exploited vulnerabilities in VPN (Virtual Private Network) equipment from a company called Ivanti. However, it has not yet been confirmed whether the VPN equipment used on SKT's Linux-based servers was from Ivanti, Cisco, or another major vendor.


Ryu Junghwan, Vice President and Head of the Infrastructure Strategy Technology Center, stated in a daily briefing on the hacking incident, "Given the nature of telecom companies, the security of network equipment is important, but we are also maintaining security measures such as firewalls at the nodes connecting these devices, and we are keeping our security systems up to date." However, he added, "Our response was somewhat delayed as we were reviewing side effects related to last year's Microsoft Azure cloud outage," and stated, "We plan to complete the antivirus work by the end of July."


On May 3, the Ministry of Science and ICT conducted a security review of the three major telecom companies and major platform companies (Naver, Kakao, Coupang, and Woowa Brothers) and instructed the platform industry to also check for the presence of malicious code used in the SK Telecom hacking incident. This was intended to prompt a review of whether the VPN equipment used by these platform companies is vulnerable to the same malicious code.


At the time, the Ministry stated, "The SK Telecom intrusion incident that occurred on April 18 is a serious matter that serves as a wake-up call regarding the security and safety of the national network as a whole." A member of the joint public-private investigation team commented, "There have been no reports so far of any damage caused by the malicious code in the platform industry."


Meanwhile, on May 5, when SKT began suspending new subscriptions and number portability at all 2,600 T World direct and authorized stores nationwide, a total of 13,745 subscribers moved from SKT to other telecom companies (7,087 to KT and 6,658 to LG Uplus). Since SKT began automatically enrolling users in its USIM protection service, the number of subscribers leaving the company has decreased from over 30,000 in the latter part of last week.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
