
SKT Hacking Program Also Found Here... What Is 'GitHub'?

BPFdoor Behind SKT USIM Data Leak...
Freely Shared on 'GitHub'
Core Open Source Community,
Now a Hideout for Hackers
Security Industry Also Relies on GitHub...
A Silent Cyber Battleground

The malicious code 'BPFdoor,' which was used to leak subscriber USIM information from SK Telecom (SKT), is already publicly available on GitHub, a developer platform for sharing and collaborating on open source program code. In other words, anyone can use this program to launch a cyberattack if they wish. While GitHub is a core community for maintaining the open source ecosystem, it has recently emerged as a battleground between hacker groups seeking to exploit it and security experts working to defend against them.


BPFdoor Responsible for SKT USIM Leak... Freely Shared on 'GitHub'

GitHub logo. Photo: GitHub

BPFdoor is known as a piece of malware favored by the Chinese hacker group 'RedMenshen' in the late 2010s. It was first mentioned in a 2022 report by global consulting firm PwC. BPFdoor is a type of malicious code that implants a 'backdoor' in server networks.


BPF (the Berkeley Packet Filter) was originally developed to ensure smooth network operations, but RedMenshen modified parts of its source code to turn it into a hacking tool called BPFdoor. BPFdoor typically lies dormant within a system, activating only when a hacker sends a specific command, at which point it exfiltrates critical data. At one time, RedMenshen used BPFdoor to cause significant trouble for banks, telecommunications companies, hospitals, and government agencies across Asia.


To make matters worse, in 2022, RedMenshen released the source code of BPFdoor for free on GitHub. This means anyone can now download BPFdoor from GitHub and commit the same hacking crimes. As a result, it is no longer possible to identify RedMenshen as the sole perpetrator behind cyberattacks using BPFdoor. This was a calculated move to exploit the nature of GitHub as a free open source platform.


Core Open Source Community, Now a Hideout for Hackers

Since the source code of RedMenshen's BPFdoor was released, related samples have been shared on GitHub. The photo shows a BPFdoor sample shared for research purposes in 2023. Photo: GitHub

GitHub is a US-based programming community website established in 2008, where anyone can freely share the source code of programs they have developed. Today, more than 150 million programmers use GitHub worldwide, and it is estimated that about 2.33 million developers in South Korea alone are registered on the platform. Due to its overwhelming influence in the IT industry, GitHub was valued at $7.5 billion (approximately 10.5 trillion won) in 2018, and was acquired by Microsoft (MS) that same year, becoming its subsidiary.


However, because GitHub guarantees open source sharing and user anonymity, it is also used as a hideout by hackers. Incidents involving the leak of malicious code from GitHub, resulting in massive financial losses, are not uncommon. In February, global security company Kaspersky detected hundreds of malicious programs in a single GitHub repository. Investigations revealed that hackers had already used these programs to inflict $480,000 (approximately 670 million won) in Bitcoin losses.


Security Industry Also Relies on GitHub... A Silent Cyber Battleground

SKT hacking incident.

However, it would be premature to brand GitHub solely as a hotbed of cybercrime. Just as hackers exploit GitHub, security professionals and white hat hackers (those employed by security companies to prevent hacking crimes) also rely on GitHub as a valuable source of information.


When new malicious code or ransomware appears on GitHub, security professionals meticulously analyze the source code to identify potential vulnerabilities. Most of the first reports warning about the characteristics or risks of new malware are also posted on GitHub before anywhere else. Today, GitHub is more like a silent battlefield where hacking criminals and security experts clash in real time.


Security experts still believe that GitHub's positive functions outweigh its negative consequences. A security industry official explained, "GitHub is such a vast platform that truly dangerous malicious code does get released from time to time," but added, "With a few exceptions, most malicious code samples are refined for research purposes and are uploaded in a safe form, with antivirus solutions usually already developed."


The official continued, "In fact, security professionals are becoming even more dependent on GitHub. These days, it is extremely rare to find a security developer working without GitHub," emphasizing, "There is no community as large and important as GitHub for analyzing and researching truly dangerous malware samples."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
