KT Security Incident Joint Investigation Team Releases Interim Report
It has been revealed that KT discovered 43 servers infected with malicious code in the past but failed to report them to the government.
On November 6, the joint public-private investigation team on KT security incidents, organized by the Ministry of Science and ICT, announced these interim findings.
Previously, in September, KT analyzed the call records of small payment fraud victims and discovered that an unregistered micro base station (femtocell) had accessed its internal network. KT then reported the breach to the Korea Internet & Security Agency (KISA).
Since September 9, the investigation team has analyzed the causes of three incidents: small payment and personal information leaks caused by illegal femtocells, indications of KT certificate leakage by a state-backed organization (as reported in the Phrack report), and a server breach discovered during a security inspection by an external company.
The team pointed out that KT’s femtocell management system was generally inadequate. All femtocells supplied to KT used the same certificate, so simply copying the certificate allowed illegal femtocells to access KT’s network. The certificate’s validity period was set to 10 years, meaning that once a femtocell had accessed the KT network, it could continue to do so indefinitely.
In addition, the femtocell manufacturer provided key information such as cell ID, certificates, and KT server IP addresses to subcontractors without any security management system. The investigation found that KT did not block abnormal IP addresses, such as those from other companies or overseas, when femtocells authenticated to the KT network.
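The three weaknesses described above (one certificate shared by every device, a 10-year validity period, and no filtering of the source address at authentication) correspond to checks an admission gateway can make before accepting a femtocell. The sketch below is an added example, not code from the investigation report or from KT's systems; the function and field names, the 397-day lifetime limit, the address ranges and the sample records are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Hypothetical policy values, chosen for illustration only.
MAX_CERT_LIFETIME_DAYS = 397
ALLOWED_SOURCE_NETS = [ip_network("198.51.100.0/24")]  # constructed range

@dataclass(frozen=True)
class AttachRequest:
    cell_id: str
    cert_fingerprint: str   # hash of the device certificate presented
    not_before: date
    not_after: date
    source_ip: str

def audit_attach(req, registered):
    """Return reasons to refuse a femtocell; an empty list means admit.
    `registered` maps each provisioned cell ID to its certificate fingerprint."""
    reasons = []
    expected = registered.get(req.cell_id)
    if expected is None:
        reasons.append("unregistered cell ID")
    elif expected != req.cert_fingerprint:
        reasons.append("certificate not bound to this cell ID")
    # A fingerprint provisioned for several cell IDs is a shared credential:
    # a copy taken from one unit is accepted for any of them.
    owners = [c for c, fp in registered.items() if fp == req.cert_fingerprint]
    if len(owners) > 1:
        reasons.append("certificate shared by multiple devices")
    if (req.not_after - req.not_before).days > MAX_CERT_LIFETIME_DAYS:
        reasons.append("certificate lifetime exceeds policy")
    if not any(ip_address(req.source_ip) in net for net in ALLOWED_SOURCE_NETS):
        reasons.append("source IP outside expected networks")
    return reasons

# Constructed sample data (not taken from the report).
SHARED_INVENTORY = {"cell-0001": "fp-shared", "cell-0002": "fp-shared"}
UNIQUE_INVENTORY = {"cell-0001": "fp-a1", "cell-0002": "fp-b2"}
CLONED = AttachRequest("cell-0001", "fp-shared",
                       date(2020, 1, 1), date(2030, 1, 1), "203.0.113.7")
GENUINE = AttachRequest("cell-0001", "fp-a1",
                        date(2025, 1, 1), date(2025, 12, 31), "198.51.100.20")

if __name__ == "__main__":
    print(audit_attach(CLONED, SHARED_INVENTORY))
    print(audit_attach(GENUINE, UNIQUE_INVENTORY))
```

With a shared fingerprint in the inventory, the first check alone cannot tell a copied certificate from a legitimate one, which is why the shared-credential, lifetime and source-network checks are evaluated independently.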
Forensic analysis of the servers also revealed evidence that KT attempted to conceal the malicious code breach. Between March and July last year, KT discovered 43 servers infected with malicious code, including BPFdoor and web shells, but handled the issue internally without reporting it to the government. This constitutes a violation subject to a fine of up to 30 million won under the Act on Promotion of Information and Communications Network Utilization and Information Protection. KT reported to the investigation team that some of the infected servers stored information such as names, phone numbers, email addresses, and device identification numbers (IMEI).
There was also a delay in reporting the breach. On September 1, KT was notified by the police of unauthorized small payment incidents and blocked abnormal communication patterns, but did not report the incident until September 8, after confirming the illegal femtocell ID. This is also subject to a fine of up to 30 million won under the Act on Promotion of Information and Communications Network Utilization and Information Protection.
The scale of small payment damages is expected to increase. The investigation team plans to announce the final damage figures after verifying the current analysis method and checking for any unreported victims, in addition to the 368 victims and 243.19 million won in damages identified so far.
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.


