"KT Knew of 43 Malware-Infected Servers but Failed to Report...Strict Action to Follow" (Comprehensive)

Interim Findings from the KT Breach Joint Investigation Team
Infected Servers Not Reported, Exposed by Forensic Analysis
Femtocell Authentication Flaws Raise Concerns Over Expanding Small-Amount Payment Fraud
"Business Suspension Considered if KT Faces USIM Replacement Supply Crisis"

It has been found that KT had discovered 43 malware-infected servers but failed to report them to the government.


A citizen passes in front of a KT store in Seoul. Photo by Yonhap News Agency


The joint public-private investigation team on the KT breach incident, organized by the Ministry of Science and ICT, announced these interim investigation results on November 6.


Previously, in September, KT analyzed the call records of victims of small-amount payment fraud and discovered that unauthorized illegal devices, not registered with the company, had accessed the internal network. KT then reported the breach to the Korea Internet & Security Agency (KISA).


Since September 9, the investigation team has been examining three cases to determine their causes: small-amount payment fraud and personal information leaks carried out through illegal femtocells; indications, reported by Prack, that KT certificates were leaked by a state-sponsored group; and server breaches discovered during security inspections conducted by external vendors.


As a result, evidence emerged that KT attempted to conceal a malware breach. Between March and July of last year, KT discovered 43 servers infected with malware such as BPFdoor and web shells, but handled the matter internally without reporting it to the government. Failing to report is subject to a fine of up to 30 million won under the Information and Communications Network Act. KT later told the investigation team that some of the infected servers held stored personal information such as names, phone numbers, email addresses, and device identification numbers (IMEI).


The investigation team explained that forensic analysis of the servers found antivirus traces pointing to hacking activity. However, unlike in the SK Telecom hacking incident, it remains unclear whether the HSS (Home Subscriber Server) systems holding key subscriber information were compromised, how much personal information was leaked, and whether the attackers are the same group as in the SKT case.


Choi Woohyuk, head of the investigation team, stated, "Since all BPFdoor malware had been deleted, it did not appear in the comprehensive inspection conducted by authorities after the SKT hacking incident. The 43 affected servers are the number disclosed by KT itself, and further investigation through forensics is needed to determine the scope and scale of the hacking."


He added, "There is no evidence yet of USIM key leaks required for illegal phone cloning. We will thoroughly examine whether there is any connection to the newly discovered incidents by the end of the year."


Regarding KT's attempts to conceal the breach, he said, "We are taking this very seriously and plan to clarify the facts and request appropriate action from relevant agencies."


Choi Woohyuk, Director of the Network Policy Office at the Ministry of Science and ICT, announces the interim investigation results of the KT breach incident on the 6th at the Government Seoul Office. Photo by Noh Kyungjo


The investigation team also reported that it has requested a police investigation into KT on charges of "obstruction of official duties by fraudulent means" under the Criminal Act, in connection with KT discarding servers after Prack, a U.S. security media outlet, warned of possible server hacking.


KT told KISA in August that it had disposed of the relevant servers. The investigation found, however, that KT disposed of the servers on several dates: two servers on August 1, four on August 6, and two on August 13. KT did not submit the backup logs for the discarded servers until September 18.


Delayed reporting of the breach was also identified. KT received information from the police about unauthorized small-amount payments on September 1 and blocked the abnormal communication patterns, but did not report the incident until September 8, after it had confirmed the illegal femtocell ID. This, too, is subject to a fine of up to 30 million won under the Information and Communications Network Act.


The investigation team pointed out that KT's femtocell management was inadequate across the board. Every femtocell supplied to KT used the same certificate, so simply copying that certificate was enough for an illegal femtocell to join the KT network. With the certificate validity period set to 10 years, any femtocell that had ever connected to the KT network could keep doing so for the remainder of that term.


In addition, the femtocell manufacturer handed critical information such as cell IDs, certificates, and KT server IP addresses to subcontractors without any security controls in place. The investigation also found that KT did not block authentication attempts from anomalous source IP addresses, such as addresses belonging to other carriers or located overseas, when femtocells authenticated to the KT network.
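The two findings above (one certificate shared by every femtocell with a ten-year validity, and no screening of the source address at authentication time) describe a policy that cannot tell a cloned device from a genuine one. The script below is an added example, not KT's or the investigation team's code, contrasting that weak admission check with a hardened one that binds each certificate to a single registered device, caps certificate lifetime, honours revocation, restricts source networks, and flags one serial appearing from two addresses. Certificates are modelled as plain dicts rather than real X.509 objects so it runs offline; every cell ID, serial, address range and date is constructed for illustration.

```python
"""Femtocell admission policy: weak (shared certificate) vs hardened
(per-device binding).  Added example; all identifiers are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

NOW = datetime(2025, 11, 6, tzinfo=timezone.utc)      # fixed clock so runs are reproducible
MAX_CERT_LIFETIME = timedelta(days=365)               # hypothetical policy limit


def make_cert(serial: int, days_valid: int) -> dict:
    """Stand-in for an X.509 certificate: just a serial and an expiry."""
    return {"serial": serial, "not_after": NOW + timedelta(days=days_valid)}


# Weak deployment: every unit ships with the same certificate, valid ~9 years.
SHARED_CERT = make_cert(1, 9 * 365)

# Hardened deployment: operator inventory binds a distinct serial to each cell ID.
INVENTORY = {"CELL-0001": 1001, "CELL-0002": 1002}    # constructed
REVOKED = {1002}                                      # CELL-0002 was decommissioned
# Address ranges from which legitimate femtocells are expected to authenticate.
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed


@dataclass
class AuthAttempt:
    cell_id: str
    cert: dict      # {"serial": int, "not_after": datetime}
    src_ip: str


def weak_admit(a: AuthAttempt) -> bool:
    """Accepts any unexpired copy of the shared certificate, from any address.
    This is the behaviour the findings describe: copying the cert is enough."""
    return a.cert["serial"] == SHARED_CERT["serial"] and a.cert["not_after"] > NOW


def hardened_admit(a: AuthAttempt, seen: dict) -> tuple[bool, list[str]]:
    """Returns (admitted, reasons).  `seen` maps serial -> source IP of the
    most recent accepted session so a serial reused from elsewhere is flagged."""
    reasons = []
    serial = a.cert["serial"]
    if a.cert["not_after"] <= NOW:
        reasons.append("certificate expired")
    elif a.cert["not_after"] - NOW > MAX_CERT_LIFETIME:
        reasons.append("certificate lifetime exceeds policy")
    if INVENTORY.get(a.cell_id) != serial:
        reasons.append("certificate not bound to claimed cell ID")
    if serial in REVOKED:
        reasons.append("certificate revoked")
    ip = ipaddress.ip_address(a.src_ip)
    if not any(ip in net for net in ALLOWED_NETS):
        reasons.append(f"source {a.src_ip} outside operator ranges")
    if serial in seen and seen[serial] != a.src_ip:
        reasons.append(f"serial {serial} already active from {seen[serial]} (possible clone)")
    if not reasons:
        seen[serial] = a.src_ip
    return (not reasons, reasons)


def demo() -> dict:
    """Runs the same rogue attempt through both policies; returns the verdicts."""
    rogue = AuthAttempt("CELL-9999", dict(SHARED_CERT), "203.0.113.5")  # copied cert, overseas IP
    seen = {}
    genuine = AuthAttempt("CELL-0001", make_cert(1001, 300), "10.20.1.5")
    clone = AuthAttempt("CELL-0001", make_cert(1001, 300), "203.0.113.5")
    return {
        "weak_accepts_rogue": weak_admit(rogue),
        "hardened_rejects_rogue": hardened_admit(rogue, seen),
        "hardened_accepts_genuine": hardened_admit(genuine, seen),
        "hardened_flags_clone": hardened_admit(clone, seen),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The clone check is deliberately stateful: a cloned certificate is only visible as a second session for a serial that is already active, which is exactly what a one-shot validity check can never see. The lifetime cap rejects the long-lived shared certificate outright, so a leaked copy stops being useful at the next renewal instead of years later.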


The scale of the small-amount payment damage is expected to grow. So far the team has identified 368 victims and total losses of 243.19 million won; it plans to announce final figures after verifying the method used to identify victims and checking for any victims not yet accounted for.


The Ministry of Science and ICT has decided to consider suspending KT's business operations if a supply crisis like the one seen during the SKT incident arises during the KT USIM replacement process. For subscribers in the affected regions who suffered direct small-amount payment losses, administrative guidance will be issued to ensure they are fully informed about the replacement process.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
