KT Femtocell Hacking: Government Says "Penalty Exemption Must Apply to All Users"

Joint Public-Private Investigation Team Announces Final Findings on the 29th
Illegal Femtocell Access to Internal Network... Interception of ARS and SMS Authentication Data
Four Out of Five Legal Advisors: "KT Violated Its Primary Contractual Obliga


Regarding KT's femtocell hacking incident, the government has officially determined that users may be exempt from penalty fees. This decision is based on the confirmation of structural management failures that allowed illegal femtocell access, as well as legal counsel indicating that KT violated its primary contractual obligation to provide secure telecommunications services.


On December 29, the Ministry of Science and ICT announced the final findings of the joint public-private investigation team into the KT security breach. The ministry stated that the incident falls under “company responsibility” as defined in KT’s terms and conditions, making the penalty fee exemption clause applicable.


The investigation team inspected approximately 33,000 KT servers for malware infection over six rounds. For servers found to be infected, forensic and detailed analyses were conducted to determine whether any information leaks or other damages had occurred.


The team also re-verified the calculation method and possible omissions in the damage scale announced by KT on October 17 of the previous year. It confirmed that, due to illegal femtocell use, the subscriber identification numbers (IMSI), device identification numbers (IMEI), and phone numbers of 22,227 users were leaked. Additionally, 368 users (777 cases) suffered unauthorized small-amount payments totaling 243 million won. These figures matched KT’s own calculations. However, the team noted that it could not confirm additional damages for the period before July 31, 2024, as no telecommunications payment data remained for that time.


The root cause analysis revealed a structural vulnerability that allowed illegal femtocells to access KT’s internal network. Forensic analysis of the illegal femtocells seized by the police found that the devices contained the certificates and server IP information required to access the KT network, as well as functions enabling the transmission of communication traffic to third-party locations.


The attacker copied KT’s femtocell certificates and server IP information to access the internal network, then activated the illegal femtocell’s signal to forcibly connect user devices, originally linked to legitimate base stations, to the illegal femtocell. Through this, the attacker stole victims’ phone numbers, IMSI, and IMEI, then combined this data with personal information obtained through unknown means to select targets. The attacker then intercepted ARS and SMS authentication information on gift card purchase sites to make unauthorized small-amount payments.


The investigation team concluded that KT’s overall information security system was flawed. There were no security policies for certificates, server IPs, or cell IDs during the manufacturing and introduction stages of femtocells, and the system for detecting and blocking illegal femtocell access was inadequate.


Accordingly, the team demanded that KT implement technical and managerial measures to prevent recurrence, including: implementing femtocell secure boot functionality; periodically changing and strictly managing authentication server IPs; strengthening abnormal traffic monitoring; and collaborating with white-hat hackers to identify vulnerabilities. The team also instructed KT to ensure end-to-end encryption (IPsec) from user devices to the core network is never disabled, and to establish a continuous monitoring system for abnormal signaling traffic.


Furthermore, the team required KT to install security equipment such as firewalls in the femtocell authentication and registration system, retain operational system logs for at least one year, and establish a centralized log management system. In terms of information security governance, the team called for organizational restructuring so that the Chief Information Security Officer (CISO) can oversee company-wide security policies and for the establishment of mid- to long-term security plans. To strengthen company-wide asset management, the measures also included appointing a Chief Information Officer (CIO), introducing asset management solutions, and establishing security management across the entire femtocell supply chain.


Legal violations were also identified. KT detected signs of unauthorized small-amount payments on September 5 but did not report the security breach until September 8, and reporting was further delayed even after traces of compromise were found by an external security firm. The team also confirmed that KT failed to report the discovery of malware such as BPFdoor in 2024. As a result, the government plans to impose a fine of up to 30 million won under the Information and Communications Network Act.


Based on these findings, the Ministry of Science and ICT sought opinions from five legal advisory institutions on the applicability of the penalty fee exemption clause. Four out of five concluded that KT’s poor femtocell management constituted a violation of its primary contractual obligation to provide secure telecommunications services, and thus the penalty fee exemption clause could be applied.


The Ministry stated, “Given that illegal femtocells could access KT’s internal network at any time and even disable end-to-end encryption, the risk was not limited to a few victims but exposed all KT users. Therefore, this breach constitutes a company responsibility under KT’s terms and conditions, requiring penalty fee exemptions for all users.”


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
