Joint Public-Private Investigation Team Announces Final Findings on Breach Incidents
KT Confirms 103 Types of BPFdoor Malware, Similar to SKT
LG Uplus Under Investigation for Obstruction of Official Duties by Fraudulent Means
With KT's negligence in femtocell security management acknowledged as the cause of the breach incident, a waiver of penalty fees has been announced. The scale of the KT hacking incident was more extensive than that of SK Telecom in terms of the types and number of malware, as well as the scope of infection.
Ryu Jemyung, the 2nd Vice Minister of the Ministry of Science and ICT, is announcing the final investigation results of the KT and LG Uplus breach incidents at the Government Seoul Office on the 29th. Photo by Noh Kyungjo
The joint public-private investigation team of the Ministry of Science and ICT announced the final investigation results of the KT and LG Uplus breach incidents at the Government Seoul Office Building on December 29.
The investigation found that 103 types of malware, including BPFdoor and rootkits, were detected on 94 KT servers. The financial damage from small payment fraud was also tallied at approximately 240 million won. This is more extensive than SK Telecom, where 33 types of malware, including 27 BPFdoor variants, were found on 28 servers.
However, the visible scale of personal information leakage was greater at SK Telecom. At SK Telecom, 25 types of personal information, including the phone numbers, subscriber identification numbers (IMSI), and USIM authentication keys (Ki, OPc) of most of its over 23 million subscribers, were leaked. In contrast, at KT, the leakage was found to involve the IMSI, device identification numbers (IMEI), and phone numbers of about 22,000 people. However, the investigation team explained that KT only retains system logs for one to two months, so it was not possible to confirm whether additional data was leaked outside this period.
Authorities noted the similarity between the two incidents due to the presence of BPFdoor malware, suggesting the possibility of a common attacker. Ryu Jemyung, the 2nd Vice Minister of the Ministry of Science and ICT, stated at the briefing, "We believe there are similarities in attack patterns and internal technical analysis between the two companies, but it is difficult to definitively conclude they are the same."
Some have pointed out that hacking groups led by the Chinese government are creating and widely deploying BPFdoor malware. In response, Vice Minister Ryu said, "This is a widely held view in the global security community, but there has been no official confirmation by any national agency or certification authority," adding, "Given the timing of the attacks, it is difficult to conclude whether they were state-sponsored or occurred after the malware became open source."
As a result of the investigation, KT will be subject to a penalty fee waiver. As with SK Telecom, KT users will be able to switch carriers without penalty, regardless of their contract period. This applies to all users, even if no damage has been confirmed.
The investigation team determined that the company is responsible for the penalty fee waiver, given that KT was found negligent in this breach incident and failed to fulfill its primary contractual obligation to provide secure communication services. The terms of service specify that "if the user terminates the service due to the company's fault, the penalty fee will be waived."
Vice Minister Ryu stated, "We expect KT to reasonably determine the retroactive application period and timing in line with consumer and public expectations." He added, "Breach incidents at telecom and platform companies differ in their causes and solutions," and explained, "There has been no difference in the severity of sanctions or approaches by company."
Immediately after the government announcement, KT stated, "We solemnly accept the investigation results and will promptly announce customer compensation and information security innovation measures as soon as they are finalized."
Meanwhile, LG Uplus is under police investigation for allegedly submitting false information and destroying servers related to the breach incident. The investigation team confirmed that information connected to the integrated server access control solution (APPM) had actually been leaked, but found discrepancies between the materials provided by an anonymous whistleblower and those submitted by the company. It is also difficult to trace the laptop and network path of a partner company employee identified as the hacking vector.
The government has deemed LG Uplus's actions inappropriate and, on December 9, requested a police investigation on charges of obstruction of official duties by fraudulent means. Depending on the outcome of the investigation, additional measures such as new business restrictions and penalty fee waivers may be imposed.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
