SK Telecom Grapples with Years-Long Malware Intrusion, Raising Data Breach Concerns

Desk

korocamia@naver.com | 2025-05-19 21:46:11

Seoul, South Korea – South Korean telecommunications giant SK Telecom (SKT) is facing mounting scrutiny following the revelation that its servers, including one storing sensitive International Mobile Equipment Identity (IMEI) numbers, were infected with malware as far back as three years ago. The alarming discovery, made in the wake of a recent USIM (Universal Subscriber Identity Module) hacking incident, has ignited concerns over potential data breaches and the security protocols employed by the nation's leading mobile carrier.

The joint public-private investigation team probing the SK Telecom cyber intrusion unveiled the findings of its second phase of inquiry today, confirming that a total of 23 servers within SKT's infrastructure were compromised by malicious software. This marks a significant increase from the initial report on April 29th, which identified five infected servers and four distinct strains of malware. The latest investigation has unearthed an additional 18 compromised servers and 21 new types of malicious code, bringing the total count to 25 unique malware variants.

Crucially, among the infected servers, 15 have undergone thorough forensic analysis. Of particular concern is the revelation that two of these compromised servers were directly linked to SKT's integrated customer authentication system. Investigators have confirmed the presence of personally identifiable information (PII), including IMEI numbers, names, dates of birth, and phone numbers, within temporary storage files on these interconnected servers.

The inclusion of IMEI-containing servers in the list of compromised systems is a significant development from the initial investigation. While the joint team stated that firewall logs from December 3, 2024, to April 24, 2025, showed no evidence of leakage of the 291,831 IMEI records present during that period, a critical gap in log data has emerged. The initial malware infection has been traced back to June 15, 2022, approximately three years prior to the USIM hacking incident that triggered the full-scale investigation. The absence of log records between June 15, 2022, and December 2, 2024, leaves a substantial window of uncertainty regarding potential data exfiltration during that extended timeframe.
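The visibility problem the investigators describe is a general one: a compromise that predates the oldest retained logs cannot be cleared by log review, only the covered part of the dwell time can. The following Python snippet is an added example, not code from the article or from the investigation team, that computes the uncovered intervals between an earliest-infection date and the end of the reviewed period from whatever log retention windows are available. It assumes the firewall logs form one contiguous window (the only window the article mentions); the dates are the ones published above.

```python
from datetime import date, timedelta

# Dates as published in the investigation findings.
INFECTION_DATE = date(2022, 6, 15)        # earliest traced malware infection
LOG_START = date(2024, 12, 3)             # first day of reviewed firewall logs
LOG_END_INCLUSIVE = date(2025, 4, 24)     # last day of reviewed firewall logs


def merge_windows(windows):
    """Merge overlapping or touching half-open [start, end) date windows."""
    merged = []
    for start, end in sorted(windows):
        if end <= start:
            raise ValueError(f"empty or inverted window: {start}..{end}")
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def coverage_gaps(period_start, period_end, log_windows):
    """Return the sub-intervals of [period_start, period_end) that no log window covers."""
    gaps = []
    cursor = period_start
    for start, end in merge_windows(log_windows):
        if start > cursor and cursor < period_end:
            gaps.append((cursor, min(start, period_end)))
        cursor = max(cursor, end)
        if cursor >= period_end:
            break
    if cursor < period_end:
        gaps.append((cursor, period_end))
    return gaps


def gap_days(gaps):
    """Total number of days with no log evidence."""
    return sum((end - start).days for start, end in gaps)


def uncovered_fraction(period_start, period_end, log_windows):
    """Fraction of the investigated period for which exfiltration can be neither confirmed nor ruled out."""
    total = (period_end - period_start).days
    return gap_days(coverage_gaps(period_start, period_end, log_windows)) / total


if __name__ == "__main__":
    # Half-open end: the day after the last logged day.
    period_end = LOG_END_INCLUSIVE + timedelta(days=1)
    firewall_logs = [(LOG_START, period_end)]  # assumption: one contiguous window
    for start, end in coverage_gaps(INFECTION_DATE, period_end, firewall_logs):
        print(f"no log coverage {start} .. {end} ({(end - start).days} days)")
    print(f"uncovered share of dwell time: "
          f"{uncovered_fraction(INFECTION_DATE, period_end, firewall_logs):.1%}")
```

Run against the published dates, the only gap is June 15, 2022 through December 2, 2024, which is about 86% of the dwell time; adding further log sources (DNS, proxy, host audit) as extra windows shrinks the reported gaps and shows what evidence would actually be needed to support a "no additional leakage" conclusion.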

During a separate press briefing, Ryu Jeong-hwan, Head of SK Telecom's Infrastructure Network Center, attempted to assuage public concerns, stating, "Based on all the records we have been able to review so far, we believe there has been no additional leakage." However, this assertion is likely to face skepticism given the prolonged period of undetected malware presence.

SK Telecom's admission that it only became aware of the three-year-old server compromise following last month's USIM hacking incident has drawn sharp criticism regarding its internal security monitoring and incident response capabilities. The fact that such a significant breach could remain undetected for such an extended period raises serious questions about the robustness of SKT's cybersecurity defenses.

Despite the confirmation of 18 infected servers, SK Telecom and government authorities have downplayed the immediate risk of widespread cloned phone incidents. Both parties cited assurances from mobile phone manufacturers that the creation of "twin phones" solely based on IMEI numbers is not feasible, as the crucial terminal authentication keys are proprietary to the manufacturers.

SK Telecom further emphasized its existing security measures, including the "Fraud Detection System (FDS)," which monitors and blocks abnormal authentication attempts across its subscriber base, and its USIM protection service. The company is also offering USIM card replacements to concerned customers as a precautionary measure. SKT has reiterated its commitment to taking full financial responsibility for any damages arising from illegal USIM or device cloning.

The ongoing investigation has also yielded insights into the nature of the malicious software involved. In addition to the "BPFDoor" family of malware, which is reportedly favored by Chinese hacker groups, a "web shell" variant was newly identified during the expanded probe. However, both authorities and SK Telecom have refrained from directly attributing the attack to any specific actor or nation-state, citing the ongoing nature of the investigation.

Ryu Je-myung, Director General of Network Policy at the Ministry of Science and ICT, highlighted the unusual characteristics of the cyber intrusion, noting, "This hacking has a different pattern from commercial and economic-purpose data theft from specific databases and trading on the dark web, so we are closely examining the motive." This statement suggests that the attackers' objectives may extend beyond simple financial gain or data resale, potentially hinting at more sophisticated espionage or disruptive motives.

The findings of the second investigation have triggered a strong backlash from opposition lawmakers. Members of the National Assembly's Science, Technology, Information and Broadcasting Communications Committee from the Democratic Party and the Rebuilding Korea Party issued a joint statement criticizing the results. They asserted that the incident unequivocally demonstrates "SK Telecom's overall poor information security management and the government's incompetence in neglecting it," signaling a potential for further political fallout and legislative scrutiny of the telecommunications giant's security practices.

The revelation of a years-long malware intrusion into SK Telecom's systems underscores the persistent and evolving threats facing critical infrastructure in the digital age. The incident serves as a stark reminder of the importance of proactive threat detection, robust security protocols, and timely incident response capabilities for organizations handling vast amounts of sensitive user data. As the investigation continues, the focus will likely shift towards determining the full scope of any potential data breach, identifying the perpetrators, and implementing stricter regulations and oversight to prevent similar incidents in the future, ensuring the security and privacy of millions of South Korean mobile subscribers.
