- Conducted four rounds of intensive inspections for BPFDoor malware infections (to date, 23 infected servers and 25 malware variants identified and addressed)
- Initiated comprehensive inspection of all servers for BPFDoor and other malware infections
- Confirmed infection of two servers temporarily storing personal data
The Public-Private Joint Investigation Team (hereinafter referred to as "the Team") investigating the SK Telecom (SKT) cybersecurity incident released its second report on May 19, following the initial findings announced on April 29.
· Investigated five servers showing signs of compromise; confirmed leakage of 25 types of data, including USIM information (phone numbers, International Mobile Subscriber Identity [IMSI], etc.)
· Identified four variants of BPFDoor malware; shared information with relevant institutions and companies to prevent further spread
· Confirmed no leakage of International Mobile Equipment Identity (IMEI) numbers
Aiming to complete a thorough inspection of all SKT server systems by the end of June, the Team is conducting the investigation in two phases:
· Phase 1: Focused inspection of Linux servers for initial BPFDoor infections
· Phase 2: Expanded inspection of all servers, including Windows systems, for BPFDoor and other malware infections
As of May 19, the Team has completed four rounds of inspections under Phase 1.*
*Inspection Timeline:
· 1st Round: April 19–24
· 2nd Round: April 23–30
· 3rd Round: May 3–8
· 4th Round: May 8–14
During these inspections, the Team identified infections in 23 servers, completed forensic analysis on 15 of them, and is currently analyzing the remaining 8 servers. To date, a total of 25 distinct malware strains have been discovered and addressed, including 24 variants from the BPFDoor family and one web shell. Additionally, a fifth round of inspections is currently underway to detect and eliminate any remaining or additional threats.
Scope of Server Inspections by Phase:
| Phase | Period | Focus |
|---|---|---|
| Phase 1 | Apr. 19 to May 14, 2025 | Detection of BPFDoor malware in approx. 30,000 Linux servers |
| Phase 2 | May 14 to end of June 2025 | Detection of BPFDoor and other malware (e.g., via antivirus, EDR), including Windows and other servers |
Malware and Infected Servers Identified:
| Classification | First Report (Apr 29) | Second Report (May 19) | Total |
|---|---|---|---|
| Malware | 4 variants | 21 variants | 25 variants |
| Infected Servers* | 5 servers | 18 servers | 23 servers |
*Forensic analysis completed on 15 servers; analysis ongoing for 8 servers.
The Team conducted four intensive inspections of approximately 30,000 Linux servers operated by SKT. These inspections aimed to determine whether other servers were compromised, considering the stealthy nature and deep infiltration capabilities of BPFDoor malware. Notably, the fourth inspection utilized tools capable of detecting all 202 known BPFDoor variants.
The first three inspections involved SKT's self-assessment, which the Team then verified. The fourth inspection was directly conducted by the Team, with support from the Korea Internet & Security Agency (KISA).
The Team confirmed that the leaked USIM data amounted to 9.82 GB, encompassing 26,957,749 IMSI records.
Beyond the four BPFDoor variants reported on April 25 and the eight variants reported on May 3, the Team identified an additional 12 BPFDoor variants and one web shell variant.
To prevent further spread, the Team disseminated information about the malware characteristics in the first (April 25) and second (May 3) notices. In the third notice (May 12), it shared instructions for developing a detection tool capable of identifying all known BPFDoor variants with 6,110 government agencies, public institutions, and companies.
Meanwhile, the Ministry of Science and ICT (MSIT) has been proactively responding to potential similar incidents in other telecommunications and major online platform companies since the early stages of the incident. On May 3, the Minister met with the Chief Security Officers of the three major telecom companies and four major platform companies to assess the current security situation and emphasize the importance of thorough inspections and responses.
Additionally, MSIT has been operating a dedicated task force for security inspections of telecommunications and online platform companies since May 12, conducting daily or weekly inspections of other telecom companies and the four major platform companies. Concurrently, central administrative agencies, local governments, and public institutions are undergoing inspections under the supervision of the National Intelligence Service. To date, no reported damage has been identified in either the private or public sectors.
Following the first report, an additional 18 servers showing signs of compromise were identified, bringing the total to 23. Forensic analysis has been completed on 15 servers, with the remaining 8 servers scheduled for analysis by the end of May.
Among the 15 analyzed servers, two were found to temporarily store personal data. The Team conducted additional investigations on May 14 and May 18 to determine whether data leakage occurred.
These servers were linked to the integrated customer authentication system and contained temporarily stored files with IMEI numbers and various personal information (names, dates of birth, phone numbers, email addresses) used for customer authentication.
Public concern over the potential misuse of IMEI numbers—such as in phone cloning—grew rapidly in the aftermath of the breach. In response to these concerns, the Team prioritized inspection of 38 servers known to store IMEI data and confirmed that none of them were infected, as announced in its first report. However, during subsequent forensic analysis, it was discovered that some infected servers—linked to SKT’s integrated customer authentication system—had temporarily stored files containing IMEI numbers. This indicated that IMEI data had, at some point, resided on compromised systems, albeit indirectly.
The Team confirmed that a total of 291,831 IMEI records were contained in the files stored on the affected servers. Following two rounds of in-depth analysis, the Team verified that no data leakage occurred during the period for which firewall access logs are available (December 3, 2024 – April 24, 2025). However, since no logs exist for the earlier period—from June 15, 2022 to December 2, 2024—it has not been possible to determine whether any leakage occurred during that time.
Upon identifying the servers storing personal data on May 11, the Team immediately instructed SKT to verify the possibility of data leakage and implement preventive measures to protect customers, even before the completion of forensic analysis.
Furthermore, recognizing the need for a detailed investigation into personal data, the Team notified the Personal Information Protection Commission (PIPC) on May 13 and, with SKT's consent, shared the server data obtained during the investigation with PIPC on May 16.
The Team will continue to transparently disclose any findings that may pose risks to the public and will ensure that SKT takes prompt and appropriate action to minimize potential harm. In parallel, the government will actively devise and implement countermeasures at the national level to respond to and prevent such cybersecurity incidents.
For further information, please contact the Public Relations Division (Phone: +82-44-202-4034, E-mail: msitmedia@korea.kr) of the Ministry of Science and ICT.
※ Please refer to the attached PDF.