Press Releases

Ministry of Science and ICT

Jul 10, 2025

[Public-Private Joint Investigation Team – Summary of Findings]



Methodology: Given intense public concern and the stealthy nature of the malware, all 42,605 SK Telecom (SKT) servers were scanned for BPFDoor and other malicious code.

Infection status: 28 servers were infected; 33 malware strains were identified and removed (27 BPFDoor, 3 TinyShell, 1 WebShell, 2 open-source C2 frameworks—CrossC2 and Sliver).

Data exfiltrated: 25 categories of USIM data (9.82 GB; roughly 26.96 million IMSI records) were leaked.

Root causes: Poor credential management, inadequate response to a February 2022 breach, and failure to encrypt critical data.

Recurrence-prevention: Mandatory strengthening of password controls, encryption of key data, CEO-level security governance, and an increase in security staffing and budget.

Determination on the Early-Termination Penalty Waiver:
- Negligence confirmed – SK Telecom failed to fulfil its duty of care to protect USIM data and did not comply with relevant regulations.
- Principal duty breached – Because the leaked USIM data can enable SIM-cloning and call/message interception, the company did not deliver the secure telecom service required under the contract.
- Waiver therefore applies – In light of both negligence and breach of a major obligation, Article 43 (Waiver of Early‑Termination Penalty) of the company’s Terms & Conditions can be invoked by subscribers affected by this incident.

The Ministry of Science and ICT (Minister Yoo Sang-im, hereafter “MSIT”) today announced the final results of the investigation by the Public-Private Joint Investigation Team (hereafter “Team”) into April’s SK Telecom (SKT) cybersecurity breach, together with MSIT’s legal determination on whether SKT’s early-termination fee waiver clause applies.


I. SK Telecom Cybersecurity Breach: Cause Analysis and Recurrence-Prevention Plan



Background

At 11:20 p.m. on April 18, 2025, SK Telecom detected abnormally large outbound traffic. The company notified the Korea Internet & Security Agency (KISA) at 4:46 p.m. on April 20, thereby exceeding the 24‑hour statutory reporting window set by the Act on Promotion of Information and Communications Network Utilization and Information Protection ("Network Act"), which allows fines of up to KRW 30 million for late reporting. Recognizing the gravity of the USIM-data leak, the Ministry of Science and ICT (MSIT) established a Public‑Private Joint Investigation Team (“the Team”) on April 23, 2025 to determine the scope, cause and impact of the breach.

1. Methodology

Because the incident involved the nation’s largest mobile carrier, featured highly stealthy BPFDoor malware, and exposed subscribers to SIM‑cloning risk, the Team conducted a full forensic inspection, between April 23 and June 27, of all 42,605 servers operated by SKT. Compromised servers then underwent in‑depth analysis to verify any data exfiltration.


※ Please refer to the attached files.