- Authentication management vulnerabilities were found in the process of connecting small base stations (femtocells) to KT’s network.

- The Investigation Team concluded that end-to-end encryption between the device and the core network had been disabled, allowing illegal small base stations (illegal femtocells) to obtain plaintext authentication information (Automated Response System [ARS], Short Message Service [SMS]).

- KT discovered 43 servers infected with malware such as BPFDoor between March and July 2024 but did not report them to the government.

- KT delayed reporting both the unauthorized small payment and the intrusion detected during the external security inspection.

The Joint Public-Private Investigation Team (hereinafter referred to as the “Investigation Team”) announced the interim findings of its investigation into the KT network intrusion incident on November 6.

On September 8, KT reported a security breach to the Korea Internet & Security Agency (KISA) after discovering that an unregistered illegal device had accessed its internal network while analyzing call histories of small-payment fraud victims. Given the seriousness of the incident involving financial damages and the need for in-depth analysis of the attack methods, the Ministry of Science and ICT (MSIT) established and has been operating the Investigation Team since September 9.

The Investigation Team has been analyzing three major cases:
Small payment fraud and personal data leakage through illegal small base stations (illegal femtocells);
Leakage of KT authentication certificates allegedly by a state-backed organization (as detailed in the Phrack Magazine report dated August 8, 2025);
Server intrusion detected during KT’s third-party security inspection.



※ Please refer to the attached files.