Severity
critical
Records
25,000,000
Vector
Malware (BPFDoor backdoor), possibly via Ivanti VPN vulnerability
Organization
SK Telecom
Incident Date
2025-04-18

What Happened

On April 18, 2025, SK Telecom, South Korea’s largest mobile carrier with approximately 25-27 million subscribers, detected a cyberattack that compromised USIM (Universal Subscriber Identity Module) authentication data. SK Telecom CEO Ryu Young-sang called it “the worst hacking incident in the history of the telecommunications industry.”

The breach affected virtually the entire subscriber base: attackers exfiltrated about 9.7 GB of USIM authentication data, including the per-subscriber keys the network uses to validate a SIM when the device attaches. Paired with the matching subscriber identifiers, that material could in principle be used to program clone SIMs, letting an attacker receive the victim's calls and text messages (including SMS one-time codes) or impersonate the subscriber.

How They Got In

Investigators identified malware on SK Telecom's servers as BPFDoor, a Linux backdoor named for the Berkeley Packet Filter. Rather than binding a port, BPFDoor opens a raw packet socket, attaches a BPF filter and waits passively for a specially crafted trigger packet; only when that packet arrives does it open a shell or connect back to the operator. Because no listening port exists until the implant is activated, port scans, listening-socket inventories and firewall rules that focus on inbound connections show nothing unusual.

Initial access may have been gained through vulnerabilities in Ivanti VPN appliances, which were widely exploited throughout 2024 and 2025, but SK Telecom has not publicly confirmed the initial access vector.

The attackers maintained access long enough to identify and exfiltrate the highly sensitive USIM authentication data from SK Telecom’s core infrastructure.

Data Exposed

The compromised data was USIM authentication data: subscriber identifiers and phone numbers together with the authentication keys that validate each SIM on the network. Possession of the key and identifier for a given subscriber is what makes SIM cloning possible. Nearly all of SK Telecom's 25-27 million subscribers were affected.

The exposure of USIM authentication data was particularly severe because a conventional SIM swap requires tricking the carrier's staff into moving a number onto an attacker-controlled SIM, whereas a copied authentication key lets the attacker produce a working clone of the victim's SIM without involving the carrier at all, a significant escalation in attack capability.

Response and Remediation

SK Telecom offered free SIM card replacements to all affected subscribers. The cost of the replacement program reached approximately $122.9 million (170 billion Korean won), not including other incident response costs.

The company implemented additional security measures for its USIM authentication systems and enhanced monitoring for SIM cloning attempts. South Korean regulators launched an investigation into SK Telecom’s security practices.

Subscriber and Regulatory Fallout

Approximately 250,000 subscribers switched to competing carriers following the breach disclosure, representing significant customer attrition. SK Telecom faced government fines and regulatory sanctions for inadequate security controls.

The breach prompted broader examination of telecom security practices in South Korea. Regulators issued new guidance on protecting subscriber authentication infrastructure, and competing carriers reviewed their own security postures.

BPFDoor Malware

BPFDoor is a passive backdoor that has been active since at least 2017, attributed to a China-linked threat actor. The malware uses BPF (Berkeley Packet Filter) to monitor network traffic for magic packets that activate its functionality.

Key characteristics include that it opens no listening port, so it is invisible to port scans and to listening-socket inventories from netstat or ss. It can be triggered by a packet from any host that can reach the infected machine, sent to any port, because the BPF filter inspects traffic before the kernel's normal port handling; trigger packets have been observed over TCP, UDP and ICMP. Once running, it disguises itself by rewriting its process name to resemble a common system daemon and removes its own executable from disk, so it appears in process listings but does not stand out.

BPFDoor has been used in attacks against telecom, government, and logistics organizations across Asia and the Middle East.
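To make the passive-listening behaviour described above concrete, here is an added host-hunting example written for this page; it is not code from SK Telecom, the investigators, or any published BPFDoor analysis. It enumerates the AF_PACKET sockets the Linux kernel lists in /proc/net/packet, ties each one to its owning process through the /proc/<pid>/fd symlinks, and applies the heuristics that follow from the behaviour described above (deleted binary, execution from /dev/shm, a spoofed process name that disagrees with /proc/<pid>/exe). The allowlist of legitimate sniffers, the sample /proc contents, and the process names and paths are all assumptions constructed for the example.

```python
"""Hunt for processes that hold AF_PACKET sockets on a Linux host.

BPFDoor binds no TCP/UDP port, so port scans show nothing, but it must open a
packet socket (with its BPF filter attached) to see the trigger, and every packet
socket appears in /proc/net/packet; the inode maps to its owner via /proc/<pid>/fd.
"""
import os
import re

# Daemons that legitimately hold packet sockets: an assumed starting list.
ALLOWLIST = {"tcpdump", "dhclient", "dhcpcd", "NetworkManager",
             "systemd-networkd", "lldpd", "wpa_supplicant", "nmap"}
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")

def parse_proc_net_packet(text):
    """Return {socket inode: ethertype} from a /proc/net/packet table.
    Columns: sk RefCnt Type Proto Iface R Rmem User Inode; 0x0003 = ETH_P_ALL."""
    sockets = {}
    for line in text.splitlines()[1:]:          # first line is the header
        cols = line.split()
        if len(cols) >= 9:
            sockets[int(cols[8])] = int(cols[3], 16)
    return sockets

def index_socket_inodes(fd_links):
    """Invert {pid: [readlink targets of /proc/pid/fd/*]} into {inode: pid}."""
    owners = {}
    for pid, targets in fd_links.items():
        for target in targets:
            match = SOCKET_LINK.match(target)
            if match:
                owners[int(match.group(1))] = pid
    return owners

def judge(exe, cmdline):
    """Heuristics that separate a sniffer daemon from a disguised implant."""
    reasons = []
    path = exe.removesuffix(" (deleted)")
    if os.path.basename(path) not in ALLOWLIST:
        reasons.append("packet socket held by a non-allowlisted binary")
    if exe.endswith(" (deleted)"):
        reasons.append("executable deleted from disk")
    if path.startswith(("/dev/shm/", "/tmp/", "/var/tmp/")):
        reasons.append("executable in a world-writable or memory-backed directory")
    # BPFDoor rewrites argv[0] to look like a system daemon, but /proc/<pid>/exe
    # still names the real binary. Interpreters trip this too: a lead, not a verdict.
    argv = cmdline.split()
    if argv and os.path.basename(argv[0]) != os.path.basename(path):
        reasons.append("argv[0] does not match the executable")
    return reasons

def hunt(packet_table, fd_links, exes, cmdlines):
    """Join the three views; one finding per packet socket with a visible owner."""
    owners = index_socket_inodes(fd_links)
    findings = []
    for inode, proto in parse_proc_net_packet(packet_table).items():
        pid = owners.get(inode)
        if pid is None:
            continue    # owner not visible: no permission, or it already exited
        exe, cmd = exes.get(pid, "?"), cmdlines.get(pid, "?")
        findings.append({"pid": pid, "inode": inode, "proto": proto, "exe": exe,
                         "cmdline": cmd, "reasons": judge(exe, cmd)})
    return sorted(findings, key=lambda f: f["pid"])

def collect_live(proc="/proc"):
    """Read the same three views from the running host (run as root to see all)."""
    fd_links, exes, cmdlines = {}, {}, {}
    for entry in filter(str.isdigit, os.listdir(proc)):
        pid, base = int(entry), os.path.join(proc, entry)
        try:
            fd_dir = os.path.join(base, "fd")
            fd_links[pid] = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            exes[pid] = os.readlink(os.path.join(base, "exe"))
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                cmdlines[pid] = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue
    with open(os.path.join(proc, "net", "packet")) as fh:
        return fh.read(), fd_links, exes, cmdlines

# Constructed sample (not data from the SK Telecom incident): a disguised process
# whose deleted binary sat in /dev/shm, a normal tcpdump, and an ownerless socket.
SAMPLE_TABLE = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000000000000 3      3    0003   2     1 0      0      29113
0000000000000000 3      3    0800   0     1 0      0      29888
0000000000000000 3      3    0003   2     1 0      0      31000
"""
SAMPLE_FD_LINKS = {1234: ["/dev/null", "socket:[29113]", "pipe:[55]"],
                   4321: ["socket:[29888]"], 999: ["socket:[100]"]}
SAMPLE_EXES = {1234: "/dev/shm/.p (deleted)", 4321: "/usr/bin/tcpdump"}
SAMPLE_CMDLINES = {1234: "/usr/sbin/abrtd --foreground", 4321: "tcpdump -i eth0"}

if __name__ == "__main__":
    for f in hunt(SAMPLE_TABLE, SAMPLE_FD_LINKS, SAMPLE_EXES, SAMPLE_CMDLINES):
        print(f"pid={f['pid']} proto=0x{f['proto']:04x} exe={f['exe']!r} "
              f"argv={f['cmdline']!r} reasons={f['reasons']}")
```

On a suspect host, run it as root with table, fds, exes, cmds = collect_live() followed by hunt(table, fds, exes, cmds). An empty /proc/net/packet table is the normal state on most servers; any owner that is not on the allowlist deserves a look at the filter it attached (ss -0pb prints the BPF program for each packet socket), whatever name ps shows for it.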

Lessons Learned

The SK Telecom breach demonstrated that even core telecom infrastructure can be compromised by sophisticated attackers. USIM authentication systems require enhanced protection and monitoring. Passive backdoors like BPFDoor require detection that looks for raw packet sockets, attached BPF filters and disguised processes rather than for open ports or beaconing connections. Telecom operators should assume nation-state level threats and implement defense-in-depth accordingly.

The breach highlighted the cascading impact of telecom compromises, as SIM authentication data affects the security of every service that relies on phone-based authentication or SMS-based two-factor authentication.