
Latest news with #IMSI

[Editorial] Hole in cybersecurity

Korea Herald

21-05-2025

SK Telecom breach dates back 3 years; Malware indicates China-based hacking

The nation was jolted by interim probe findings that personal information and universal subscriber identity module or USIM data of practically all subscribers of SK Telecom may have been leaked by hackers.

The cyberattack dated back about three years and turned out to be much more extensive than revealed in the initial briefing, according to the second briefing Monday by a joint investigation team of the Ministry of Science and ICT and the Korea Internet & Security Agency. SK Telecom discovered the breach about a month ago, on April 18.

Leaked USIM data amounted to 9.82 gigabytes, which equates to roughly 26.9 million units of international mobile subscriber identity or IMSI numbers. This means that the USIM data of practically all SK Telecom subscribers has been leaked. Currently, it has 25 million subscribers, including 2 million budget phone users.

A total of 23 SK Telecom servers were found to be compromised by malware, up from the five disclosed in the previous briefing held on April 29. The number of malware variants found to have infected the servers increased from four to 25.

Among the affected servers, two had been used as temporary storage for personal data, such as names, birthdates, phone numbers and email addresses, as well as data on international mobile equipment identity or IMEI, a serial number assigned to every mobile phone. The possibility of financial fraud and other forms of secondary damage from copy phones has gone up.

Investigators found that hackers planted malware on June 15, 2022. It is shocking that not only the telecom carrier but also the government and private cybersecurity firms had remained in the dark about the malware's infiltration for about three years.

There is another problem. How much damage the cyberattack will cause down the road is anyone's guess. SK Telecom reportedly keeps log data for the last four or five months. So, no log data is available for the period from June 15, 2022, when malware was first planted, to Dec. 2, 2024. Fortunately, no evidence was found showing any data leakage between Dec. 3, last year and April 24 of this year, but investigators could not confirm whether any leaks occurred during the period for which log data is not available.

It is worth noting that 24 of the 25 malware variants detected this time were found to be BPFDoor, a backdoor reportedly used by China-based hackers to attack Middle Eastern and Asian telecom companies in recent years. Experts warn that this malware could be used for a cyberattack on the communication infrastructure of a country.

Given that data on all SK Telecom subscribers may have been leaked for as long as three years, the breach is not likely to emerge as a simple hacking case. It is uncertain whether the incident was an organized cyberattack to cripple the communication system of a country rather than an attempt to steal money.

Considering the cyber intrusion was not detected for so long, anybody can guess a similar thing may be happening at other communication networks or major institutions.

Communication infrastructure is one of the cruxes of state administration. Cyberattacks could paralyze it secretly, plunging a nation into chaos. The SK Telecom breach reconfirms how vulnerable South Korea has become to such vital attacks.

SK Telecom bears the primary responsibility for protecting its system from hacks, but the government needs to check the nation's cybersecurity this time. Also, the National Assembly should do its part to help telecom carriers fend off cyber infiltrations from abroad.

One of the laws that it needs to revise is its espionage law, which only punishes spying activities done for North Korea. Recently, two Chinese nationals were caught photographing fighter jets near air bases in South Korea but released after telling police that photographing was their hobby. Police say there was no evidence that they did so for North Korea. China or the US would likely respond quite differently. For a nation to keep its sovereignty, security must be tight, cyber or not.

Nearly 27 million mobile fingerprints leaked in SK Telecom data breach: ministry

Korea Herald

19-05-2025

Malware attack began in June 2022, officials say

A joint team of public and private investigators found that nearly 27 million units of international mobile subscriber identity, or IMSI, have been leaked from SK Telecom's data breach, the Ministry of Science and ICT said Monday.

'The investigators confirmed that the amount of leaked (universal subscriber identity module, or USIM) information was 9.82 (gigabytes), which equals to about 26.69 million units of the IMSI,' said Choi Woo-hyuk, director general of the Cyber Security & Network Policy Bureau at the Science Ministry, in a press briefing to announce the interim findings of the probe at the Government Complex Seoul.

IMSI, which can be regarded as a mobile fingerprint, is a 15-digit or shorter number used to identify and authenticate each mobile subscriber on a cellular network.

As for SK Telecom's 25 million subscribers being smaller than the number of leaked IMSIs, the officials explained that the number of IMSIs combines all universal subscriber identity modules, or USIMs, loaded onto not only smartphones but also smart watches and other connected devices using the Internet.

The authorities announced that they found 25 types of malware and 23 hacked servers so far, up 21 and 18, respectively, from the previous discoveries released by the joint investigation on April 29.

Having completed the investigation of 15 servers through detailed assessments, such as forensic and log analysis, the authorities plan to finish the investigation of the remaining eight servers by the end of May.

According to the investigators, the first malware was found to have been installed on June 15, 2022. They added that no data was leaked between Dec. 2, 2024, and April 24, 2025. However, they could not confirm whether any data was leaked between June 15, 2022, and Dec. 2, 2024, a period without firewall log history.

Regarding the concerns over possible damages from copy phones, whether the information of international mobile equipment identity, or IMEI, a 15-digit serial number assigned to every mobile phone, was leaked or not drew serious worries among the public.

Unlike the government's previous announcement in April, the authorities confirmed during Monday's briefing that they found a hacked server containing 291,831 units of IMEI.

According to investigators, there were no damage reports regarding the data breach at the country's biggest telecom carrier yet. They added that phone makers say making copy phones just using the IMEI information is technically impossible.

'Given the types of malware and the methods used in this attack, it is clear that a far more sophisticated level of analysis and efforts are needed compared to what we've seen before,' said Ryu Je-myung, deputy minister of the Office of Network Policy. 'That is why we are conducting this investigation with the utmost intensity, based on the judgment that unless we uncover every potential risk thoroughly, there could be even greater threats in the future.'

Probe suggests possible leak of SK Telecom users' private info from cyberattack

Korea Herald

19-05-2025

Servers at SK Telecom Co. containing personal information and universal subscriber identity module data of all subscribers have been compromised in a cyberattack, raising concerns that critical USIM data used in financial transactions may have been leaked, a joint government-private investigation team said Monday. According to the team's interim findings, the breach dates back to June 15, 2022, when unidentified attackers are believed to have planted malware on the company's servers. A total of 23 SK Telecom servers were compromised, all of which store four types of USIM data, including international mobile subscriber identity information. The IMSI is a unique identifier for each user on a network and could potentially be exploited in financial transactions. Among the affected servers, two had been used as temporary storage for personal data, such as names, birthdays, phone numbers and email addresses. Investigators said they are still working to determine the exact scope of data stored on those two servers. SK Telecom detected the breach April 18. (Yonhap)

What SK Telecom USIM leak means for you

Korea Herald

04-05-2025

SK Telecom, South Korea's largest telecommunications provider, confirmed last week that its internal systems were breached in a hacking attack, raising concerns over a possible data leak involving universal subscriber identity module (USIM) cards.

As public anxiety continues to grow, the company has rolled out a three-tier protection plan that includes an upgraded fraud detection system, its existing USIM protection service and free USIM card replacements upon request.

Since the free replacement program began Monday, approximately 705,000 users — just 2.8 percent of SK Telecom's subscriber base — have replaced their USIM cards, with progress reportedly slowed by limited inventory.

Despite these protective measures, customer trust appears to be eroding. On Tuesday alone, 35,902 subscribers switched to rival carriers, following 34,132 the previous day. About 60 percent moved to KT Corp., with most of the rest opting for LG Uplus.

To help consumers better understand the situation, The Korea Herald answers key questions surrounding the recent USIM data leak.

Q. What is a USIM?

A universal subscriber identity module is a smart card that stores subscriber information to authenticate users on mobile networks. It contains data such as the subscriber's phone number and international mobile subscriber identity (IMSI), but does not contain personal information like their name, resident registration number, or address.

Q. What USIM information was leaked in the recent security incident?

According to the Ministry of Science and ICT's preliminary findings on Tuesday, subscriber phone numbers and IMSI data were leaked. However, international mobile equipment identity (IMEI) numbers, the 15-digit serial numbers that uniquely identify a mobile device, like a smartphone or tablet, were not compromised. The ministry said that users subscribed to SK Telecom's USIM protection service are safeguarded from illegal USIM cloning and unauthorized use, commonly known as SIM swapping.

Q. What protective measures is SK Telecom taking for customers?

SK Telecom has implemented a three-layered protection system: an enhanced fraud detection system to block suspicious authentication attempts, a USIM protection service and free USIM card replacement upon request.

Q. What is the fraud detection system?

The FDS monitors real-time network activity and blocks abnormal authentication attempts. For instance, if a subscriber is located in Seoul but a login is attempted from Busan, the system identifies it as suspicious and denies access. SK Telecom has upgraded this system to its highest security level in response to the breach.

Q. What is the USIM protection service?

This service binds a USIM card to a specific mobile device, preventing it from being used if cloned and inserted into another device. Even if a USIM is illegally copied, it cannot function unless it is paired with the original device.

Q. Do customers using the USIM protection service still need to replace their USIM cards?

The USIM protection service offers equivalent security to USIM replacement. However, SK Telecom provides free USIM replacement for customers seeking additional protection. Users will need to reinstall any data stored on the USIM, such as digital certificates.

Q. What is the newly proposed 'USIM formatting' method?

The so-called 'USIM format' is a software-based method currently being developed by SK Telecom. It aims to provide the same security as replacing the physical USIM card but with less inconvenience. Instead of swapping hardware, the USIM's internal software will be reconfigured. While users still need to visit a service center, the process is expected to be quicker and more user-friendly. The service is planned for rollout in May.

Q. Can financial assets be stolen using leaked USIM information?

No. Even if a USIM is cloned using the leaked data, it cannot connect to SK Telecom's network without passing through security systems like the FDS. Furthermore, financial theft requires additional personal information, such as passwords or identity verification. No related financial crimes have been reported to date.

Q. If a USIM is cloned, are contacts, messages or apps also copied?

No. The leaked data only includes identification information stored on the USIM. Personal content such as contacts, messages and apps is not related to the incident.

Q. Does setting a USIM PIN help in this case?

A USIM PIN locks the USIM to prevent unauthorized use if physically stolen, but it is not directly related to the recent data leak.

Q. Can someone use services like calls or texts on a cloned phone without the owner knowing?

No. Only one line per phone number can access the network at any given time. SK Telecom's FDS and USIM protection service are designed to prevent unauthorized access. Customers are strongly encouraged to enroll in the USIM protection service.

Q. Is the Pass app's identity theft protection enough to replace the USIM protection service?

No. The Pass app, a personal smartphone authentication app, prevents identity theft by blocking unauthorized phone account registrations using stolen personal data. It does not protect against USIM cloning. Therefore, the USIM protection service is still necessary.

Chinese National Arrested Near Philippine Election Commission With Alleged Spy Device

Epoch Times

01-05-2025

A Chinese national has been arrested by the Philippine equivalent of the FBI on suspicion of spying after allegedly being found with an electronic eavesdropping device in the trunk of his car.

The man, identified as 47-year-old Lao Tak-Hoi, was allegedly in a gray Mitsubishi Adventure parked outside the Philippine Commission on Elections (Comelec) headquarters in Intramuros, Manila, when he was arrested by the National Bureau of Investigation (NBI) on April 29.

The incident follows a recent Senate inquiry that warned of efforts by China to influence democratic processes in the Philippines amid the Chinese communist regime's aggressive island-grabbing in the disputed South China Sea.

The Philippines is scheduled to vote on May 12 in its midterm elections.

The man arrested was in possession of an international mobile subscriber identity (IMSI) catcher, the NBI said. The spy device, which can mimic a cell tower, is capable of intercepting mobile calls, text messages, and location data within a signal range of one to three kilometers (about half a mile to two miles).

Footage of the arrest showed the alleged surveillance device in the trunk of Lao's car. State media reports said the device was being cooled by a makeshift fan to prevent it from overheating during use.

NBI spokesperson Ferdinand Lavin told local media that upon investigation, it was determined that the device had been brought into the Philippines as separate parts and assembled in the country.

'This is dangerous. This is dangerous to our national security matters,' the spokesperson said, adding that there are concerns the suspect was using the IMSI device to target the Comelec.

'That's a possibility. We're not saying that's it, but that's a possibility. Why would you go to our areas in Intramuros, especially the Comelec? We were alarmed because he approached such a sensitive government facility.'

He added that the NBI had surveillance footage of Lao and another Chinese man arranging suspected espionage equipment near the Comelec premises over the weekend.

NBI director Jaime Santiago said that his officers had been tracking Lao for four days before the April 29 arrest. They had observed him roaming the cities of Makati and Taguig in the rented vehicle. The NBI approached him after observing that Lao was making several rounds around the Comelec area in his vehicle.

Lavin said that there have been other instances of arrests of Chinese nationals using IMSI catchers.

Authorities on Feb. 25 The NBI said that an investigation uncovered information that allegedly proved the Chinese were spying. The Filipino accomplices told investigators they visited the palace, Camp Aguinaldo, Camp Crame, Villamor Airbase, and the U.S. Embassy.

Chinese nationals (background R) and their alleged Filipino accomplices (L), arrested for alleged espionage, are escorted out of a room by National Bureau of Investigation (NBI) agents after a press conference at the NBI office in Manila, Philippines, on Feb. 25, 2025. Ted Aljibe/AFP via Getty Images

Philippine Senate Majority Leader Francis Tolentino said the new arrest validates warnings from authorities over threats of foreign interference in the upcoming elections. He said the IMSI was direct evidence of China's covert operations in the Philippines.

'The arrest reinforces what we revealed [in the Senate report]: that there is an active attempt to undermine our elections,' he said. He thanked the NBI for its 'timely and critical action' to thwart Beijing's 'insidious plan' to advance its agenda.

Authorities charged Lao on April 30 with violations under the Cybercrime Prevention Act of 2012, the Data Privacy Act, and the Espionage Act.

'The equipment seized will undergo cyber forensic laboratory examination and data analytics to determine its intended use,' Lavin said.

The Philippine Department of Justice said that whether Lao can be released on bail will be up to the immigration department, as he is a foreigner. He is also charged with violating Philippine immigration laws.

Palace press officer Claire Castro said it was alarming to know a China-linked spy device was being operated near the Comelec headquarters.

'It's quite alarming ... the president has this trust in the intelligence agents that lead the operation,' Castro told reporters at a briefing. 'We will just have to wait for the final investigation on that matter.'

Lao told reporters in broken English at the scene of his arrest that he was a tourist and did not own the vehicle. He told NBI officers that he was 'roaming around to take pictures,' NBI Director Jaime Santiago said on local radio True FM.

'Why is he obtaining data and images? His alibi that he is just a tourist is unbelievable,' he said.

Santiago added that Lao was allegedly accompanied by a local driver whom he was paying 8,000 Philippine pesos ($150) a day for the service.

Lao arrived in the Philippines on April 25 on a passport issued by Macao, which grants holders short stays without the need to apply for a tourist visa. It was his first visit to the country, local media reported, citing Bureau of Immigration records.

Comelec Chairman George Erwin Garcia said that tests showed 'nothing was compromised on any of our system[s],' and that election data was not stored in the headquarters.

'What would be their purpose in doing that? Is it to enhance their mind conditioning efforts? We want to know that,' he said.

National Bureau of Investigation (NBI) chief Jaime Santiago with a confiscated vehicle containing equipment during a press presentation at the NBI office in Manila on Feb. 25, 2025. Ted Aljibe/AFP via Getty Images

Chinese Espionage

Tolentino has called for the Philippine Department of Foreign Affairs to summon Chinese Ambassador Huang Xilian to address the alleged acts of espionage by Chinese tourists.

Philippine Sen. Risa Hontiveros said, 'If it's proven that this Chinese national is a spy, this will have serious implications for our already-fraught relationship with Beijing.'

Just days earlier, Tolentino and Philippine National Security Council spokesperson Jonathan Malaya reported that officials had also uncovered evidence of a social media 'troll farm' operation paid for with a check linked to the Chinese Embassy in Manila with the intent to influence the May midterm polls to shape public opinion ahead of the election.

The Chinese Embassy denounced the claims on April 30 and accused certain Philippine politicians of playing the 'China card' to boost their election chances.

Just days earlier, the Chinese coast guard unfurled a Chinese flag on a sandbar within a few miles of a Philippine-occupied island with a military base. After the Philippines responded with its own landing, China claimed that the island was part of its sovereign territory.

Navy spokesperson for the West Philippine Sea, Rear Adm. Roy Vincent Trinidad, said the Chinese state media reports on April 26 about the

The NBI revealed on April 29 that it had subpoenaed a Makati-based firm allegedly paid by the Chinese Embassy to gather an army of 'keyboard warriors' to promote a Chinese Communist Party disinformation campaign on social media ahead of the Philippines' midterm elections. The bureau said in a statement that it would remain apolitical as it investigates the alleged election interference.

Disinformation Campaigns

The NBI has Santiago called on the public not to spread the intentionally concocted 'rage bait' that stirs anger to draw engagement, which increases the reach of such content on social media.

'People should be aware of what a rage bait is,' he said. 'When we encounter these posts, one should try to relax and calm down before engaging with it. This allows us to think before we act and avoid promoting this on social media algorithm.'

Santiago urged people to determine trustworthy parties for accurate information and the importance of distinguishing false from factual information.

Amid the warnings, the Lakas-Christian Muslim Democrats party asked the NBI to investigate the source of an allegedly fake document linking House Majority Leader Manuel Jose Dalipe to a fabricated plot to politically undermine members of the Duterte family.

The document, which the group says contained a forged signature, was published in The Manila Times. It spread widely on social media on April 30, causing 'significant reputational damage,' according to Lakas Director Anna Capella Velasco. The party urged the NBI to request digital tracing information from social media platforms.

'We urge the NBI to treat this matter with the utmost urgency,' Velasco said. She warned the political hoax could erode trust in the Philippines' democratic institutions just days ahead of the May 12 midterm election.

Philippine national security adviser Eduardo Año on April 30 also warned Philippine nationals that a document alleging that the United States wants the Philippine government to prioritize the impeachment of Philippine Vice President Sara Duterte was fabricated.

'That is totally fake news and fabrication. There is no such document existing in our records and even in the office of the Executive Secretary,' he told GMA News Online.

The United States has a 1951 mutual defense treaty with the Philippines and is engaged in a struggle with the Chinese Communist Party (CCP) for public and political support in the region.

Since Marcos took office, tensions have further escalated in the South China Sea, with the Philippines
