How could one of South Korea’s largest telecommunications companies remain unaware of a sophisticated cyberattack for nearly three years? The SK Telecom breach, identified on April 19, 2025, exposed the vulnerabilities of even major telecommunications infrastructure, compromising 26.96 million international mobile subscriber identity (IMSI) units and leaking 9.82 gigabytes of USIM information.
The attack’s sophistication became evident through forensic analysis, which revealed 25 different types of malware deployed across the network. Investigators confirmed that 23 servers were compromised, with detailed assessments completed on 15 servers through forensic and log analysis. The remaining eight servers required investigation through the end of May 2025, according to officials from the Ministry of Science and ICT.
Timeline evidence demonstrates the attack’s prolonged nature, beginning in June 2022 with the first malicious payload deployment. Data leakage occurred from June 15, 2022, to December 2, 2024, though missing firewall logs created uncertainty about the full scope during this period. Officials confirmed no data exposure occurred from December 2, 2024, to April 24, 2025.
The cyberattack persisted for over two years, with continuous data extraction spanning from June 2022 through December 2024.
The number of affected records exceeds SK Telecom’s 25 million subscribers because multiple devices per user contributed to the count, including smartphones, smart watches, and other connected devices. IMSI numbers function as “mobile fingerprints” for cellular network authentication, making their compromise particularly significant for network security. Separately, investigators discovered that one hacked server contained 291,831 international mobile equipment identity (IMEI) units, raising additional concerns about potential device cloning risks.
Choi Woo-hyuk, director general of the Cyber Security & Network Policy Bureau, led the press briefing announcing interim findings at the Government Complex Seoul. Network Policy Deputy Minister Ryu Je-myung acknowledged that “far more sophisticated level of analysis and efforts are needed” following the investigation’s revelations.
SK Telecom implemented extensive response measures, including elevating its Fraud Detection System to maximum operational levels and launching a “SIM Reset” solution to prevent cloning. The company temporarily suspended new subscriber recruitment and number porting services at over 2,600 T World stores, focusing resources on SIM replacement services. Crucially, investigators confirmed that no IMEI numbers were compromised during the breach, limiting potential device-level security risks.
Customers enrolled in USIM Protection Service remained safeguarded against SIM swapping attacks, demonstrating the effectiveness of proactive security measures during widespread telecommunications breaches.