Full Report
South Korean mobile provider SK Telecom has announced free SIM card replacements to its 25 million mobile customers following a recent USIM data breach, but only 6 million cards are available through May. [...]
Analysis Summary
# Incident Report: SK Telecom USIM Data Breach via Malware
## Executive Summary
SK Telecom detected malware on its network that resulted in the compromise of customer USIM data, including IMSI, MSISDN, and authentication keys. The primary risk identified is potential SIM swapping attacks. In response, SK Telecom launched a free SIM replacement program for 25 million customers and enhanced its Fraud Detection System (FDS), though inventory limits replacement capacity until May 2025.
## Incident Details
- **Discovery Date:** Not explicitly stated, but the update was published "earlier today."
- **Incident Date:** Not explicitly stated when the malware began running.
- **Affected Organization:** SK Telecom
- **Sector:** Telecommunications
- **Geography:** South Korea (Inferred from company name and context)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown.
- **Vector:** Malware running on the network.
- **Details:** Malware allowed threat actors to steal customer Universal Subscriber Identity Module (USIM) data.
### Lateral Movement
- Not detailed in the provided text, but the access allowed theft of sensitive subscriber data.
### Data Exfiltration/Impact
- **What was stolen or damaged:** Customer USIM data, including IMSI, MSISDN, authentication keys, network usage data, and potentially SMS/contacts stored on the SIM. No customer PII (names, identification details) or financial information was exposed. The main risk is unauthorized SIM swapping.
### Detection & Response
- **How it was discovered:** SK Telecom detected the running malware on its network.
- **Response actions taken:** Enhanced the Fraud Detection System (FDS) and SIM Protection Service. Offered free SIM replacements to 25 million eligible customers. Published an FAQ. Disabled roaming services for subscribers with SIM Protection active as a temporary measure.
## Attack Methodology
- **Initial Access:** Malware running on the network.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed beyond the SIM authentication keys included in the stolen USIM data.
- **Discovery:** Not detailed.
- **Lateral Movement:** Not detailed.
- **Collection:** Gathering of USIM data (IMSI, MSISDN, authentication keys).
- **Exfiltration:** Data theft of USIM information.
- **Impact:** Potential for SIM swapping fraud.
## Impact Assessment
- **Financial:** Costs associated with replacing up to 6 million SIM cards by May 2025.
- **Data Breach:** USIM data (IMSI, MSISDN, authentication keys) for an undisclosed number of customers (implied to be a large subset of the 25 million offered replacement). *No names, ID details, or financial data were exposed.*
- **Operational:** Temporary disabling of roaming services for users under enhanced protection. Limited SIM inventory delays full replacement until May 2025.
- **Reputational:** Public announcement and offer of free SIM replacements to manage customer concern.
## Indicators of Compromise
- **Network indicators:** Not specified.
- **File indicators:** The specific malware is not named.
- **Behavioral indicators:** Unauthorized access leading to USIM data exfiltration.
## Response Actions
- **Containment measures:** Investigation initiated; roaming services disabled for some protected users.
- **Eradication steps:** Ongoing investigation to determine exact causes and scope.
- **Recovery actions:** Offering free SIM replacements to 25 million subscribers (eligible as of April 18, 2025, midnight JST) to mitigate SIM swapping risk, with capacity limited to 6 million by May 2025.
## Lessons Learned
- **Key takeaways:** USIM management infrastructure requires robust protection, because compromise of IMSI, MSISDN, and authentication keys leads directly to high-risk activities such as SIM swapping. Proactive mitigation such as mass SIM replacement is bounded by existing inventory, so the organization can only scale it as stock allows.
- **What could have been done better:** Need for enhanced SIM protection that does not require disabling necessary features like roaming services. Faster inventory restocking for mass remediation.
## Recommendations
- Prioritize full inventory acquisition and deployment of free SIM replacements to all eligible customers to neutralize the SIM swapping threat vector.
- Review and upgrade SIM Protection services to maintain full functionality (including roaming) while active.
- Conduct a full forensic review to confirm the extent of the malware compromise and ensure all persistence mechanisms are removed.