Regarding the KT hacking allegations raised by the U.S. security outlet Phrack, it has been confirmed that log records from a server the company was said to have already discarded were backed up separately. Attention is on whether the backed-up server logs will offer new clues to identify hacking methods used against domestic telecom operators.
According to materials that Rep. Park Chung-gwon of the People Power Party, a member of the Science, ICT, Broadcasting and Communications Committee, received from KT on the 22nd, KT confirmed on the 15th that logs from a server already discarded in connection with the hacking allegations raised by Phrack had been backed up, and shared them with the joint investigation team on the 18th. On the 8th of last month, Phrack reported allegations that the certificate and private key of KT's "rc.kt.co.kr" website had been leaked.
KT conducted a full inspection of its servers through an external security firm from May 22 to the 5th of this month. During this process, it is reported to have belatedly identified that the relevant server logs were backed up.
Earlier, the Korea Internet & Security Agency (KISA) conveyed allegations that a hacking group presumed to be backed by China had hacked government agencies as well as KT and LG Uplus. The Ministry of Science and ICT asked KT to submit materials in connection with the hacking allegations raised by Phrack.
However, KT has faced allegations that it rushed to discard the related servers earlier than initially planned. On the 13th of last month, while sending the Ministry of Science and ICT its investigation finding that there were no signs of intrusion, KT said it would end service for legacy servers at the Gunpo, Guro, and Gwanghwamun (for sign language use) customer centers faster than originally scheduled. In a recent report to the National Assembly, KT explained that while it did not find indications of information leakage in the July investigation, at the request of its internal Information Security Office, it shortened the period of parallel operation between existing on-premises servers and new subscription-type servers during August and shut down the existing on-premises servers on Aug. 1.
Except for Gwanghwamun, which is for sign language use, the Gunpo and Guro servers are geographically close to Seoul's Geumcheon District and Gwangmyeong, Gyeonggi Province, where KT's unauthorized small-sum billing incident occurred. The industry sees a possible connection between the hacking allegations raised by Phrack and the losses from KT's unauthorized small-sum billing.
Rep. Park Chung-gwon said, "When KISA notified KT of indications of hacking, above all, preserving the servers at issue to prepare for an investigation should have been the top priority, and discarding them was a grave management failure," adding, "We must get to the bottom of the hacking allegations."