"KT found traces that malware had been removed with antivirus software on 43 of its own servers. Because this is a recent finding, further checks are needed to determine how much personal information may have been leaked from those servers."
Choi U-hyeok, Deputy Minister of the Ministry of Science and ICT's Network Policy Office, said this at a briefing on Nov. 6 at Government Complex Seoul announcing the interim findings of the investigation into the KT hacking incident.
On this day, the public-private joint investigation team operated by the Ministry of Science and ICT (hereinafter the investigation team) announced that from Aug. 1 last year to Sept. 10 this year, the personal information of 22,227 KT subscribers was leaked through 20 illegal femtocells, and 368 people suffered small payment damages totaling 243.19 million won. In particular, KT's lax management system for femtocells was revealed in detail.
The Deputy Minister said, "KT used the same certificate for all femtocells, making it easy for illegal femtocells to access KT's internal network," adding, "In addition, KT set the certificate validity period to 10 years, allowing illegally cloned devices to access the internal network for a long period."
It was also revealed that KT did not report servers infected with malware such as BPFDoor and instead handled them on its own. The Deputy Minister said, "From March to July last year, personal information was stored on 43 infected servers, but KT did not report this to the government." He then explained why the government did not catch it when it conducted an intrusion investigation into KT and LG Uplus in May. The Deputy Minister said, "At the time of the hacking intrusion investigation into KT, there were no traces of infection by malware such as BPFDoor, so the server infection was not detected," adding, "A recent detailed forensic analysis found traces that antivirus software had been used to remove the malware."
The Deputy Minister also noted that KT submitted a false report about when it disposed of the servers. The Deputy Minister said, "KT reported that it disposed of the servers on Aug. 1 last year, but in fact it was confirmed that the servers were disposed of multiple times from Aug. 1 to Aug. 13," and pointed out, "KT also did not submit backup logs for the disposed servers, and indications emerged that it impeded the government's investigation through a false report." The Deputy Minister added, "The investigation team determined that KT violated Article 137 of the Criminal Act (Obstruction of the performance of official duties by fraudulent means) and referred the case to law enforcement for investigation."
The Deputy Minister drew a line on whether KT's USIM authentication keys were leaked, saying nothing has been confirmed. The Deputy Minister said, "Based on the investigation of KT so far, no indications of a USIM authentication key leak have been found," adding, "However, we are closely investigating the possibility of USIM hacking." The Deputy Minister added, "Measures related to USIM replacement at KT are left to each company's judgment, and the government has neither directed nor recommended them."
Meanwhile, on this day the Ministry of Science and ICT did not present a clear position on waiving termination fees in connection with the KT hacking incident. The Deputy Minister said, "After proceeding somewhat further with the investigation and confirming the details, we should obtain legal advice at an appropriate time, like SK Telecom, and then we will likely be able to provide a final position."