The malware in the SKT hack has links to a Chinese group. This may just be the beginning.
Published: 19 May. 2025, 17:41
Updated: 21 May. 2025, 14:22
![A SK Telecom store worker demonstrates replacing a SIM card at a branch in Seoul on May 12. [YONHAP]](https://koreajoongangdaily.joins.com/data/photo/2025/05/21/9014e805-c65a-482c-8b4e-d3c1b9e561d7.jpg)
The joint government-private investigative team probing the SK Telecom (SKT) hacking incident announced on Monday that it has so far discovered 25 types of malware on SKT servers.
Of these, 24 were identified as BPFdoor (Berkeley Packet Filter Door) malware, which is commonly used by a hacking group suspected of receiving support from Chinese authorities.
"We confirmed infections on 23 SKT servers, completed forensic and in-depth analyses on 15 of them and are conducting a fifth round of inspections to analyze the remaining eight servers and detect or remove other malware," the task force said at a press briefing held at the Government Complex Seoul in Jongno District, central Seoul.
“So far, we have identified and taken action on 25 types of malware, including 24 BPFdoor variants."
![SK Telecom users wait in line to switch their SIM cards in front of a store in Jongno District, central Seoul on April 29. [NEWS1]](https://koreajoongangdaily.joins.com/data/photo/2025/05/21/5700d445-c996-43c7-9ad9-ae5ba52e686b.jpg)
What is BPFdoor?
BPFdoor is a Linux backdoor that gives an attacker remote access to a compromised server while bypassing normal authentication and network monitoring. Its stealth comes from how it listens: instead of opening a network port, it attaches a Berkeley Packet Filter to a raw socket and inspects incoming traffic for a "magic" packet carrying the attacker's wake-up signal. Until that packet arrives the backdoor sleeps as an ordinary-looking process, so port scans and firewall rules show nothing listening, and the signal can reach it on any port, including ones the firewall blocks. Only then does it open a shell session for the attacker, which makes it extremely difficult to detect.
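The mechanism above leaves one footprint a defender can look for: a process holding an AF_PACKET raw socket, the socket type needed to sniff traffic without listening on a port. The script below is an added example (not code from the article, the investigative team, or any BPFdoor analysis) that cross-references the kernel's `/proc/net/packet` table with each process's open file descriptors to list which PIDs own such sockets. The `/proc/net/packet` lines, the file-descriptor table and the process names are constructed sample data; the live reader at the bottom needs root to see other users' descriptors.

```python
"""Hunt for processes that own AF_PACKET raw sockets on Linux.

/proc/net/packet lists every AF_PACKET socket with its type (3 = SOCK_RAW,
2 = SOCK_DGRAM), ethertype protocol and inode; /proc/<pid>/fd/<n> symlinks
read "socket:[<inode>]", so joining the two names the owning process.
"""
import os
import re
from collections import defaultdict

SOCK_RAW = 3

# Constructed sample of /proc/net/packet (not taken from any real host).
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9c1e0a2b3c00 3      3    0003   2     1 0      0      41237
ffff9c1e0a2b3d80 3      2    0800   2     1 0      0      41300
"""

# Constructed sample of {pid: {fd: symlink target}} and {pid: comm}.
SAMPLE_FD_TABLE = {
    1337: {"0": "/dev/null", "3": "socket:[41237]"},   # raw socket owner
    2048: {"5": "socket:[41300]"},                     # datagram socket, not raw
    99: {"4": "socket:[777]"},                         # unrelated socket
}
SAMPLE_COMM = {1337: "udevd", 2048: "dhclient", 99: "sshd"}


def parse_proc_net_packet(text):
    """Return {inode: (sock_type, ethertype)} for each listed AF_PACKET socket."""
    sockets = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 9:
            continue
        sock_type, proto, inode = int(parts[2]), int(parts[3], 16), int(parts[8])
        sockets[inode] = (sock_type, proto)
    return sockets


def socket_inodes_by_pid(fd_table):
    """Map socket inode -> set of PIDs holding a descriptor for it."""
    owners = defaultdict(set)
    for pid, fds in fd_table.items():
        for target in fds.values():
            match = re.fullmatch(r"socket:\[(\d+)\]", target)
            if match:
                owners[int(match.group(1))].add(pid)
    return owners


def find_raw_packet_sockets(proc_net_packet_text, fd_table, comm):
    """Return sorted (pid, comm, inode, ethertype) for every SOCK_RAW AF_PACKET socket."""
    sockets = parse_proc_net_packet(proc_net_packet_text)
    owners = socket_inodes_by_pid(fd_table)
    hits = []
    for inode, (sock_type, proto) in sockets.items():
        if sock_type != SOCK_RAW:
            continue
        for pid in owners.get(inode, ()):
            hits.append((pid, comm.get(pid, "?"), inode, proto))
    return sorted(hits)


def read_live_fd_table():
    """Read {pid: {fd: target}} and {pid: comm} from the running system."""
    table, comm = {}, {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = {fd: os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)}
            with open(f"/proc/{pid}/comm") as f:
                comm[pid] = f.read().strip()
        except OSError:                          # process exited, or not readable without root
            continue
        table[pid] = fds
    return table, comm


if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        live_text = f.read()
    live_table, live_comm = read_live_fd_table()
    for pid, name, inode, proto in find_raw_packet_sockets(live_text, live_table, live_comm):
        print(f"pid={pid} comm={name} inode={inode} ethertype=0x{proto:04x}")
```

Treat each hit as a lead, not a verdict: packet-capture tools, DHCP clients and link-layer discovery daemons legitimately hold raw packet sockets. Public analyses of BPFdoor also report that it rewrites its process name to look like a common system daemon, so the `comm` column should be checked against the binary actually backing the PID rather than trusted on its own.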
BPFdoor was first brought to public attention in 2022 through a report published by global consulting firm PwC, which stated that the Chinese hacker group Red Menshen used BPFdoor in cyberattacks targeting telecom companies in the Middle East and Asia.
U.S. cybersecurity firm Trend Micro also reported that Red Menshen, which has engaged in advanced persistent threat (APT) attacks — long-term hacking operations targeting specific entities — was behind BPFdoor. The firm added that APT groups had even developed variants of the BPFdoor backdoor to target telecom operators in Turkey and Hong Kong.
![SK Telecom users wait in line to switch their SIM cards at a booth in Incheon International Airport on May 8. [NEWS1]](https://koreajoongangdaily.joins.com/data/photo/2025/05/21/d5295f36-ef46-45a0-85be-9537625fafe2.jpg)
Why does it matter?
The Chinese hacking groups that use BPFdoor could increasingly set their sights on Korea, a key U.S. ally, as a primary cyberattack target. Trend Micro noted that Korean telecom companies were already attacked with BPFdoor malware twice, in July and December last year.
Taiwanese cybersecurity company TeamT5 also told the press that Chinese hacking groups have continuously targeted Korea and are likely to prioritize it in future attacks.
The White House National Security Council (NSC) warned that Chinese hackers, including the group known as Salt Typhoon, had infiltrated at least eight U.S. telecom companies and accessed records such as phone logs and messages of senior government officials and politicians. The NSC added that Chinese cyber activities extend beyond U.S. telecom firms to dozens of countries worldwide.
This suggests that attacks against Korea — especially its telecom companies — could intensify.
![SK Group Chairman Chey Tae-won bows in apology during a press briefing held at SK Telecom's headquarters in Jung District, central Seoul on May 7. [JOINT PRESS CORPS]](https://koreajoongangdaily.joins.com/data/photo/2025/05/21/7fd5ab5b-22e7-4e8c-adfd-cfe2623b48fe.jpg)
What's to be done?
Industry experts believe that the Chinese hacking group's motive in targeting telecom companies is likely political rather than financial.
According to a report by global cybersecurity firm Cybereason, the primary goal of such attacks is to gather foundational information for long-term surveillance and to collect communications data — such as contacts and call frequency — of specific individuals, thereby analyzing their behavioral patterns and social networks.
Calls for a national security-level response are growing. On May 7, SK Group Chairman Chey Tae-won commented on the hacking incident, saying, "This is not just a security issue; it must be viewed as a matter of national defense."
"Although public attention has focused on consumer-level damage and compensation caused by this hacking, what’s more important is to use this incident as a catalyst to establish fundamental countermeasures against Chinese hackers and develop a national strategy to strengthen the competitiveness of the information security industry,” said a telecom industry insider.
Translated from the JoongAng Ilbo using generative AI and edited by Korea JoongAng Daily staff.
BY YUN JUNG-MIN [[email protected]]