Unmasking the cyber plot behind the hack that targeted SKT



[GETTY IMAGES]


 
[NEWS ANALYSIS] 
 
Korea is increasingly becoming a target of a new type of sophisticated cyberespionage that aims to take advantage of the nation’s high internet dependence, weak security and entanglement with China's industrial supply chains. 
 
The emerging tactic, often called “quiet hacking,” differs from traditional ransomware-style attacks that aim for immediate disruption or large-scale data theft. Such campaigns are believed to serve long-term strategic objectives, which may range from information warfare and industrial espionage to broader cyberwarfare campaigns.
 
The threat materialized in the recent massive hacking of SK Telecom, in which a hacking group, allegedly backed by China, maintained covert access to the carrier's servers for three years before the data of 26 million subscribers was ultimately exposed.
 


 
Silent, stealthy hacking


Beyond the SK Telecom breach, attempts at this form of hacking have been widespread across Korean systems, orchestrated by advanced persistent threat groups: skilled actors run by nation states or state-sponsored groups, in this case believed to be linked with China, according to a study jointly conducted by the National Intelligence Service’s National Cyber Security Center and AhnLab.
 
The report said a group called TA-ShadowCricket has quietly maintained control of 2,000 compromised systems worldwide for more than a decade, 457 of them in Korea. Korea ranked second among all affected countries after China, with 895. It was followed by India with 98, Vietnam with 94, Taiwan with 44, Germany with 38, Indonesia with 37, Thailand with 31 and the United States with 25.
 
“The compromised IP addresses were found to be integrated into a botnet, granting the attackers remote access and the ability to issue arbitrary commands to infected systems,” Lee Myeong-su, team leader of A-FIRST at AhnLab, who worked on the analytic report, told the Korea JoongAng Daily, adding that most of the affected computers were from private companies.
 
 
The report also said the compromised systems were "accessed and controlled via Remote Desktop Protocol, with a portion of these connections traced back to IP addresses located in China," suggesting that the "attacker has been leveraging infrastructure within China as a primary foothold for building and operating their hacking network."
 
“Though no data exfiltration, ransomware deployment or destructive actions were found, their operational behavior suggests a strategic intention to quietly amass control over as many systems as possible to establish a stable botnet infrastructure and reserve them for future large-scale operations, such as distributed denial-of-service attacks,” Lee added.
 
Their method typically involves scanning for exposed ports on publicly accessible Windows servers, particularly those using Microsoft's Remote Desktop Protocol and SQL Server, according to the report. They then execute brute-force attacks, systematically guessing passwords to gain unauthorized access.
 
SK Group Chairman Chey Tae-won bows in apology during a press conference at SKT Tower in Jung District, central Seoul, on May 7. [JOINT PRESS CORPS]


 
Following a successful breach, the attackers deploy malware that allows remote control of the compromised system and conceals itself within legitimate executable files. The malware connects to a command-and-control server, enabling it to autonomously execute instructions without requiring the attacker to reconnect directly.
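The intrusion path described above, exposed RDP or SQL Server, a burst of password guesses, then a working logon, leaves a recognizable trace in authentication logs. The following detector is an added example written for this article, not code from the NIS/AhnLab report or from AhnLab. It flags a source IP that produces a burst of failed logons (Windows Security event 4625, or SQL Server error 18456 for a failed login) and then a successful logon (event 4624) shortly afterwards, which is the moment a brute-force attempt turns into a foothold. The threshold, time window and follow-up period are assumed values, and the event records are constructed for the example.

```python
"""Brute-force-then-success detector over authentication events.

Added example, not code from the article or the NIS/AhnLab report. It
models the intrusion path the report describes: a burst of failed logons
against an exposed RDP or SQL Server host, then a success from the same
source. Event IDs: Windows Security 4625 (failed logon), 4624 (successful
logon); SQL Server error 18456 (login failed). Threshold, window and
follow-up period are assumptions; the event records are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_IDS = {4625, 18456}   # Windows failed logon, SQL Server login failed
SUCCESS_IDS = {4624}       # Windows successful logon (RDP logons carry LogonType 10)

BASE = datetime(2025, 5, 1, 3, 0, 0)   # assumed start time of the constructed log


def ev(seconds, event_id, ip, user):
    """Build one constructed event record `seconds` after BASE."""
    return {"ts": BASE + timedelta(seconds=seconds), "id": event_id, "ip": ip, "user": user}


def sample_events():
    """Constructed sample log: two scanners and one legitimate user.

    All addresses come from the documentation ranges (RFC 5737).
    """
    events = []
    # 203.0.113.45: 25 RDP password guesses, one every 6 s, then a successful logon.
    for i in range(25):
        events.append(ev(6 * i, 4625, "203.0.113.45", ["administrator", "sa", "admin"][i % 3]))
    events.append(ev(240, 4624, "203.0.113.45", "administrator"))
    # 203.0.113.99: 22 SQL Server login failures against "sa" and no success.
    for i in range(22):
        events.append(ev(30 + 10 * i, 18456, "203.0.113.99", "sa"))
    # 198.51.100.7: an operator mistypes twice and then logs in; must not alert.
    events.append(ev(60, 4625, "198.51.100.7", "jlee"))
    events.append(ev(75, 4625, "198.51.100.7", "jlee"))
    events.append(ev(90, 4624, "198.51.100.7", "jlee"))
    return events


def detect(events, threshold=20, window=timedelta(minutes=5), follow=timedelta(minutes=10)):
    """Return alerts in time order.

    brute_force         : at least `threshold` failures from one IP inside `window`
    brute_force_success : a success from that IP within `follow` of its last
                          burst failure, i.e. one of the guesses probably worked
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    burst_until = {}              # ip -> time until which a success is suspicious
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ip, ts = e["ip"], e["ts"]
        if ip in burst_until and ts > burst_until[ip]:
            del burst_until[ip]   # the burst went quiet; stop watching this source
        if e["id"] in FAIL_IDS:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                if ip not in burst_until:   # first crossing of the threshold
                    alerts.append({"type": "brute_force", "ip": ip,
                                   "failures": len(q), "user": None})
                burst_until[ip] = ts + follow   # each further failure extends the watch
        elif e["id"] in SUCCESS_IDS and ip in burst_until:
            alerts.append({"type": "brute_force_success", "ip": ip,
                           "failures": len(recent[ip]), "user": e["user"]})
            del burst_until[ip]
            recent[ip].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect(sample_events()):
        print(alert)
```

On the constructed log this yields a `brute_force` alert for each scanner and a `brute_force_success` alert naming the `administrator` logon from 203.0.113.45; the operator's two typos stay below the threshold. In production the same logic runs over 4625/4624 events with the `IpAddress` field filled in, and the `brute_force_success` case is the one to page on, since it marks the point at which the malware deployment described above becomes possible.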
 
Perhaps most concerning, backdoors installed with legitimate intent by governments or enterprises, for counterterrorism, investigations or system maintenance, can be repurposed as covert access tools of this kind, allowing attackers to remotely control infected systems, exfiltrate sensitive data or deploy additional hacking tools without the user’s knowledge.




When hyperconnectivity becomes a risk
 
Experts warn that Korea’s highly advanced internet infrastructure has, paradoxically, created a structure that is deeply vulnerable to cyber threats.
 
“A nation's level of internet dependence is one of the most critical factors in evaluating its cyberdefense capabilities, and Korea’s dependence is exceptionally high, and the reliance increases the country’s vulnerability,” said Kim Seung-joo, a cybersecurity professor at Korea University.
 
“From automobiles to smart TVs and robot vacuum cleaners, the growing ecosystem of connected devices expands the range of potential attack vectors as the nation’s digital infrastructure is deeply embedded across all aspects of daily life, making it inherently susceptible to cyber threats.”
 
The SK Telecom breach is a case in point: it exposed the SIM data of 26 million subscribers, and the investigation found that a backdoor planted in 2022 had remained dormant on the carrier's server for close to three years before the exposure came to light.
 
Customers wait to get their SIM cards replaced at an SK Telecom store inside Gimpo International Airport on May 9. [NEWS1]


 
Solar sector under threat


Cybersecurity threats are now extending beyond telecommunications to critical infrastructure such as solar power systems. The U.S. Energy Department recently detected unexplained communication components inside China-made solar inverters that were not listed in the product documentation. The rogue components “provide additional, undocumented communication channels that could allow firewalls to be circumvented remotely, with potentially catastrophic consequences,” according to a Reuters report. Because such a channel does not pass through the site's own network, a perimeter firewall can neither see nor block it, which is why the finding cannot be addressed with network controls alone.
 
Solar inverters, often referred to as the “brains” of solar power systems, are the components that convert the direct current generated by solar panels into the alternating current used in homes, factories and grids. Up to 95 percent of the inverters available in Korea are made in China, then shipped to Korea and sold by domestic companies.
 
The Ministry of Trade, Industry and Energy met with major domestic solar firms in early May, including Hanwha Q Cells, HD Hyundai Energy Solutions and Hyosung Heavy Industries, to review the current status of solar inverter deployment in the country and possible expected threats.
 
“The next steps will be determined following consultations with multiple inverter experts and industry specialists,” an official from the Industry Ministry told the Korea JoongAng Daily. 

BY SARAH CHEA [[email protected]]