Police raid KT over suspicions of false reports, concealed information after hacking
Published: 19 Nov. 2025, 17:17
![KT DS headquarters in Bangbae-dong, Seocho District, southern Seoul, on Nov. 19. [YONHAP]](https://koreajoongangdaily.joins.com/data/photo/2025/11/19/4daed7f4-3484-4371-bbed-7a821f2b5cdb.jpg)
KT DS headquarters in Bangbae-dong, Seocho District, southern Seoul, on Nov. 19. [YONHAP]
Police launched an on-site investigation into allegations that KT filed false reports and deliberately concealed information related to a server hacking incident on a request from the Ministry of Science and ICT on Oct. 2.
The Gyeonggi Nambu Provincial Police Agency sent about 20 investigators on Wednesday morning to execute search and seizure warrants at three locations, including KT’s Pangyo building in Seongnam, Gyeonggi, and KT DS headquarters in Seocho District, southern Seoul.
The Pangyo building houses KT’s information security office, while the KT DS office is where the remote consultation system server, suspected of being intentionally destroyed, had been located.
The Science Ministry asked police to investigate KT 48 days prior, saying the company failed to report the existence of backup logs for the discarded server to a joint public-private probe team, and that it was suspected of submitting fabricated documents and hiding evidence. Before beginning the raid, police reportedly booked Hwang Tae-sun, head of KT’s information security office, as a suspect.
KT is suspected of accelerating the scheduled disposal of a system server that may have been hacked, despite being notified by the Korea Internet & Security Agency (KISA) on July 19 that certificates used for its remote consultation system had been leaked in a hacking incident — a claim KT initially denied.
![A KT store is seen in Seoul on Nov. 6. [NEWS1]](https://koreajoongangdaily.joins.com/data/photo/2025/11/19/c72d897a-0890-48d3-b548-b7f6838a8779.jpg)
A KT store is seen in Seoul on Nov. 6. [NEWS1]
According to the Science Ministry, KT reported “no signs of intrusion” to the government on July 21, just two days after receiving the alert from KISA. It was later revealed during a National Assembly hearing in September that KT discovered suspicious activity on the remote consultation system server the day after reporting to KISA but failed to file a report at the time.
KT continued to deny the hacking allegations until Sept. 18, when it finally reported to KISA that it found four traces and two indications of intrusion. Meanwhile, the old server suspected of being compromised — originally scheduled for disposal after Aug. 21 — was destroyed 20 days earlier than planned.
The company’s reports about the server disposal were themselves false. Although the server had not yet been disposed of, KT reported to KISA that disposal had taken place and later destroyed a total of eight servers in three batches — two on Sept. 1, four on Sept. 6 and two on Sept. 13.
![A KT store is seen in Seoul on Nov. 6. [NEWS1]](https://koreajoongangdaily.joins.com/data/photo/2025/11/19/b541bedb-126b-43c1-9e3a-7191bd31f223.jpg)
A KT store is seen in Seoul on Nov. 6. [NEWS1]
Investigators also found that backup logs for the destroyed servers existed but were never submitted to the joint probe team before KT’s belated report on Sept. 18.
Earlier, on Aug. 8, U.S. cybersecurity outlet Phrack published a report, citing information from a white-hat hacker, alleging that Korean telecom companies and government agencies — including KT — had been attacked by a state-backed hacking organization. The report said that certificates used in KT’s remote consultation system were found on a server associated with Kimsuky, a North Korean hacking group.
KT also filed an internal network intrusion report with KISA on Sept. 8 after some KT customers suffered unauthorized small charges, saying that an unregistered illicit device had accessed its internal network based on an analysis of victims’ call records.
The Science Ministry formed a joint public-private investigation team on Sept. 9, citing financial losses caused by the security breach and the need for a detailed analysis of the attack method.
On Nov. 6, the team announced interim findings, saying KT “submitted false information on the server disposal date to authorities and failed to report key data to investigators,” adding that it believed KT acted “with the intention of obstructing a government investigation” and had therefore requested a police probe.
This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY SON SUNG-BAE [[email protected]]
with the Korea JoongAng Daily
To write comments, please log in to one of the accounts.
Standards Board Policy (0/250자)