[Sec Issue] 23 Million Mobile Subscribers’ Data Leaked: The Full Story Behind the 2025 SK Telecom SIM Breach and Future Preparations

2025 SK Telecom SIM Data Breach: A Warning and Response Strategy for Telecom Infrastructure Security

In April 2025, a significant breach at SK Telecom exposed critical security vulnerabilities within South Korea’s telecom infrastructure.

The breach resulted in the leakage of sensitive information belonging to approximately 23 million subscribers, threatening not only individual telecommunications security but also the overall safety of national critical infrastructure.

This document provides an in-depth analysis of the incident overview, causes, attack progression, technical infiltration methods, its association with OT (Operational Technology) security, and necessary future countermeasures.


1. Incident Overview

The breach occurred on April 19, 2025, around 11:00 PM.

SK Telecom’s core network servers were infected with malware, resulting in a massive leak of SIM data.

The leaked information included:

  • IMSI (International Mobile Subscriber Identity): Unique identifier for mobile subscribers
  • ICCID (Integrated Circuit Card Identifier): Unique identifier for SIM cards
  • IMEI (International Mobile Equipment Identity): Unique identifier for mobile devices
  • Authentication Key (Ki): Unique authentication value for network access
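
The four identifiers above are plain digit strings, and in a leaked data set they are easy to confuse: an IMSI and an IMEI are both 15 digits, but only the IMEI and the ICCID carry a Luhn check digit. The following is an added example (not code from SK Telecom or from the original post) that parses and sanity-checks each identifier; all sample values are constructed (450 is South Korea's MCC, the MNC and MSIN are made up, and the ICCID and IMEI are synthetic numbers chosen so that their check digits verify).

```python
"""Validate and classify the SIM and device identifiers listed above.

Added example; not code from SK Telecom or from the original post. All sample
values are constructed: 450 is South Korea's MCC, the MNC/MSIN are made up,
and the ICCID and IMEI are synthetic numbers chosen only so that their Luhn
check digits verify.
"""


def luhn_ok(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check over a full digit string, as used by ICCIDs
    and 15-digit IMEIs. IMSIs carry no check digit, so this is also a cheap
    way to tell the two 15-digit identifiers apart."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split an IMSI into MCC (3 digits), MNC (2 or 3 digits) and MSIN.

    The MNC length is not encoded in the IMSI; it is set per country, so
    mnc_len=2 here is an assumption that fits Korean (MCC 450) numbering."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_len], "msin": imsi[3 + mnc_len:]}


def parse_imei(imei: str) -> dict:
    """Split a 15-digit IMEI into TAC (8), serial (6) and Luhn check digit."""
    if not (imei.isdigit() and len(imei) == 15 and luhn_ok(imei)):
        raise ValueError("not a valid 15-digit IMEI")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


def classify(value: str) -> str:
    """Best-effort label for a bare digit string found in a data set.

    Caveat: roughly one IMSI in ten passes the Luhn test by chance, so a
    15-digit 'imei' verdict should be corroborated (e.g. against a known TAC)."""
    if not value.isdigit():
        return "unknown"
    if len(value) == 15:
        return "imei" if luhn_ok(value) else "imsi"
    if len(value) in (19, 20) and value.startswith("89") and luhn_ok(value):
        return "iccid"  # 89 = telecom industry prefix, followed by the country code
    return "unknown"


if __name__ == "__main__":
    for v in ("450051234567890", "351234567890124", "8982050000123456782"):
        print(v, classify(v))
```

The classifier is deliberately conservative: it never reports a 15-digit string as an IMSI with certainty, because the only structural difference between the two is the check digit the IMEI carries and the IMSI lacks.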

This information is highly sensitive. With a subscriber's IMSI and Ki, an attacker can authenticate to the network as that subscriber, which exposes calls, SMS and location and, through SMS one-time codes, reaches into financial and identity-verification services.

Thus, the breach represents a significant incident that could trigger widespread secondary damages beyond mere personal data leaks.


2. Causes and Progression of the Incident

2.1. Infiltration Path

Investigations revealed that attackers implanted malware within SK Telecom’s internal network, enabling access to key systems.

The breach particularly targeted the Home Subscriber Server (HSS) and the Unified Data Management (UDM) function: the HSS is the subscriber database of the 4G (LTE/EPC) core, and the UDM is its counterpart in the 5G core.

Both hold subscriber profiles and authentication keys, track which serving node each subscriber is currently attached to, and decide who may access the network; once they are compromised, the security of the whole mobile network is undermined.

Attackers are believed to have gained a foothold, escalated privileges, and moved laterally through the internal network to reach the systems holding SIM authentication data.

2.2. Response Measures

Immediately upon discovering the malware, SK Telecom isolated the affected servers and launched a full-scale investigation across its entire network.

The incident was promptly reported to the Korea Internet & Security Agency (KISA) and the Personal Information Protection Commission, and collaborative efforts with relevant authorities were initiated to analyze the incident and prevent further leaks.

Forensic experts were deployed for in-depth analysis, and a comprehensive vulnerability assessment of the entire network architecture was conducted simultaneously.


3. Technical Analysis and Infiltration Techniques

3.1. Importance of SIM Information

SIM cards are not mere communication chips.

The IMSI and Ki are core elements for mobile network authentication. If leaked, attackers could conduct malicious activities such as:

  • Producing cloned SIM cards and unauthorized network usage
  • Tracking user movements and stealing location data
  • Defeating SMS-based two-factor authentication by receiving the victim's one-time codes, enabling financial fraud
  • Bypassing identity verification systems

Therefore, SIM information must be protected at the highest security level across the telecommunications, financial, and public sectors.

3.2. Infiltration Techniques

The attackers initially exploited vulnerabilities in internal servers to inject malware.

Subsequently, they escalated privileges to obtain root access to the HSS and UDM servers, thereby enabling direct access to internal databases and the mass extraction of SIM-related data.

The following advanced infiltration techniques were utilized:

  • Fileless Malware: Operates solely in memory to minimize traces
  • Encrypted Communication with C2 Servers: Evades detection
  • Lateral Movement after Privilege Escalation: Facilitates deeper infiltration into internal systems

This attack is considered a highly sophisticated APT (Advanced Persistent Threat) operation rather than a simple hack.


4. Relevance to OT and Product Security

Although the incident originated from telecom infrastructure vulnerabilities, it is closely linked to OT security issues.

  • OT Convergence of Telecom Networks

Modern telecommunications infrastructure is deeply integrated with critical industries such as power, manufacturing, and transportation. Stability in telecom networks is crucial for the operational integrity of OT systems.

  • Product Security

If physical products like SIM cards lack robust security designs, the entire system becomes vulnerable.

Key elements include authentication key management for SIM chips, encrypted storage methods, and ensuring the integrity of manufacturing processes.

  • Supply Chain Security

SIM cards pass through multiple manufacturers and suppliers before reaching the telecom carriers.

If any point within the supply chain is compromised, the security of the final product is also endangered.

Thus, establishing comprehensive supply chain security governance is essential.

Ultimately, the incident highlights that without integrated security measures encompassing IT systems, OT product security, and supply chain management, similar breaches could recur in the future.


5. Countermeasures

5.1. Technical Measures

  • Strengthening SIM Protection Services

Strengthen the binding of each SIM to its registered handset (IMSI-to-IMEI matching) so that a SIM presented from an unregistered device is refused service.

Because a cloned SIM is almost always used in a different handset, this blocks the common abuse case and gives the network a clear signal to alert on. It does not prevent cloning itself, and an IMEI can be altered on some devices, so it is an access-control and detection measure rather than a substitute for protecting Ki.

  • Deploying Abnormal Authentication Detection (Fraud Detection System, FDS)

Introduce real-time systems that detect abnormal authentication attempts, such as implausible location changes, device changes, and suspicious access patterns, using the authentication logs the HSS/UDM already produce.

AI-based pattern recognition should supplement, not replace, rule-based log analysis.
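
As an added example (not SK Telecom's FDS), the block below runs three such rules over a constructed authentication log: a SIM used from a device it is not bound to, a location change faster than any vehicle, and the same SIM authenticating from two devices within a short window. The key=value log format, the cell-site coordinates, the IMSI-to-IMEI bindings and the thresholds are all assumptions made for the illustration.

```python
"""Rule-based detection of abnormal authentications over constructed attach logs.

Added example; not SK Telecom's FDS. The key=value log format, the cell-site
coordinates, the IMSI-to-IMEI bindings and the thresholds are all assumptions
made for this illustration.
"""
import math
from datetime import datetime, timezone

# Constructed sample: one authentication event per line.
SAMPLE_LOG = """\
2025-04-20T09:00:00Z imsi=450051234567890 imei=351234567890124 cell=SEL-01 result=ok
2025-04-20T09:05:00Z imsi=450051234567890 imei=351234567890124 cell=SEL-02 result=ok
2025-04-20T09:07:00Z imsi=450051234567890 imei=490154203237518 cell=BUS-01 result=ok
2025-04-20T09:30:00Z imsi=450059999999999 imei=860000000000000 cell=SEL-01 result=ok
2025-04-20T09:31:00Z imsi=450059999999999 imei=860000000000000 cell=SEL-01 result=fail
"""

# Assumed cell-site positions (lat, lon): two in Seoul, one in Busan.
CELL_SITES = {"SEL-01": (37.50, 127.03), "SEL-02": (37.52, 126.97), "BUS-01": (35.18, 129.08)}

# Assumed SIM-protection bindings: the IMEIs each IMSI is registered to.
DEVICE_BINDINGS = {"450051234567890": {"351234567890124"},
                   "450059999999999": {"860000000000000"}}


def parse_log(text: str) -> list:
    """Turn the key=value lines into event dicts with a timezone-aware timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect(events, bindings=DEVICE_BINDINGS, max_kmh=900.0, window_s=600) -> list:
    """Apply three rules, in time order, to successful authentications only:
    unbound_device, impossible_travel (speed above max_kmh between consecutive
    successes) and concurrent_devices (another IMEI within window_s seconds)."""
    alerts, last_ok, recent = [], {}, {}

    def record(rule, ev):
        alerts.append({"rule": rule, "imsi": ev["imsi"], "imei": ev["imei"],
                       "ts": ev["ts"].isoformat()})

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "ok":
            continue  # failed attempts are not evidence of presence at a cell
        imsi = ev["imsi"]
        bound = bindings.get(imsi)
        if bound is not None and ev["imei"] not in bound:
            record("unbound_device", ev)
        prev = last_ok.get(imsi)
        if prev is not None:
            km = haversine_km(CELL_SITES[prev["cell"]], CELL_SITES[ev["cell"]])
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                record("impossible_travel", ev)
        seen = [(t, i) for t, i in recent.get(imsi, [])
                if (ev["ts"] - t).total_seconds() <= window_s]
        if any(i != ev["imei"] for _, i in seen):
            record("concurrent_devices", ev)
        recent[imsi] = seen + [(ev["ts"], ev["imei"])]
        last_ok[imsi] = ev
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a)
```

In the sample, the third event fires all three rules at once: a second handset, a Seoul-to-Busan jump in two minutes, and a device change inside the ten-minute window. Real deployments would tune the velocity threshold per cell size and add rate-based rules, but these three cover the bulk of what a cloned SIM looks like on the wire.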

  • Protecting the Carrier-Side Copy of Ki

The Ki inside a SIM card sits in a secure element and cannot be read out; the copy at risk in this incident is the one the carrier keeps to authenticate subscribers. That copy should be stored encrypted and, preferably, held in a hardware security module that computes authentication vectors without ever releasing the key, so that a compromised HSS yields key handles rather than keys.
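
The following added example (not SK Telecom's code) ties together the cloning risk from section 3.1 and the key-protection measure just above. It simulates the network's challenge-response authentication with two authentication-centre designs: one whose subscriber table holds Ki in the clear, where a database dump is enough to build a working clone, and one that keeps Ki behind a non-exporting key store, where the same dump yields only key handles. Real networks derive the response with the Milenage or TUAK function sets; HMAC-SHA256 is used here as a stand-in so the block runs with the standard library only, and the IMSI, ICCID and keys are constructed.

```python
"""Why a leaked Ki lets an attacker impersonate a subscriber, and why the
carrier-side copy of Ki belongs behind a non-exporting key store.

Added example; not SK Telecom's code. HMAC-SHA256 stands in for the 3GPP
Milenage/TUAK response function. IMSI, ICCID and keys are constructed.
"""
import hashlib
import hmac
import os


def f2(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the AKA f2 response function: RES = f2(Ki, RAND)."""
    return hmac.new(ki, b"RES" + rand, hashlib.sha256).digest()[:8]


class Sim:
    """What is personalised onto a USIM: the IMSI and a Ki the chip never exports."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki
    def respond(self, rand: bytes) -> bytes:
        return f2(self._ki, rand)


class PlaintextAuC:
    """Vulnerable form: the subscriber table holds Ki in the clear, so a database
    read (what root on the HSS gives an attacker) is a Ki dump."""
    def __init__(self):
        self.table = {}
    def provision(self, imsi, iccid, ki):
        self.table[imsi] = {"iccid": iccid, "ki": ki}
    def vector(self, imsi):
        rand = os.urandom(16)
        return rand, f2(self.table[imsi]["ki"], rand)


class KeyStore:
    """Models an HSM: keys are referenced by handle, f2 runs inside, nothing is exported."""
    def __init__(self):
        self._keys = {}
    def import_key(self, ki: bytes) -> str:
        handle = "kh-%04d" % (len(self._keys) + 1)
        self._keys[handle] = ki
        return handle
    def f2(self, handle: str, rand: bytes) -> bytes:
        return f2(self._keys[handle], rand)


class HardenedAuC:
    """Hardened form: the table stores only a key handle; Ki lives in the KeyStore."""
    def __init__(self, keystore: KeyStore):
        self.ks, self.table = keystore, {}
    def provision(self, imsi, iccid, ki):
        self.table[imsi] = {"iccid": iccid, "key_handle": self.ks.import_key(ki)}
    def vector(self, imsi):
        rand = os.urandom(16)
        return rand, self.ks.f2(self.table[imsi]["key_handle"], rand)


def attach(auc, imsi: str, responder) -> bool:
    """Network side of AKA: send RAND, accept if RES equals the expected XRES."""
    rand, xres = auc.vector(imsi)
    return hmac.compare_digest(responder(rand), xres)


def clone_from_dump(table: dict, imsi: str):
    """Attacker: build a SIM clone from a stolen table, or None if it holds no Ki."""
    rec = table.get(imsi)
    return Sim(imsi, rec["ki"]) if rec and "ki" in rec else None


def demo() -> dict:
    imsi, iccid, ki = "450051234567890", "8982050000123456782", os.urandom(16)
    genuine = Sim(imsi, ki)
    weak = PlaintextAuC()
    weak.provision(imsi, iccid, ki)
    strong = HardenedAuC(KeyStore())
    strong.provision(imsi, iccid, ki)
    clone = clone_from_dump(dict(weak.table), imsi)  # attacker reads the whole table
    return {
        "genuine_ok": attach(weak, imsi, genuine.respond),
        "wrong_key_rejected": not attach(weak, imsi, Sim(imsi, os.urandom(16)).respond),
        "clone_from_plaintext_dump_ok": clone is not None and attach(weak, imsi, clone.respond),
        "genuine_ok_hardened": attach(strong, imsi, genuine.respond),
        "clone_from_hardened_dump": clone_from_dump(dict(strong.table), imsi) is not None,
    }
```

Calling demo() shows the network accepting the clone built from the plaintext table exactly as it accepts the genuine SIM, while the hardened table gives the attacker nothing to clone. The caveat a practitioner should keep in mind: a key store does not stop an attacker with root on the HSS from requesting authentication vectors one at a time, so it must be paired with rate limiting and logging of vector requests, which is where the detection rules above come in.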

5.2. Institutional Measures

  • Strengthening Security Regulations and Regular Audits

Legalize telecom operators’ responsibility for security management, and introduce periodic security audits and certification systems by independent organizations.

  • Establishing a Compensation Framework

Prepare structured procedures to swiftly compensate victims in the event of large-scale information breaches.

Mandatory enrollment in cybersecurity insurance for telecom carriers should also be considered.

  • Strengthening Supply Chain Security Management

Expand security certifications and audit frameworks to encompass SIM manufacturers, suppliers, and logistics companies across the entire supply chain.


6. Conclusion

The 2025 SK Telecom SIM breach is not merely a telecom hacking incident.

It serves as a critical warning for the fundamental reexamination of South Korea’s telecom infrastructure security and broader national critical infrastructure resilience.

Although the incident has been contained, the risks remain.

In the digital era characterized by AI, IoT, and 5G proliferation, security strategies for telecom and OT-integrated systems must move beyond isolated barriers toward layered and integrated security approaches.

By combining both technical and institutional countermeasures, we can better prepare for even larger threats in the future.

This incident must be the starting point for building a stronger, more resilient security framework.
