
Following the South Korean government’s announcement that a large-scale hacking attack on SK telecom Co. had been ongoing for three years, concerns are rising that these cyberattacks go beyond mere data theft for profit and could signal a form of cyber warfare orchestrated by specific nations or groups.
Evidence has surfaced that malicious code from the BPFDoor family - used by hackers to breach SK telecom servers - was also deployed in attempted attacks on other domestic telecom companies, heightening concerns over the security of national infrastructure.
According to multiple sources from the information and communication technology industry on Tuesday, U.S.-based cybersecurity firm Trend Micro reported in a publication in April 2025 that a Korean telecom provider was attacked with BPFDoor malware in July and December 2024.
Trend Micro noted that during this period, companies in the telecommunications, finance, and service sectors in territories including Myanmar, Malaysia, Egypt, and Hong Kong were also targeted by BPFDoor attacks.
The company identified Red Menshen, an advanced persistent threat hacking group linked to China, as being behind these attacks. Experts believe that Red Menshen’s consistent weekday activity patterns make it highly likely that the group operates as a state-sponsored organization.
Trend Micro noted that BPFDoor is a nation-backed backdoor designed for cyber espionage and that its controller allows lateral movement within the infiltrated network, enabling control over more systems or access to sensitive data while using stealthy evasion techniques.
BPFDoor is commonly used by APT groups targeting government, telecom, and financial institutions - critical elements of national infrastructure. One particular concern is the possibility that BPFDoor malware could have already spread beyond SK telecom to other domestic telecom companies.
In connection with this, cybersecurity experts emphasize the need to recall a similar hacking incident involving a Korean telecom provider.
The Washington Post reported in February 2024 that Chinese security company i-Soon, contracted by China’s Ministry of Public Security, stole 3 terabytes of call records from a Korean telecom company over eight years. i-Soon, which had contracts with Chinese state agencies, carried out extensive hacking operations targeting governments and corporations across various countries, and Korean telecom providers were among the targets, it said.
The Korean government’s investigative team has stated it is unable to confirm the targets of the BPFDoor attacks within the country. Although there is speculation in the market pointing to China or even North Korea, the prevailing view is that the attack was likely not aimed at simple data theft for monetary gain.
Given that BPFDoor malware is available as open-source software, experts noted that it is difficult to determine the precise identity of the attacker, leading to calls for coordinated international responses at the government level.
“Chinese hacker groups like Salt Typhoon do not hack for the money,” Lim Jong-in, a professor of cyber security at Korea University, said. “Their goal is to infiltrate national infrastructure such as telecommunications and finance.”
Lim urged the government to cooperate with international telecom companies that have been previously attacked by Chinese hackers to assess the damage and track the perpetrators.
Salt Typhoon is a Chinese hacker group known for targeting major U.S. telecom companies including Verizon, AT&T, and T-Mobile in 2024.
“BPFDoor is a generalized hacking method and could potentially have been used not just by China but by North Korea as well,” Qubit Security Inc. Chief Executive Officer Shin Seung-min said. “Other hacker groups from countries such as Russia should also be considered.”
[ⓒ Maeil Business Newspaper (매일경제) & mk.co.kr. Unauthorized reproduction, redistribution, and use for AI training prohibited]