SK Telecom warns that a malware attack on its systems compromised sensitive customer USIM data, which could be used for targeted surveillance, tracking, and SIM-swap attacks.
With a user base of more than 34 million subscribers corresponding to a 48.4% market share, SK Telecom is South Korea’s largest mobile network operator.
According to a Korean-language data breach notification posted on the company’s website, the telecom giant detected the cyber attack at 11 PM on Saturday, April 19, 2025.
The Jung District, Seoul-based telecom colossus, responded by isolating the hacked equipment and deleting the malware to prevent further compromise and lateral movement across the network.
It also notified the Korea Internet & Security Agency (KISA) and the country’s Personal Information Protection Commission and launched an investigation to determine the scope of the incident.
SK Telecom malware attack exposes sensitive USIM data
SK Telecom determined that the malware attack exposed Universal Subscriber Identity Module (USIM) data that typically contains the International Mobile Subscriber Identity (IMSI), Mobile Station ISDN Number (MSISDN), authentication keys, network usage information, and SMS and contacts stored on the user’s SIM card.
However, the USIM data breach did not expose payment details and government-issued IDs such as Social Security Numbers (SSNs) and payment details such as credit cards.
Nonetheless, the impacts of exposing USIM data are undeniable as it exposes victims to potential targeted surveillance and SIM swap attacks, which could further compromise more sensitive data such as credit card information and SSNs.
For now, the company has no evidence that the threat actor has misused the compromised customer USIM data for nefarious purposes.
“As of now, there have been no confirmed cases of the leaked information being misused,” the company stated.
Additionally, the company implemented additional security measures to prevent unauthorized SIM swaps or authentication attempts. Customers are also advised to sign up for the free USIM data protection service to prevent their mobile numbers from being swapped or ported to a different network.
Meanwhile, no cyber gang has claimed responsibility for the SK Telecom malware attack, and it remains unclear if the telecom giant was the victim of a ransomware incident. Similarly, the attack vector exploited and the payload deployed during the malware attack also remain unreported or undisclosed.
Telecom companies targeted by cyber attacks
However, the SK Telecom malware attack bears the hallmarks of a state-sponsored cyberespionage campaign by its northern adversaries, North Korea or China, with the latter having a history of carrying out similar attacks.
In December 2024, at least 9 telecom giants in the United States were targeted in an alleged Chinese cyberespionage campaign dubbed Salt Typhoon. The cyber blitz prompted United States’ CISA, the NSA, and the FBI, Australia’s ACSC, Canada’s CCCS, and the New Zealand’s NCSC-NZ to issue a joint cybersecurity advisory on hardening communication infrastructure against Chinese intrusion.
In June 2024, Chinese hackers Volt Typhoon had also targeted Singaporean telecom giant Singtel in the run-up to the massive cyberespionage campaign targeting U.S. telecom companies.
While such attacks target a large population, nation-state actors typically focus on people “primarily involved in government or political activity,” according to the FBI.
Meanwhile, SK Telecom’s 45-hour delay in notifying authorities about the malware attack has raised concerns about non-compliance, as South Korea’s Information and Communications Network Act requires service providers to report security breaches within 24 hours.
However, the company claims the delay was due to the need for thorough identification of details regarding the malware attack.
Nonetheless, Randolph Barr, CISO at Cequence, commends SK Telecom’s transparency in addressing the USIM data breach: “SK Telecom’s initial transparency is commendable,” he noted. “Acknowledging the breach, isolating affected systems, and offering protective measures like the free USIM Protection Service are the right first steps. Continued clarity will help peers in the industry better understand evolving threat actors.”
However, he warned that the malware attack extends beyond South Korean borders, putting global mobile network operators at risk.
“A breach in a local telecom system could introduce risks into multinational networks-either through direct exposure or supply chain vulnerabilities,” he added. “For CISOs managing global responsibilities, this incident underscores the importance of not only monitoring security within our own infrastructure, but also understanding the risk landscape of countries where we operate or rely on third-party services.”

