A small KT mobile communication device installed at a Seoul subway station. (Yonhap)
SEOUL, Sept. 11 (Korea Bizwire) — South Korean authorities said Wednesday that a string of unauthorized micro-payments targeting KT subscribers appears to have stemmed from hackers using an illegal base station device known as a femtocell.
But investigators cautioned that critical details — including how the unregistered equipment accessed KT’s core network and whether personal data was compromised — remain unresolved.
The Ministry of Science and ICT said a preliminary probe indicated the attacks originated from a femtocell not registered in KT’s management system. KT stressed that its own authorized devices had not been hacked, describing the rogue unit as “unknown” and insisting existing equipment showed no irregularities.
Still, experts said the method remains puzzling. Even if a fake femtocell connects to the network, mobile payments typically require user authentication based on sensitive subscriber data.
Authorities are examining whether hackers obtained International Mobile Subscriber Identity (IMSI) numbers or encryption keys, though KT has dismissed suggestions of SIM card breaches.
Why Only KT?
The fact that only KT customers appear to have been targeted has deepened suspicion. Some security analysts suggested attackers may have acquired internal information on KT’s base stations or exploited a vulnerability with insider help.
Others said the scale of the fraud implied at least partial leakage of personal data, pointing to reports of victims being logged out of messaging apps such as KakaoTalk during the incidents.
Second Vice Minister of Science and ICT Ryu Je-myeong acknowledged the gaps. “We have asked KT for clear answers, but so far they have not been able to provide a mechanism or analysis that explains what happened,” he said.
The Personal Information Protection Commission has launched a separate inquiry into possible data leaks.
Possible Links to Past Attacks
Investigators are also weighing whether the scheme is connected to earlier breaches attributed to Kimsuky, a North Korean–linked hacking group accused of targeting KT and LG Uplus. Ryu said it was “too early” to draw conclusions but promised to examine any overlap.
For now, the case highlights both the sophistication of new attack vectors like rogue femtocells and the uncertainty facing regulators and telecom operators in tracing how a domestic network was manipulated to trigger fraudulent charges.
Kevin Lee (kevinlee@koreabizwire.com)
