![The Ministry of National Defense logo is pictured on June 10, 2024. [YONHAP]](https://koreajoongangdaily.joins.com/data/photo/2025/05/28/0ad6fa9a-94d7-44e7-b693-baefa1a20145.jpg)
The Ministry of National Defense logo is pictured on June 10, 2024. [YONHAP]
Following the recent hacking of SK Telecom’s (SKT) SIM server, the South Korean military has raised its cyber defense posture and is working to replace all SIM cards in nearly 5,700 encrypted security phones used by senior military leadership by June.
The military operates about 5,700 encrypted phones under high-security protocols, all of which use SKT lines, according to the Ministry of National Defense’s response submitted to Rep. Kang Dae-sik of the National Assembly’s National Defense Committee on Tuesday.
This marks the first upgrade in the military’s cyberspace protection condition (CPCON) since March 2022, reflecting heightened concerns regarding potential cyberattacks.
“There are approximately 5,700 highly secure communication terminals, or security phones, in the name of military agencies, all of which are SKT lines,” said the Ministry of National Defense in response to Kang’s inquiry. “We plan to cooperate with SKT to replace all the USIMs of secret phones by June.”
The ministry has already replaced the SIM cards in around 1,500 devices used by generals and commanders of operations and intelligence units and plans to replace the remaining 4,200 in phases through next month.
SKT has been promoting SIM replacement for all of its approximately 25 million subscribers since last month, but the pace is slow due to insufficient supply. The military authorities’ phones, for which security is a top priority, are also affected by this chaos.
![[JOONGANG ILBO]](https://koreajoongangdaily.joins.com/data/photo/2025/05/28/66955282-53d8-4c45-b17e-1f85bf03fcc6.jpg)
[JOONGANG ILBO]
While experts are talking about a “cyberattack at the level of a specific nation,” this also means that the military authorities have decided to take priority measures against the secret phones of military leaders where high-level military information can be exchanged.
The urgency stems from fears that compromised SIMs in security phones used by top brass, including the chairman of the Joint Chiefs of Staff, could lead to the exposure of critical military secrets.
Users prioritized for replacement include officers from the Army, Navy, Air Force, Combined Forces Command, Cyber Command, Defense Security Command, Drone Command and Defense Psychological Operation Group — effectively covering all major military commands.
Though the encrypted phones do not store information locally, some server systems connected to the phones’ security apps might be affected. The ministry stated that no classified data leaks have been confirmed so far.
“Secure phones do not use SIM information and go through a separate authentication process using security apps and encryption devices, so we have reviewed that the possibility of damage due to the SKT hacking incident is low,” said a Defense Ministry official.
![[JOONGANG ILBO]](https://koreajoongangdaily.joins.com/data/photo/2025/05/28/5e0ba520-f53f-4265-b8c5-671ea53a23a5.jpg)
[JOONGANG ILBO]
However, experts have warned that the BPFDoor malware used in the attack is highly sophisticated and capable of evolving into more complex variants. This means that there may be functions that have not yet been identified. Accordingly, military authorities plan to check whether the servers related to secret phones have been hacked.
The Defense Ministry also modified the CPCON level from Level IV to Level III in this month. CPCON is divided into five levels according to threat level, and after this incident, the response system was strengthened from increased risk, at Level IV, to specific attack risk at Level III.
A ministry official added that this measure had been taken in consideration of the fact that the hacking incident occurred ahead of the presidential election.
Out of the 2,370 general business mobile phones used by the military, 285, or 12 percent, are SKT devices and 2,085, or 88 percent, are KT lines. The Defense Ministry is also planning to promote SIM replacement for business use.
According to the government’s joint public-private investigation team, SKT first became aware of the leak of up to 9GB of information, including subscriber phone numbers and international mobile subscriber identity data, on April 18 from the home subscriber server where SIM information was stored.
![A notice about the SK Telecom SIM hacking incident is displayed at a phone store in Jung District, central Seoul, on May 12. [NEWS1]](https://koreajoongangdaily.joins.com/data/photo/2025/05/28/c56454eb-155c-42cc-a1c7-0212aebcb74c.jpg)
A notice about the SK Telecom SIM hacking incident is displayed at a phone store in Jung District, central Seoul, on May 12. [NEWS1]
Hackers first infiltrated SKT’s SIM server in June 2022 and were meticulous enough to hide the infiltration for a long period of time. It is possible that the purpose of this infiltration was to steal sensitive information such as military secrets.
In particular, the four types of malware used in the infiltration are known to be mainly used by Chinese hacker groups, and other forces such as North Korea may utilize variants since they have already been made open source. This is why experts suspect a nation-to-nation cyberattack.
“This is a grave issue that not only involves personal data breaches, but also poses a direct threat to national security,” said Kang. “Even if the encrypted phones have built-in safeguards, the sophistication of modern cyberattacks necessitates a full-scale security audit and swift completion of USIM replacement.”
Translated from the JoongAng Ilbo using generative AI and edited by Korea JoongAng Daily staff.
BY LEE KEUN-PYUNG, LEE YU-JUNG [[email protected]]