LG Uplus Confirms Major Server Breach Following Industrywide Cyberattacks


    South Korean telecommunications provider LG Uplus has disclosed a large-scale data breach affecting thousands of servers and internal user accounts, marking the third major cyber incident among the country’s top mobile operators this year. The breach, reported by The Korea Herald, underscores an escalating trend of credential-based intrusions targeting telecom infrastructure in South Korea.

    Attackers Exploit Stolen Credentials to Access Core Network Systems

    According to preliminary findings, the breach originated from the use of stolen employee credentials, which allowed attackers to infiltrate the operator’s internal network and move laterally across multiple systems. Once inside, they exfiltrated data from nearly 9,000 servers, compromising approximately 42,000 account credentials and the personal information of 167 employees.

    The Korea Internet and Security Agency (KISA) had reportedly alerted LG Uplus to possible compromises three months earlier, following a whistleblower’s disclosure of suspicious activity on company servers. However, an internal probe conducted in August initially concluded there was no evidence of a breach — a finding that has since been invalidated following deeper forensic analysis.

    “LG Uplus is fully cooperating with the ongoing investigation and will take necessary steps to strengthen data security and protect our customers,” the company stated.

    Ongoing Investigation by KISA and Ministry of Science and ICT

    Both KISA and the Ministry of Science and ICT are now conducting a comprehensive inquiry into the incident, focusing on how the intrusion went undetected for months and whether privileged access management failures contributed to the breach. Investigators are also assessing the extent of data exfiltration and determining if external threat actors remain active within compromised systems.

    Preliminary indicators suggest that attackers leveraged remote access channels tied to administrative credentials, potentially bypassing existing endpoint security tools. The intrusion methodology aligns with MITRE ATT&CK techniques T1078 (Valid Accounts) and T1021 (Remote Services), commonly used in credential-based cyberattacks.

    The exfiltration of data from thousands of servers implies a well-orchestrated campaign, possibly involving automated scripts or remote file transfer utilities to siphon sensitive data over extended periods.
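For defenders, the pattern described above (a valid account reaching many servers over remote services) can be surfaced from authentication logs. The sketch below is an added example, not code from the article, LG Uplus, or KISA; the log format, account and host names, window, and threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

REMOTE_SERVICES = {"ssh", "rdp", "smb", "winrm"}  # protocols counted as T1021

# Constructed sample: time, account, source, destination, protocol, result
SAMPLE_LOG = """\
2025-01-10T01:00:00 ops-backup bkp01 db01 ssh success
2025-01-10T02:00:00 ops-backup bkp01 app02 ssh success
2025-01-10T02:00:01 svc-admin jump01 hr06 ssh failure
2025-01-10T02:00:05 svc-admin jump01 db01 ssh success
2025-01-10T02:01:10 svc-admin jump01 app02 rdp success
2025-01-10T02:03:30 svc-admin jump01 bill03 ssh success
2025-01-10T02:06:45 svc-admin jump01 auth04 winrm success
2025-01-10T02:08:00 svc-admin jump01 sim05 ssh success
2025-01-10T03:00:00 ops-backup bkp01 bill03 ssh success
2025-01-10T04:00:00 ops-backup bkp01 auth04 ssh success
2025-01-10T09:00:00 jkim ws17 app02 rdp success
2025-01-10T09:05:00 jkim ws17 portal07 https success
"""

def parse(log):
    """Yield (time, account, source, destination, protocol, result) tuples."""
    for line in log.splitlines():
        if line.strip():
            ts, acct, src, dst, proto, result = line.split()
            yield datetime.fromisoformat(ts), acct, src, dst, proto, result

def flag_fanout(log, window=timedelta(minutes=10), threshold=4):
    """Map each account that reached `threshold` or more distinct hosts over
    remote services inside one sliding `window` to (alert time, hosts)."""
    recent = defaultdict(deque)   # account -> (time, destination) in window
    alerts = {}
    for ts, acct, _src, dst, proto, result in sorted(parse(log)):
        if proto not in REMOTE_SERVICES or result != "success":
            continue              # failed logons need a separate rule
        q = recent[acct]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()           # drop logons older than the window
        hosts = sorted({d for _, d in q})
        if len(hosts) >= threshold and acct not in alerts:
            alerts[acct] = (ts, hosts)
    return alerts

if __name__ == "__main__":
    for acct, (when, hosts) in flag_fanout(SAMPLE_LOG).items():
        print(f"{when.isoformat()} {acct} reached {len(hosts)} hosts: {hosts}")
```

The short default window separates a burst of lateral logons from a scheduled job that touches the same number of hosts over several hours; widening the window trades that distinction for coverage of slower movement.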

    Pattern of Cyberattacks Targeting South Korean Telecoms

    The breach follows similar incidents this year at SK Telecom and KT Corporation, both of which reported separate data theft events involving SIM-related information and unauthorized mobile payment fraud. These consecutive attacks reveal a concerning pattern of systemic vulnerabilities across Korea’s telecommunications sector, particularly involving identity management, network segmentation, and credential control.

    LG Uplus — which serves approximately 12.2 million mobile subscribers, compared with SK Telecom’s 23.1 million and KT’s 14.9 million — is now working with third-party cybersecurity firms to reinforce server hardening, log monitoring, and intrusion detection systems.

    Experts warn that attackers may be targeting the telecom sector’s backend provisioning environments, which control SIM, billing, and user authentication systems — valuable assets for both espionage and financial fraud operations.
