Valid credentials proved sufficient for attackers to reach 27 million subscriber records at SK Telecom. No zero-day exploit or encryption failure was required; the intruders simply used legitimate remote or administrative access to install BPFDoor, a kernel-level rootkit that gave them persistent control over core systems.

The intrusion followed a straightforward path. Once inside, the rootkit was placed at the kernel layer, allowing it to survive reboots and evade routine monitoring. From that position, lateral movement reached the subscriber database without further real-time interaction from the attackers.

Why Credential Reuse Succeeded

The breach succeeded because authentication still depended on material that can be captured once and replayed indefinitely. Passwords paired with SMS codes, TOTP, or push notifications protect only the login moment. After an attacker obtains either the primary credential or the ability to satisfy the second factor, the session is granted with no further cryptographic barrier.

Public-key standards such as FIDO2 improve the login step yet leave enrollment, recovery, and administrative provisioning processes exposed to phishable material. In this incident, a single valid authentication was enough to establish long-term access because nothing in the system prevented the credential from being reused on different systems or at later times.

Device-Bound Public-Key Authentication Prevents Reuse

MFA 2.0 is phish-proof, passwordless authentication built on public-key cryptography (the same technology used in Apple Pay and Google Pay). It uses device-bound credentials with no central credential database and requires same-device authentication, so no second device is needed. Because the private key never leaves the hardware or secure element, no central store exists that an attacker can harvest and replay.

Applied to the SK Telecom environment, this model would have removed the initial foothold. Even if network traffic, session tokens, or help-desk assistance were obtained, an attacker could not generate a valid cryptographic response without the enrolled device. Registration and device binding occur through public-key operations that never transmit a secret, closing the enrollment and recovery gaps that traditional methods leave open.

The same approach scales to servers and administrative workstations. Each enrolled endpoint holds its own private key; nothing travels that can be intercepted and reused. This shifts the security model from detection after compromise to prevention at the point of authentication.
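The sketch below is an added illustration, not code from the original article or from any product it mentions. It models the device's secure element as an in-memory Ed25519 key (the algorithm is an assumption; the page names none) and shows the property the section relies on: the server stores only public keys and single-use challenges, each response signs a fresh nonce bound to the relying party ID, so a captured response cannot be replayed later or at a different system.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Server keeps only enrolled public keys and single-use nonces: no password hash or OTP seed exists to harvest.
type Server struct {
	rpID       string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string]bool // nonce -> still unused
}

func NewServer(rpID string) *Server { return &Server{rpID, map[string]ed25519.PublicKey{}, map[string]bool{}} }

// NewDevice stands in for an endpoint's secure element; the private key it returns never leaves the device.
func NewDevice() ed25519.PrivateKey {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // assumption: crypto/rand does not fail here
	return priv
}

// Enroll registers only the public half of the device key.
func (s *Server) Enroll(user string, dev ed25519.PrivateKey) { s.pubKeys[user] = dev.Public().(ed25519.PublicKey) }

// Challenge issues a fresh random nonce that Verify will accept exactly once.
func (s *Server) Challenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	n := hex.EncodeToString(b)
	s.challenges[n] = true
	return n
}

// DeviceSign signs (rpID, nonce); binding the relying party ID makes a response produced for a look-alike domain useless at the real one.
func DeviceSign(dev ed25519.PrivateKey, rpID, nonce string) []byte { return ed25519.Sign(dev, []byte(rpID+"|"+nonce)) }

// Verify consumes the nonce, so a captured signature presented a second time is rejected.
func (s *Server) Verify(user, nonce string, sig []byte) error {
	pub, ok := s.pubKeys[user]
	if !s.challenges[nonce] || !ok || !ed25519.Verify(pub, []byte(s.rpID+"|"+nonce), sig) {
		return errors.New("rejected: unknown user, used or unknown challenge, or bad signature")
	}
	delete(s.challenges, nonce)
	return nil
}
```

A real deployment would also bind the nonce to the session and expire unused challenges; both are omitted here to keep the replay check itself visible.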

Remaining Limitations of Hardware Tokens and FIDO2 Keys

Hardware tokens or FIDO2 keys would have helped only if every privileged account used them consistently and if the provisioning process itself avoided phishable steps during onboarding or recovery. Device-bound public-key authentication removes that dependency across the entire identity lifecycle.