South Korean ISP Inentionally Infected 600,000 Users with Malware

According to South Korean media reports, the local telecommunications company KT (formerly Korea Telecom) deliberately infected its customers with malware because users were too actively downloading content via P2P. File sharing remains very popular in South Korea, but it works differently than in most other countries. For example, services like Webhard (short for Web Hard Drive) are popular in the country. In South Korea, “network hard drives” refer to paid services that support BitTorrent and have special web seeds to ensure files are always available.

These services rely on a Grid System that supports BitTorrent, which has become so popular that it caught the attention of internet providers. Since such torrent connections consume bandwidth, ISPs prefer not to have this kind of traffic on their networks.

KT, one of South Korea’s largest internet providers with over 16 million subscribers, had previously interfered with the Grid system. In 2020, this led to a court case in which the company cited network management costs as the main reason for interfering with traffic. The court sided with KT, ruling in its favor.

However, the police investigation that began at that time is still ongoing. According to a recent report by Korean news outlet JTBC, KT actively installed malware on the computers of Webhard service users, and the number of infected “network hard drive” clients eventually exceeded 600,000 people.

Details of the Incident and Investigation

When KT users began reporting problems in 2020, they weren’t just complaining about slow downloads. The main issue was that Grid-based Webhard services were going offline or displaying strange errors.

Journalists report that KT’s position was that P2P “network hard drive” services were essentially malware themselves, so the company had no choice but to control this activity.

As noted above, such file sharing can create a significant load on networks (just like legal streaming), which is why South Korean telecom operators have been engaged in a fierce legal battle with Netflix for some time, trying to determine who should pay for network operation and construction costs. For the same reason, Comcast in the U.S. began quietly throttling torrent traffic years ago.

Because this incident attracted the attention of law enforcement, authorities conducted searches at KT’s headquarters and data center in search of evidence of violations of the Communications Secrets Protection Act (CSPA) and the Information and Communications Network Act (ICNA). The CSPA is aimed at protecting the privacy and confidentiality of communications, while the ICNA is designed to ensure the security of information and communication networks.

The investigation revealed that KT had an entire team dedicated to detecting and stopping file sharing: some employees were responsible for developing the malware, others for distributing it, and others for intercepting data. It is believed that KT employees installed malware to “eavesdrop” on their subscribers and interfere with their private file transfers.

In fact, KT is accused of accessing and modifying data on users’ computers to restrict torrent traffic. As a result, 13 KT employees and partners involved in this activity have already been identified and may now face trial.

Law enforcement believes KT took these measures for financial reasons. A manager from one of the Webhard companies told reporters that torrents allow significant savings on bandwidth, and in this case, P2P data transfer goes through KT’s network, which allegedly costs the provider millions of dollars annually.