Recent developments in South Korea’s financial sector have revealed a complex and well-coordinated cyber assault, characterized as a sophisticated supply chain attack leading to the deployment of Qilin ransomware. This incident underscores a growing concern for organizations in the region as they contend with more advanced cyber threats.
Bitdefender reports that this operation combined the capabilities of Qilin, a notable Ransomware-as-a-Service (RaaS) group, with potential backing from North Korean state-affiliated actors known as Moonstone Sleet. Initial access for this attack was achieved through the compromise of Managed Service Providers (MSPs), a tactic that maps to the MITRE ATT&CK framework, particularly the "Initial Access" tactic and the "Credential Dumping" technique commonly seen in supply chain attacks.
In October 2025, Qilin’s activity surged dramatically, claiming over 180 victims and accounting for 29% of global ransomware attacks, according to NCC Group. The exploitation of MSP vulnerabilities in South Korea led to a significant uptick in ransomware incidents, marking the country as the second-most affected after the United States. Analysis revealed that 25 of the 28 targeted organizations were from the financial sector, highlighting a clear focus on critical infrastructure.
The Korean Leaks campaign, as the attackers dubbed it, culminated in the theft of over 1 million files and 2 terabytes of data across three distinct waves. Bitdefender notes that these events were marked by an unusual approach that deviated from typical ransom demands, opting instead for a narrative framed around political activism and public awareness of corruption within the financial system. This strategic shift may be mapped to the MITRE ATT&CK "Social Engineering" and "Impact" tactics, which aim not only to extort financially but also to manipulate public perception.
Each attack wave targeted specific victims within the financial management sector, starting with ten victims on September 14, followed by nine more between September 17 and 19, and concluding with another nine from September 28 to October 4. By staging the attacks this way, Qilin affiliates could use their access to a single compromised MSP to hit multiple organizations concurrently.
The propaganda-filled communications from the attackers included threats to expose high-profile figures involved in alleged market manipulations, heightening the stakes for potential victims. This approach indicates a calculated move to undermine both the organizations and the larger financial ecosystem, thus tapping into the MITRE technique of “Data Encrypted for Impact.”
On September 23, 2025, reports emerged that over 20 asset management companies were ensnared in the ransomware attack following the breach of GJTec, an MSP. This incident illustrates the critical vulnerabilities that arise when third-party vendors are compromised, reinforcing the necessity for organizations to implement stringent cybersecurity measures like Multi-Factor Authentication (MFA) and the Principle of Least Privilege (PoLP).
Bitdefender cautioned that the recent MSP compromise behind Korean Leaks serves as a stark reminder of the cybersecurity blind spots organizations face, emphasizing that exploiting a vendor's weaknesses is often a more accessible path for RaaS groups than attacking the end target directly. As the threat landscape continues to evolve, businesses must remain vigilant and proactive in fortifying their defenses against complex cyber operations.