Qilin RaaS Exposed 1 Million Files and 2 TB of Data Linked to Korean MSP Breach

The “Korean Leaks” campaign has emerged as one of the most sophisticated supply chain attacks targeting South Korea’s financial sector in recent memory.

This operation combined the capabilities of the Qilin Ransomware-as-a-Service (RaaS) group with potential involvement from North Korean state-affiliated actors known as Moonstone Sleet.

The attackers leveraged a compromised Managed Service Provider (MSP) as their initial access vector, enabling them to breach multiple organizations through a single point of entry.

In September 2025, South Korea suddenly became the second most-targeted country for ransomware attacks, with 25 victims claimed in a single month.

This unusual spike was attributed exclusively to the Qilin ransomware group, which focused almost entirely on financial services firms, specifically asset management companies.

Of the 33 total victims, 28 are currently public, with documented cases confirming the theft of over 1 million files and 2 TB of data.

Monthly count of ransomware victims in South Korea (September 2024 – September 2025) (Source - Bitdefender)

Bitdefender security researchers identified that Qilin operates like a gig economy, where main operators provide branding, software, and infrastructure while taking 15% to 20% of profits.

The actual hacking is executed by affiliates who earn the majority of the money. What makes this campaign particularly concerning is the early 2025 partnership between Qilin and Moonstone Sleet, a hacking group tied directly to North Korea, blurring the lines between cybercrime and state-sponsored espionage.

The attackers rolled out their campaign in three distinct publication waves. Wave 1 released 10 victims on September 14, 2025, framing the attacks as a public-service effort to expose systemic corruption.

Wave 2 escalated threats against the entire Korean stock market, while Wave 3 concluded with nine additional victims before returning to standard extortion messaging.

MSP Compromise as the Attack Vector

The root cause analysis revealed that the tight clustering of victims within a single financial niche pointed to a shared vulnerability connecting all targets.

Initial Qilin DLS listing for a Korean target that contains a direct North Korean reference (Source - Bitdefender)

Press reporting on September 23, 2025, confirmed that more than 20 asset management firms suffered breaches after their servers were hacked through a common domestic IT service provider.

This MSP compromise granted attackers simultaneous access to multiple client networks, explaining the speed and precision of the attack waves.

Defense recommendations include implementing multi-factor authentication, network segmentation, and adopting EDR/XDR/MDR solutions to minimize adversary dwell time.
