The “Korean Leaks” campaign has emerged as one of the most sophisticated supply chain attacks targeting South Korea’s financial sector. This cyberattack demonstrates the growing threat of ransomware attacks on MSPs and the increasing involvement of state-sponsored hacking groups in cybercrime.
The operation combined the capabilities of the Qilin Ransomware-as-a-Service (RaaS) group with potential involvement from North Korean state-affiliated actors known as Moonstone Sleet. Attackers exploited a compromised Managed Service Provider (MSP) as the initial access point, allowing them to breach multiple organizations through a single entry vector.
Surge in Ransomware Attacks in South Korea
In September 2025, South Korea became the second most-targeted country for ransomware attacks, with 25 victims reported in just one month. The Qilin ransomware group was responsible for nearly all attacks, specifically targeting financial services firms and asset management companies.
Of the 33 total victims, 28 have been publicly disclosed, with confirmed theft of over 1 million files and 2 TB of sensitive data.
How Qilin RaaS Operates
According to Bitdefender security researchers, Qilin operates like a gig economy:
- Main operators provide branding, infrastructure, and ransomware software, taking 15–20% of profits.
- Affiliates perform the actual attacks, earning the majority of the revenue.
A significant concern is the Qilin-Moonstone Sleet partnership in early 2025, which merges cybercrime and state-sponsored espionage, raising the stakes for targeted industries.
Three Waves of the Korean Leaks Campaign
The campaign was executed in three distinct waves:
- Wave 1 (Sep 14, 2025): 10 victims targeted, framed as exposing corruption.
- Wave 2: Threats against the Korean stock market escalated.
- Wave 3: Nine additional victims targeted before reverting to standard extortion messaging.
MSP Compromise: The Attack Vector
The clustering of victims within the financial sector pointed to a shared point of entry rather than independent intrusions. More than 20 asset management firms were breached via a common domestic IT service provider, demonstrating how a single MSP compromise lets ransomware propagate across many client organizations at once.
Defense Recommendations
To mitigate similar attacks, organizations should implement:
- Multi-factor authentication (MFA)
- Network segmentation
- EDR/XDR/MDR solutions to reduce adversary dwell time
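The two points above that matter most for the MSP scenario are MFA on every remote-access identity and visibility into an MSP credential that suddenly "fans out" across many client environments. The following is an added illustration, not code from the original article or from any of the vendors mentioned: it runs a simple detection over a constructed set of authentication events and flags (a) any shared MSP account that reaches more than a threshold of distinct customer tenants inside a sliding time window, and (b) logins made without MFA. The event fields (`ts`, `user`, `tenant`, `mfa`), the account names and the thresholds are all assumptions chosen for the example.

```python
"""Flag shared MSP credentials that fan out across many customer tenants.

Added illustration, not from the original article. The event format
(fields: ts, user, tenant, mfa) and the thresholds are assumptions
chosen for this example; adapt them to your own identity/VPN logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one MSP support account touching several
# client tenants within an hour (two of those logins without MFA), a
# normal per-tenant analyst account, and a second MSP account that only
# reaches two tenants and so stays under the threshold.
SAMPLE_EVENTS = [
    {"ts": "2025-09-14T01:02:00", "user": "msp-support@example-msp.invalid", "tenant": "fund-a", "mfa": False},
    {"ts": "2025-09-14T01:10:00", "user": "msp-support@example-msp.invalid", "tenant": "fund-b", "mfa": True},
    {"ts": "2025-09-14T01:25:00", "user": "msp-support@example-msp.invalid", "tenant": "fund-c", "mfa": False},
    {"ts": "2025-09-14T01:40:00", "user": "msp-support@example-msp.invalid", "tenant": "fund-d", "mfa": True},
    {"ts": "2025-09-14T05:00:00", "user": "msp-support@example-msp.invalid", "tenant": "fund-e", "mfa": True},
    {"ts": "2025-09-14T01:05:00", "user": "analyst@fund-a.invalid", "tenant": "fund-a", "mfa": True},
    {"ts": "2025-09-14T02:30:00", "user": "analyst@fund-a.invalid", "tenant": "fund-a", "mfa": True},
    {"ts": "2025-09-14T03:00:00", "user": "msp-backup@example-msp.invalid", "tenant": "fund-a", "mfa": True},
    {"ts": "2025-09-14T03:20:00", "user": "msp-backup@example-msp.invalid", "tenant": "fund-b", "mfa": True},
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used by the constructed events."""
    return datetime.fromisoformat(value)


def find_fan_out(events, window=timedelta(hours=1), max_tenants=3):
    """Return {user: sorted tenants} for every identity whose logins reach
    more than max_tenants distinct tenants inside any sliding window.

    A single credential legitimately used by an MSP may touch a few client
    environments per day; touching many of them within an hour is the
    pattern a shared-access compromise produces and is worth an alert.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append((parse_ts(event["ts"]), event["tenant"]))

    flagged = defaultdict(set)
    for user, logins in by_user.items():
        logins.sort()  # chronological order so the window can slide
        left = 0
        for right in range(len(logins)):
            # Shrink the window from the left until it spans <= `window`.
            while logins[right][0] - logins[left][0] > window:
                left += 1
            tenants = {tenant for _, tenant in logins[left:right + 1]}
            if len(tenants) > max_tenants:
                flagged[user] |= tenants
    return {user: sorted(tenants) for user, tenants in flagged.items()}


def logins_without_mfa(events):
    """Return (user, tenant) pairs for every login that did not use MFA,
    in the order the events were recorded."""
    return [(e["user"], e["tenant"]) for e in events if not e["mfa"]]


if __name__ == "__main__":
    for user, tenants in find_fan_out(SAMPLE_EVENTS).items():
        print(f"ALERT fan-out: {user} reached {len(tenants)} tenants: {', '.join(tenants)}")
    for user, tenant in logins_without_mfa(SAMPLE_EVENTS):
        print(f"WARN no MFA: {user} -> {tenant}")
```

On the constructed data, the support account is flagged for reaching four tenants inside the one-hour window while the backup account (two tenants) and the per-tenant analyst are not, and the two non-MFA logins are listed separately. In practice the `window` and `max_tenants` values should be tuned against a baseline of the MSP's normal activity, and the fan-out alert is most useful when it is joined with the MFA check: a shared identity that both lacks MFA and spreads across client tenants is exactly the condition the recommendations above are meant to remove.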
The Qilin RaaS case underscores the urgent need for cybersecurity measures against ransomware, particularly when MSPs are compromised, and highlights the evolving role of state-sponsored cyber threats in modern attacks.