Qilin RaaS Linked to Massive South Korean MSP Breach, Exposing Over One Million Files
A cyberattack campaign dubbed “Korean Leaks” has hit South Korea’s financial sector hard. The operation, attributed primarily to the Qilin Ransomware-as-a-Service (RaaS) group, used a compromised Managed Service Provider (MSP) as the entry point into multiple financial institutions. More than one million files, roughly 2 terabytes of sensitive data, were stolen, and the campaign made South Korea the second most targeted country for ransomware in September 2025.
Qilin, known for its affiliate-based operating model, saw an unprecedented surge in activity against South Korea. The targeting was almost exclusively of asset management companies: 28 confirmed victims among the 33 attacks claimed in September 2025. Bitdefender researchers describe Qilin’s operation as a “gig economy”: the core operators supply the ransomware, infrastructure and branding and take a percentage of each ransom, while independent affiliates carry out the intrusions and keep the majority of the proceeds.
MSP Compromise as the Attack Vector
The concentration of victims in a single financial niche strongly suggested a common point of compromise, and press reports from September 23, 2025 confirmed it: more than twenty asset management firms were breached through a shared domestic IT service provider. Compromising the MSP gave the attackers simultaneous access to many client networks, which explains the speed and synchronized execution of the attack waves. This is the defining property of an MSP supply-chain attack: the provider’s remote-management access and credentials are trusted by every client, so one foothold becomes many.
The “Korean Leaks” campaign is particularly concerning because of early 2025 reports of a partnership between Qilin and Moonstone Sleet, a threat actor with suspected ties to North Korea. Such a collaboration blurs the line between purely criminal activity and state-sponsored operations, raising questions about the motives and objectives behind the attacks.
Phased Attack Strategy and Narrative
The attackers published their data in three distinct waves, a tactic designed to amplify pressure and control the narrative. The first wave, released on September 14, 2025, covered 10 organizations and was framed by the attackers as a public service exposing systemic corruption in the financial sector, an apparent attempt to win sympathy or deflect attention from the criminal nature of the operation.
Wave 2 escalated with threats against the entire Korean stock market, suggesting a broader ambition to disrupt financial operations or extract larger concessions. The third and final wave exposed nine additional victims and reverted to standard extortion messaging, dropping the earlier attempt to shape public perception.
Defense and Future Implications
The implications of a supply-chain attack on this scale are significant for the South Korean financial sector. Infiltration through an MSP underscores the need for robust third-party risk management and careful vetting of service providers, with particular attention to how much standing access a provider holds into client networks. Security researchers recommend mandatory multi-factor authentication, strict network segmentation to limit lateral movement, and EDR/XDR/MDR to shorten adversary dwell time in compromised networks. For MSP access specifically, MFA and segmentation matter most on the remote-management path itself: the provider’s accounts and tooling should reach only the client systems they administer, and their sessions should be logged and monitored by the client, not only by the provider.
The ongoing investigation into the full scope of the breach and the attribution of the actors involved will be crucial. Possible involvement of state-sponsored entities, as the Moonstone Sleet connection suggests, could carry diplomatic and geopolitical consequences. As the situation develops, financial institutions worldwide will be watching the response of South Korean authorities and the evolution of this threat.
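One concrete check a client of an MSP can run on its own access logs follows from the article’s central point: a single provider identity that opens sessions into many client networks in a short window, without MFA, is exactly the fan-out pattern a compromised MSP produces. The script below is an added illustration and is not code from the article, Bitdefender, or any vendor; the log format, the identity names (svc-rmm, j.park) and the client network names are constructed for the example, and the thresholds are assumptions to tune per environment.

```python
"""Detect a shared MSP identity fanning out across many client networks.

Added example, not from the article. The log format below is constructed:
one remote-access session per line with timestamp, MSP identity, the client
network reached, and whether MFA was used.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data): svc-rmm hits five client networks
# in ten minutes without MFA, while a technician j.park behaves normally.
SAMPLE_LOG = """\
2025-09-13T09:00:05Z j.park   client-am-01 mfa=yes
2025-09-13T14:12:40Z j.park   client-am-07 mfa=yes
2025-09-13T22:01:10Z svc-rmm  client-am-01 mfa=no
2025-09-13T22:02:31Z svc-rmm  client-am-02 mfa=no
2025-09-13T22:04:02Z svc-rmm  client-am-03 mfa=no
2025-09-13T22:07:19Z svc-rmm  client-am-04 mfa=no
2025-09-13T22:10:55Z svc-rmm  client-am-05 mfa=no
2025-09-14T08:30:00Z svc-rmm  client-am-01 mfa=no
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<identity>\S+)\s+(?P<network>\S+)\s+mfa=(?P<mfa>yes|no)$"
)


def parse_log(text):
    """Parse the constructed log format into a list of session dicts sorted by time."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({
            "ts": ts,
            "identity": m["identity"],
            "network": m["network"],
            "mfa": m["mfa"] == "yes",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def fan_out_alerts(events, max_networks=3, window=timedelta(hours=1)):
    """Return {identity: sorted networks} for every identity that reached more
    than `max_networks` distinct client networks within any sliding `window`.

    A sliding window per identity keeps only sessions newer than `window`;
    the largest distinct-network set seen in a window is reported.
    """
    by_identity = defaultdict(list)
    for e in events:
        by_identity[e["identity"]].append(e)

    alerts = {}
    for ident, sessions in by_identity.items():
        recent = deque()
        worst = set()
        for e in sessions:  # already sorted by timestamp from parse_log
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            nets = {r["network"] for r in recent}
            if len(nets) > max_networks and len(nets) > len(worst):
                worst = nets
        if worst:
            alerts[ident] = sorted(worst)
    return alerts


def no_mfa_sessions(events):
    """List (identity, network) for every session that did not use MFA."""
    return [(e["identity"], e["network"]) for e in events if not e["mfa"]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ident, nets in fan_out_alerts(evs).items():
        print(f"ALERT fan-out: {ident} reached {len(nets)} networks: {', '.join(nets)}")
    for ident, net in no_mfa_sessions(evs):
        print(f"WARN no MFA: {ident} -> {net}")
```

Run against the constructed sample, the fan-out check flags only svc-rmm (five networks in ten minutes) while j.park, who reaches two networks five hours apart with MFA, is not reported; the separate no-MFA listing then shows that every svc-rmm session lacked a second factor, which is the combination of signals a client should be able to see from its own side of the MSP relationship rather than only from the provider’s.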

