A sophisticated and unprecedented cyber campaign has struck the heart of South Korea’s financial infrastructure. In a sudden and violent surge, the notorious Qilin ransomware group—potentially aided by North Korean state-sponsored actors—launched a coordinated supply chain attack that compromised dozens of financial firms in a single month.
The operation, branded by the attackers as “Korean Leaks,” represents a dangerous evolution in the cyber threat landscape: the merging of profit-driven cybercrime with state-aligned espionage.
For years, the primary targets of major ransomware gangs have been organizations in the US, Canada, and Western Europe. However, September 2025 marked a drastic shift. According to Bitdefender’s analysis, South Korea suddenly spiked to become the second most-targeted country globally.
“For this period, South Korea (KR) suddenly became the second most-targeted country, with 25 victims claimed in a single month.”
This was not a random spray-and-pray operation. The victims were meticulously chosen: “With the exception of one construction firm, every victim was in the financial services sector.”
The campaign reveals a disturbing collaboration. The attack infrastructure was provided by Qilin, a major Ransomware-as-a-Service (RaaS) group known for its “double extortion” tactics. However, the execution suggests the involvement of Moonstone Sleet, a threat actor affiliated with the North Korean government.
“This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet) leveraging Managed Service Provider (MSP) compromise as the initial access vector.”
This partnership allows state actors to inflict damage and generate revenue while maintaining plausible deniability under the guise of a criminal enterprise.
Unlike typical ransomware attacks that focus quietly on negotiation, “Korean Leaks” was a loud, political spectacle. The attackers rolled out the leaks in three distinct waves, using aggressive rhetoric that targeted the nation’s stability rather than just individual companies.
“Instead, they used significant amounts of propaganda and political language and targeted the entire South Korean country and financial industry, a departure from typical cybercrime communication.”
The group went so far as to threaten the stability of the national stock market, claiming they possessed data that would “deal a serious blow to the entire Korean market.”
How did the attackers compromise so many highly regulated financial firms simultaneously? They didn’t hack them one by one. They hacked the company that manages them all.
Press reporting confirmed that a domestic IT service provider was the common link among the victims. By breaching this single upstream vendor, the attackers gained the keys to the kingdom.
“Exploiting a vendor, contractor, or MSP that has access to other businesses is a more prevalent and practical route that RaaS groups seeking clustered victims can take.”