South Korea’s financial sector has had a rough few months, and the reason isn’t a single breach or careless employee. It’s something much more coordinated, a supply-chain attack that slipped through a managed service provider and ended up delivering Qilin ransomware to more than two dozen financial organizations.
Bitdefender’s team started digging into the incident only after noticing something that didn’t line up with usual patterns. South Korea rarely appears anywhere near the top of ransomware victim charts; most months see one or two cases at most. Then September 2025 arrived, and the number jumped to twenty-five. That alone is enough to raise eyebrows, but the fact that all of them were tied to Qilin made the situation even more unusual.
Qilin isn’t new, but it has been expanding aggressively. By October, the group was claiming over 180 victims and accounting for nearly a third of all ransomware attacks globally. They operate under a RaaS model and tend to describe themselves in oddly patriotic terms, something a bit out of step with typical Russian-origin criminal groups.
What made this case even stranger was the possible involvement of Moonstone Sleet, a North Korean state-backed group. Microsoft has watched that group before, including a 2024 incident where they used their own ransomware variant, FakePenny, against a defense tech company. This year, their activity seems to have shifted, at least partly, toward deploying Qilin. Whether they directly carried out the Korean Leaks campaign is still uncertain, but the victim profile fits them almost too well.
The data theft itself happened in three batches. The attackers published the victims in waves, ten in mid-September, nine more a few days later, and another nine by early October. The stolen data reportedly exceeded two terabytes. A few victim posts vanished from the leak site shortly after appearing, which usually means a negotiation took place or the attackers backed off for reasons that probably won’t ever be public.
The tone of the leaks was another curveball. Most ransomware groups try to create panic by threatening disclosure of payroll files, personal data, or internal emails. Qilin went in a different direction at first. They framed the operation as some kind of crusade to expose corruption, warning of stock manipulation, political misconduct, and market instability. It sounded more like a political manifesto than an extortion note.
Later waves shifted back toward standard ransom language, which suggests Qilin’s core operators may have stepped in to control the messaging. Bitdefender pointed out that the group claims to have an internal “journalist team” that helps affiliates craft their public statements, something that would be almost funny if the consequences weren’t so severe.
The MSP angle may be the most important part of this entire incident. A single upstream provider was breached, and from there the attackers gained access to dozens of downstream clients. Korean media linked the intrusion to GJTec, which serves numerous asset management companies. Once the attackers had MSP-level access, the dominoes fell quickly.
Bitdefender’s conclusion is straightforward: supply-chain compromise remains one of the biggest blind spots in cybersecurity. It’s easier than ever for attackers to hit clusters of victims simply by targeting shared service providers. Controls like MFA, privilege reduction, segmentation, and attack-surface minimization are widely known but not always applied consistently across MSP environments.
The broader lesson is sometimes the weakest point in your security isn’t inside your company, it’s sitting inside a vendor you trust.
Source: The Hacker News