Qilin RaaS Breach at Korean MSP Exposes 1 Million Files and 2 TB of Data – Cyber Press
A major ransomware campaign named “Korean Leaks” has exposed the financial infrastructure of South Korea after a coordinated supply chain attack linked to the Qilin Ransomware-as-a-Service (RaaS) group.
The operation, which compromised a Managed Service Provider (MSP) supporting local asset management firms, resulted in the theft of confidential financial data from at least 33 companies, more than two terabytes in total.
Bitdefender researchers reported that the Qilin group, believed to be of Russian origin, was solely responsible for South Korea’s sudden spike in ransomware incidents between September and October 2025.
Traditionally active in Western markets, Qilin shifted focus dramatically, claiming 25 South Korean victims in a single month. Nearly all affected entities operated within the financial services sector.
The attacks unfolded in three waves under the campaign banner “Korean Leaks,” during which Qilin’s dark web leak site published hundreds of photos of stolen corporate documents.
The posts used political and propagandist language, threatening not just individual companies but South Korea’s entire stock market.
Some messages accused financial firms of corruption and called on regulators to “investigate the fraud network.”
Evidence also pointed to possible collaboration with North Korea’s Moonstone Sleet, a state-linked hacking group that became a Qilin affiliate earlier in 2025.
Analysts believe this partnership blurred the lines between financially motivated cybercrime and state-sponsored espionage, allowing the attackers to achieve both economic disruption and financial gain.
Bitdefender’s analysis identified a local Korean IT service provider as the source of the compromise: a third-party MSP that maintained remote access to dozens of clients in the asset management industry.
By breaching a single vendor, attackers gained simultaneous access to multiple financial firms, enabling a rapid, coordinated ransomware rollout.
This vendor-based intrusion model, though less publicized than supply chain code trojanization, is more common in practice and requires far less effort: the attacker rides the vendor’s legitimate remote-access path into every client rather than planting malicious code in a build or update.
Bitdefender’s telemetry confirmed that over 1 million stolen files were shared or referenced in Qilin’s leak posts, totaling about 2 TB of data. Many listings were later removed, suggesting ransom payments or private negotiations.
The attackers’ emphasis on data leaks rather than encryption highlighted an intelligence-gathering component beyond simple extortion.
The Korean Leaks campaign underscores the growing convergence of criminal and state actors using RaaS platforms for large-scale, politically charged operations.
Bitdefender recommends layered defenses against this kind of vendor-based compromise: multi-factor authentication on every remote-access path, least-privilege access for vendor and MSP accounts, network segmentation between the vendor’s management network and each client’s environment, and continuous endpoint monitoring so that a single vendor identity fanning out across many clients is noticed before the ransomware rollout completes.
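The pattern described above, one vendor account opening sessions into many client organizations in a short window, is something the client-side monitoring Bitdefender recommends can alert on. The following is an added example, not code from Bitdefender or from the report; it assumes a hypothetical CSV export from a remote-access gateway or RMM tool with the fields timestamp, vendor account, client organization, target host and event, and the log lines below are constructed, not taken from the incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (hypothetical format, not real incident data):
# timestamp,vendor_account,client_org,target_host,event
SAMPLE_LOG = """\
2025-09-30T01:02:10Z,msp-svc-01,alpha-asset,ALPHA-FS01,session_start
2025-09-30T01:03:44Z,msp-svc-01,beta-capital,BETA-DC01,session_start
2025-09-30T01:05:02Z,msp-svc-01,gamma-invest,GAMMA-FS02,session_start
2025-09-30T01:06:30Z,msp-svc-01,delta-fund,DELTA-APP01,session_start
2025-09-30T01:07:15Z,msp-svc-01,epsilon-am,EPS-FS01,session_start
2025-09-30T09:00:00Z,msp-tech-kim,alpha-asset,ALPHA-WS12,session_start
2025-09-30T14:30:00Z,msp-tech-kim,beta-capital,BETA-WS03,session_start
2025-10-01T10:15:00Z,msp-tech-kim,alpha-asset,ALPHA-WS12,session_start
"""


def parse_log(text):
    """Parse the hypothetical CSV export into a list of event dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, account, org, host, event = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "org": org,
            "host": host,
            "event": event,
        })
    return records


def detect_fanout(records, max_orgs=3, window=timedelta(hours=1)):
    """Flag vendor accounts that start sessions into more than max_orgs
    distinct client organizations inside any sliding window.

    Returns {account: (timestamp of first breach, sorted list of orgs seen
    in breaching windows)}. A technician servicing two or three clients over
    a working day stays quiet; an automated rollout across a client base
    in minutes does not.
    """
    by_account = defaultdict(list)
    for r in records:
        if r["event"] == "session_start":
            by_account[r["account"]].append(r)

    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda r: r["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # Advance the window start so only events within `window`
            # of the current event remain.
            while evs[start]["ts"] < ev["ts"] - window:
                start += 1
            orgs = {e["org"] for e in evs[start:end + 1]}
            if len(orgs) > max_orgs:
                first_ts, seen = alerts.get(account, (ev["ts"], set()))
                alerts[account] = (first_ts, seen | orgs)

    return {a: (ts, sorted(orgs)) for a, (ts, orgs) in alerts.items()}


if __name__ == "__main__":
    for account, (ts, orgs) in detect_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {account}: {len(orgs)} client orgs within 1h, "
              f"first exceeded at {ts.isoformat()}Z: {', '.join(orgs)}")
```

The threshold and window are the tuning knobs: set `max_orgs` just above the number of clients a single technician legitimately touches in an hour for your MSP, and feed the detector from the client side (your own gateway or EDR logs), because a vendor that has already been compromised cannot be trusted to report on itself.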

