Qilin ransomware targets 25 Korean finance firms in cyber surge
South Korea's financial sector has experienced a significant increase in targeted cyberattacks, attributed to the Qilin ransomware group.
The campaign, dubbed 'Korean Leaks,' has resulted in dozens of financial service firms being compromised over a short period, raising concerns over both cybercrime and geopolitical motivations.
Attack strategy
The campaign exploited managed service providers (MSPs) as an entry point, enabling attackers to gain access to multiple firms within the financial sector simultaneously. This coordinated method resulted in 25 organisations being claimed as victims in a single month, most of which are asset management companies. Only one construction firm outside the financial sector was impacted.
Victims' data, including over 1 million files and 2TB of information, was exfiltrated and posted on Qilin's private leak site. This site operates on the dark web and is used as leverage in double-extortion strategies, where threatening to publish stolen data increases ransom demands on targeted firms.
Criminal actors
Qilin runs on a ransomware-as-a-service (RaaS) model, where core operators provide the platform, branding, and distribution infrastructure, while affiliates (external contractors) carry out the intrusions and attacks. The structure allows considerable anonymity and fluid alliances among affiliates, making attribution difficult.
The campaign's sophistication suggests involvement from state-affiliated groups, specifically the North Korea-linked Moonstone Sleet, which reportedly participated as Qilin affiliates during this attack surge. This collaboration mixes traditional cybercrime with geopolitical aims, blurring the distinction between financially driven criminal activity and state-sponsored espionage or disruption.
Geopolitical dimension
A notable feature of the 'Korean Leaks' campaign is the use of political and systemic messaging in its ransom notes and data leak announcements. The communication not only targeted specific companies but also addressed wider audiences, threatening the reputation and stability of South Korea's entire financial sector. The attackers presented their actions as exposing corruption and called on enforcement agencies and journalists to investigate, leveraging both reputational and regulatory pressure on victims.
Early posts in the campaign referenced North Korean interests directly, but later messaging shifted focus exclusively to South Korean firms. This change may have reflected differing priorities among the criminal partners or an intention to increase pressure on domestic targets.
Campaign phases
Qilin's campaign unfolded in three distinct waves throughout September and early October 2025. Initial waves aggressively threatened systemic damage to South Korea's stock market and employed heightened political rhetoric. Later posts reverted to more conventional extortion tactics, focusing on individual companies' exposure.
An unusual pattern emerged in the subsequent removal of several victim posts from the leak site. These removals may indicate successful negotiations or internal policy shifts among the attackers.
Root cause
Analysis suggests the compromise of a single upstream IT service provider connected the cluster of victims. This scenario enabled rapid and broad deployment of ransomware across asset management companies, exposing a critical vulnerability in third-party risk management. Industry reporting in South Korea confirmed that the affected firms were linked by a shared domestic IT provider responsible for managing their systems.
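The concentration risk described under "Attack strategy" and "Root cause" (a cluster of firms all reachable through one shared IT provider) can be quantified before an incident rather than discovered after one. The following is an added example for defenders and is not code from the article, from Bitdefender, or from any of the firms involved; the firm and provider names are constructed sample data and the 50% flagging threshold is an assumed policy value:

```python
"""Third-party concentration ("blast radius") analysis for a portfolio of firms.

Added example, not from the article. It models the situation the article
describes: several asset managers depending on one shared IT provider, so
that a single upstream compromise fans out to all of them at once.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample data (hypothetical names, not the real victims): which
# third parties hold privileged access into each firm (remote management,
# patching, backup agents). In practice this comes from a vendor inventory.
FIRM_PROVIDERS: Dict[str, List[str]] = {
    "AssetCo-A": ["MSP-Alpha", "Backup-X"],
    "AssetCo-B": ["MSP-Alpha"],
    "AssetCo-C": ["MSP-Alpha", "Cloud-Y"],
    "AssetCo-D": ["MSP-Alpha"],
    "AssetCo-E": ["MSP-Beta", "Backup-X"],
    "BuildCo-F": ["MSP-Alpha"],
}


def provider_exposure(firm_providers: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Invert the firm->providers map: for each provider, the set of firms it can reach."""
    exposure: Dict[str, Set[str]] = defaultdict(set)
    for firm, providers in firm_providers.items():
        for provider in providers:
            exposure[provider].add(firm)
    return dict(exposure)


def blast_radius(firm_providers: Dict[str, List[str]], provider: str) -> List[str]:
    """Firms that a compromise of `provider` would expose, sorted for stable output."""
    return sorted(provider_exposure(firm_providers).get(provider, set()))


def concentration_report(
    firm_providers: Dict[str, List[str]], threshold: float = 0.5
) -> List[Tuple[str, float]]:
    """Providers whose reach covers at least `threshold` of the portfolio.

    Returns (provider, fraction_of_firms) pairs, largest reach first.
    The 0.5 default is an assumed policy value, not an industry figure.
    """
    total = len(firm_providers)
    if total == 0:
        return []
    flagged = []
    for provider, firms in provider_exposure(firm_providers).items():
        share = len(firms) / total
        if share >= threshold:
            flagged.append((provider, share))
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def sole_dependency_firms(firm_providers: Dict[str, List[str]]) -> List[str]:
    """Firms that rely on exactly one provider for privileged access.

    These have no fallback path if that provider's access must be cut during
    an incident, so they need an out-of-band recovery plan.
    """
    return sorted(firm for firm, providers in firm_providers.items() if len(providers) == 1)


if __name__ == "__main__":
    for provider, share in concentration_report(FIRM_PROVIDERS):
        print(f"{provider}: reaches {share:.0%} of firms -> {blast_radius(FIRM_PROVIDERS, provider)}")
    print("Single-provider firms:", sole_dependency_firms(FIRM_PROVIDERS))
```

Running the module on the sample data flags MSP-Alpha as reaching five of the six firms, which mirrors the shape of the campaign the article describes: the cluster of victims is not a list of unrelated targets but the reach of one upstream account. The same inversion works on real vendor inventories and is a cheap input to third-party risk reviews and to deciding where MSP access should be segmented or monitored most closely.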
Sectoral shift
Historically, ransomware campaigns in finance have concentrated on the United States, Canada, and European markets. The sudden spike in attacks on South Korean financial services represents a marked departure from this trend and highlights the globalisation and adaptability of RaaS operations.
Motive and consequences
Qilin portrays itself as a politically motivated actor or 'hacktivist' group in its public statements. Analysts note that while financial gain remains the primary objective, political messaging provides plausible deniability for affiliates with state ties and amplifies the impact of their campaigns on targeted sectors.
"The sheer speed and size of the attack waves over a limited time frame point to a shared liability that connected the victims," said Martin Zugec, Technical Solutions Director, Bitdefender.