The "Korean Leaks" Data Heist: How North Korea's Moonstone Sleet and Qilin Ransomware Weaponized an MSP to Target South Korea's Financial Sector


Bottom Line Up Front: In September 2025, a sophisticated hybrid cyber operation named "Korean Leaks" devastated South Korea's financial sector through a single managed service provider (MSP) breach, compromising 28 asset management firms and exfiltrating over 1 million files totaling 2TB of data. The campaign represents a dangerous convergence of North Korean state-sponsored cyber operations and Russian-based ransomware-as-a-service infrastructure, marking a watershed moment in the evolution of geopolitical cyber warfare.

The Statistical Anomaly That Exposed a Geopolitical Operation

When Bitdefender researchers prepared their October 2025 Threat Debrief, they noticed something extraordinary: South Korea had suddenly become the world's second-most targeted country for ransomware attacks, experiencing 25 victims in September 2025 alone—a dramatic surge from an average of just 2 victims per month between September 2024 and August 2025.

This 1,150% increase demanded immediate investigation. The findings revealed not just a cybercrime spree, but what security researchers now describe as a sophisticated supply chain attack combining the capabilities of a major Ransomware-as-a-Service operation with the strategic objectives of a North Korean state-affiliated threat actor.

The Architecture of Attack: MSP Compromise as Force Multiplier

The Korean Leaks campaign exploited a critical weakness in South Korea's digital infrastructure: the extensive reliance of small and medium-sized financial firms on managed service providers. Media reporting confirmed on September 23, 2025 that investigators had identified GJTec (also referred to as Jijetec) as the compromised IT service provider, the common link connecting all affected asset management companies.

This single point of failure enabled attackers to:

  • Gain simultaneous access to 28+ organizations through a single breach
  • Deploy ransomware across multiple victims with unprecedented speed
  • Maintain consistent operational security across all compromised environments
  • Exfiltrate massive data volumes while remaining undetected

The tight clustering of victims—24 in the financial sector, with only one construction firm—and the three distinct publication waves between September 14 and October 4, 2025, demonstrated sophisticated operational planning inconsistent with opportunistic cybercrime.

The Qilin-Moonstone Sleet Alliance: When Nation-States Join Ransomware Gangs

At the heart of the Korean Leaks campaign lies an unprecedented partnership that validates cybersecurity researchers' predictions about the blurring of state-sponsored and criminal cyber operations.

Qilin: The Ascendant Ransomware Empire

Qilin (also known as Agenda) emerged as 2025's most prolific ransomware operation, responsible for 29% of all ransomware attacks globally by October. The group's sophisticated Rust-based ransomware provides exceptional cross-platform capabilities targeting Windows, Linux, and ESXi environments, while their double-extortion model and "in-house journalists" create maximum pressure on victims.

Operating under a traditional Ransomware-as-a-Service model, Qilin recruits affiliates through Russian-language cybercrime forums, taking only 20% of ransom payments while providing the technical infrastructure, leak site management, and negotiation support. This efficiency has generated over $50 million in ransom payments during 2024 alone, with high-profile victims including Habib Bank AG Zurich (2.5TB stolen) and numerous healthcare organizations.

What makes Qilin particularly dangerous is their self-identification as "political activists" and "patriots of the country" despite likely Russian origins. This ideological positioning provides perfect cover for state-sponsored affiliates seeking plausible deniability.

Moonstone Sleet: North Korea's Revenue Generation Unit

Microsoft first identified Moonstone Sleet (previously tracked as Storm-1789) as a North Korean state-sponsored threat actor engaged in both financial gain and espionage operations. The group's traditional tactics included:

  • Creating fake companies to infiltrate cryptocurrency developers
  • Distributing trojanized software and malicious games
  • Deploying custom ransomware like FakePenny (which demanded $6.6 million in one documented attack)
  • Using sophisticated social engineering via LinkedIn, Telegram, and email

In February 2025, Microsoft observed a critical shift: Moonstone Sleet began deploying Qilin ransomware in limited attacks, marking the first time the group used a commercial RaaS platform instead of custom malware. This evolution represents a strategic calculation by North Korean cyber operators to maximize revenue generation while maintaining operational security through third-party infrastructure.

The partnership makes strategic sense for both parties:

  • Moonstone Sleet gains: Access to proven ransomware technology, established leak sites, and operational expertise
  • Qilin benefits: A sophisticated affiliate with advanced persistent threat capabilities and state-level resources

As detailed in our analysis of the global cybercrime empire, North Korea joined the Qilin ransomware gang as part of a broader strategy to expand into ransomware operations and maintain IT workers abroad to earn additional funds.

The Three Waves: Propaganda, Extortion, and Strategic Retreat

The Korean Leaks campaign unfolded across three distinct publication waves, each revealing different operational priorities:

Wave 1 (September 14, 2025): Ideological Warfare

Ten financial management firms appeared on Qilin's dedicated leak site with unprecedented messaging. Rather than standard extortion language, the attackers framed their campaign as a public service effort to expose systemic corruption, threatening to release:

  • Evidence of stock market manipulation
  • Names of well-known Korean politicians and businessmen
  • Files that could pose "severe risk to the Korean financial market"

This propaganda-heavy approach, emphasizing threats to South Korea's financial stability and citing data protection law violations, aligned perfectly with North Korean strategic objectives of destabilizing South Korea's economy while generating revenue.

Wave 2 (September 17-19, 2025): Escalating Pressure

Nine additional victims were posted with increasingly aggressive messaging, warning that data releases could trigger a national financial crisis. The attackers called on South Korean authorities to investigate the case, leveraging the country's strict data protection laws as additional pressure.

Wave 3 (September 28 - October 4, 2025): Return to Standard Extortion

The messaging shifted dramatically in the third wave, abandoning geopolitical rhetoric for traditional financially-motivated extortion. Bitdefender researchers assessed that Qilin's core operators—who maintain an "in-house team of journalists"—took control of the messaging, evidenced by signature grammatical inconsistencies appearing in the posts.

Notably, four victim posts were subsequently removed from the leak site—a highly unusual pattern suggesting successful ransom negotiations or unique internal policy decisions.

The Data Compromise: Scale and Sensitivity

While the Korean Leaks attackers provided nearly 300 photos of exfiltrated documents as proof of compromise, the full scope remains poorly documented. However, confirmed cases reveal:

  • Total files stolen: 1+ million files
  • Data volume: 2+ terabytes
  • Confirmed victims: 28 publicly disclosed (33 total, with 4 removed)
  • Compromised information types:
    • Tax-related documents
    • Employee personal information
    • Investor personal data
    • Strategic planning documents
    • Financial information and deal details
    • Trade secrets

South Korea's Personal Information Protection Commission (PIPC) launched an investigation after receiving multiple breach reports from asset management companies, all confirming they used GJTec's file server services. Financial authorities noted they had been monitoring the situation in advance but reported no immediate credit information leaks leading to monetary damage.

The Broader Context: 2025's Cyber Siege on South Korea

The Korean Leaks campaign emerged during what cybersecurity experts describe as an unprecedented assault on South Korea's digital infrastructure. Every month of 2025 brought major cyberattacks affecting millions across telecommunications, finance, and retail sectors:

January: GS Retail's 90,000 customer records compromised

February: Wemix blockchain unit suffered $6.2 million breach

April-May: SK Telecom's massive breach affected 23 million customers (nearly half of South Korea's population), requiring replacement SIM cards

June: Yes24 ransomware attack disrupted ticketing and e-commerce for four days

July:

  • Seoul Guarantee Insurance ransomware attack crippled core systems
  • North Korean Kimsuky group deployed AI-generated deepfakes in attacks

August:

  • Yes24 suffered second ransomware attack
  • Lotte Card breach exposed 200GB of data affecting ~3 million customers (undetected for 17 days)
  • Welcome Financial Group hit by ransomware with over 1TB of data stolen

September:

  • Korean Leaks campaign (28 victims)
  • KT telecommunications breach via fake base stations affecting 5,500 customers
  • Continued Kimsuky campaigns against embassies using AI-powered social engineering

Statistics released mid-year showed 1,887 cyber breaches in South Korea during the first half of 2025 alone—a dramatic increase attributed primarily to North Korean APTs including Lazarus Group, which maintained aggressive phishing, ransomware deployment, and cryptocurrency theft operations.

North Korea's Evolving Cyber Empire: From WannaCry to RaaS Partnerships

The Korean Leaks campaign represents the latest evolution in North Korea's sophisticated cybercrime operations, which have generated billions in revenue to fund the regime's nuclear weapons program.

The Historical Arc

2014-2016: Lazarus Group emerged with the Sony Pictures hack and devastating WannaCry 2.0 ransomware affecting 150+ countries and 300,000 computers

2017-Present: Shift toward cryptocurrency-focused operations following 2016 UN sanctions, with economic objectives surpassing political ones

February 2025: Achieved largest cryptocurrency theft in history—$1.5 billion in Ethereum stolen from Dubai-based Bybit exchange

2025: Integration into commercial RaaS platforms, including:

  • Moonstone Sleet joining Qilin as affiliate
  • Andariel/Jumpy Pisces collaborating with Play ransomware
  • Expansion into initial access brokering
  • Development of EtherHiding technique for embedding malware in blockchain smart contracts

The Strategic Calculation

North Korea's pivot to RaaS partnerships reflects sophisticated operational thinking:

  1. Plausible Deniability: State actors can claim criminal affiliates acted independently
  2. Revenue Maximization: Proven ransomware platforms generate higher returns than custom malware
  3. Operational Security: Third-party infrastructure complicates attribution
  4. Resource Efficiency: Leveraging existing criminal ecosystems reduces development costs

Cybersecurity firm Bitdefender noted: "We predicted that state-sponsored groups would start using criminal RaaS platforms, merging espionage with crime. This intentional blurring of threat actor categories helps state actors gain money and inflict great damage while ensuring plausible deniability."

The Supply Chain Blind Spot: Why MSP Compromises Are the Forgotten Threat

While cybersecurity discussions often focus on spectacular upstream software supply chain attacks (like SolarWinds or the 2025 NPM compromise affecting 2 billion weekly downloads), the Korean Leaks campaign exposes a more common but overlooked threat: downstream MSP compromise.

Bitdefender researchers emphasized: "The MSP compromise that triggered the 'Korean Leaks' operation highlights a critical blind spot in cybersecurity discussions. While supply chain attacks are a constant topic of discussion, the focus tends to be on upstream software supply chain compromise including the terrifying and high-impact risk of trojanized code or updates. While these attacks are undeniably catastrophic, they remain statistically rare."

In reality, MSP compromises offer ransomware operators:

  • Immediate access to multiple organizations through existing remote management tools
  • Privileged credentials for rapid lateral movement
  • Clustered targets within specific industries or regions
  • Existing trust relationships that delay detection

The 2025 cybersecurity landscape has validated this approach repeatedly:

  • January 2025: Qilin affiliates phished a ScreenConnect administrator, compromising the MSP's customers downstream
  • April-May 2025: UK retailers (M&S, Co-op, Harrods) compromised through shared service provider relationships
  • August 2025: Salesloft Drift OAuth breach affected 700+ organizations through third-party SaaS integration
  • September 2025: Korean Leaks through GJTec compromise

Technical Analysis: The Qilin Ransomware Arsenal

Understanding the Korean Leaks requires examining the technical sophistication of the Qilin ransomware platform:

Core Capabilities

  • Language: Written in Rust for memory safety and cross-platform efficiency
  • Target Systems: Windows, Linux, and VMware ESXi environments
  • Encryption: Hybrid scheme; files cannot be recovered without the operators' private key
  • Speed: Lightning-fast data exfiltration (Veeam servers compromised in ~2 hours)

Operational Features

  • Automated network propagation
  • Automated ransom negotiation panels
  • DDoS attack capabilities
  • Spam campaign functionality
  • "Call Lawyer" feature for affiliates facing legal issues

2025 Exploit Arsenal

Qilin affiliates actively exploited:

  • CVE-2024-21762 and CVE-2024-55591 (FortiGate appliances)
  • CVE-2025-31324 (SAP NetWeaver Visual Composer, zero-day)
  • Various VPN and RMM platform vulnerabilities

The Financial and Geopolitical Stakes

The Korean Leaks campaign transcends typical ransomware incidents due to its geopolitical dimensions and targeting of South Korea's financial infrastructure:

Immediate Impacts

  • Compromised firms: 28+ asset management companies
  • Data exposure: Tax documents, investor information, strategic plans
  • Regulatory scrutiny: PIPC investigation and potential data protection violations
  • Market confidence: Threats to "national financial crisis" created uncertainty

Strategic Implications

  1. North Korean Revenue Generation: Ransomware operations fund nuclear weapons program
  2. Economic Warfare: Attacks designed to destabilize South Korean financial markets
  3. Technology Transfer: State actors gain insight into financial sector operations
  4. Propaganda Value: Campaign framed as exposing Korean corruption

Regional Cybersecurity Crisis

South Korea's fragmented government response and shortage of cybersecurity talent (only 8.7% of surveyed companies acknowledge the need for dedicated staff) have left the nation vulnerable despite its status as a global technology leader.

In September 2025, South Korea's National Security Office announced "comprehensive" cyber measures through an interagency plan led by the president's office, with regulators signaling legal changes that would give the government power to launch probes at the first sign of hacking—even without a report from the affected company.

However, critics warn that centralizing all authority in a presidential "control tower" risks politicization and overreach. A better approach may balance central coordination with independent oversight and expert agency technical work.

Mitigation Strategies: Defending Against Hybrid State-Criminal Operations

The Korean Leaks campaign demands updated defensive strategies addressing both criminal ransomware and state-sponsored targeting:

Immediate Technical Controls

  1. Multi-Factor Authentication (MFA): Enforce across all remote access points, especially VPN portals
  2. Principle of Least Privilege (PoLP): Restrict access rights to minimum necessary
  3. Network Segmentation: Isolate critical systems and sensitive data
  4. Zero Trust Architecture: Implement verification for every access request

Supply Chain Risk Management

  1. Vendor Security Assessments: Continuous monitoring beyond annual questionnaires
  2. MSP Contract Reviews: Ensure clear security responsibilities and liability terms
  3. Third-Party Access Auditing: Regular review of all external privileged access
  4. Incident Response Coordination: Pre-established protocols with service providers

Detection and Response

  1. Enhanced Monitoring: Focus on MSP and vendor access patterns
  2. Threat Intelligence Integration: Track state-sponsored and criminal threat actors
  3. Backup Strategy: Immutable, offline backup systems isolated from production
  4. Incident Response Planning: Regular testing of comprehensive response plans
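One concrete form of the vendor-access monitoring called for above (Third-Party Access Auditing and Enhanced Monitoring of MSP access patterns), as an added example that is not part of the original article or of any Bitdefender tooling: the script applies a hypothetical vendor-access policy (maintenance window, daily read-volume baseline, per-hour host fan-out) to constructed file-server access logs and flags what the MSP service account did outside that policy. The log format, account and host names, and all thresholds are assumptions.

```python
"""Flag MSP / vendor service-account activity that breaks an agreed access policy.

Added example, not from the original article. The log format, the account and
host names, and the policy thresholds are assumptions; every record is constructed.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed file-server access log: timestamp | account | host | action | bytes.
# The 2025-09-12 afternoon burst models a vendor account reading ~2 TB across
# four customer file servers within minutes, outside the maintenance window.
LOG = """\
2025-09-10T02:15:00 msp-svc fs-acme READ 120000000
2025-09-10T02:40:00 msp-svc fs-acme WRITE 2000000
2025-09-12T13:05:00 msp-svc fs-acme READ 900000000000
2025-09-12T13:06:00 msp-svc fs-beta READ 700000000000
2025-09-12T13:07:00 msp-svc fs-gamma READ 400000000000
2025-09-12T13:09:00 msp-svc fs-delta READ 50000000
2025-09-13T03:00:00 jdoe fs-acme READ 5000000
"""

# Hypothetical policy agreed with the MSP in its contract.
POLICY = {
    "vendor_accounts": {"msp-svc"},
    "maintenance_window": (time(1, 0), time(5, 0)),   # 01:00-05:00 local
    "max_daily_read_bytes": 50 * 10**9,               # 50 GB/day read baseline
    "max_hosts_per_hour": 2,                          # fan-out threshold
}


def parse_log(text):
    """Parse 'ts account host action bytes' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, host, action, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "account": account,
                        "host": host, "action": action, "bytes": int(nbytes)})
    return records


def in_window(ts, window):
    start, end = window
    return start <= ts.time() < end


def detect_anomalies(records, policy):
    """Return sorted (rule, account, detail) tuples for vendor activity outside policy."""
    findings = set()
    daily_reads = defaultdict(int)      # (account, date) -> bytes read
    hourly_hosts = defaultdict(set)     # (account, date, hour) -> distinct hosts
    for r in records:
        if r["account"] not in policy["vendor_accounts"]:
            continue                    # staff accounts are judged by other baselines
        if not in_window(r["ts"], policy["maintenance_window"]):
            findings.add(("outside_maintenance_window", r["account"], r["ts"].isoformat()))
        if r["action"] == "READ":
            daily_reads[(r["account"], r["ts"].date())] += r["bytes"]
        hourly_hosts[(r["account"], r["ts"].date(), r["ts"].hour)].add(r["host"])
    for (account, day), total in daily_reads.items():
        if total > policy["max_daily_read_bytes"]:
            findings.add(("bulk_read_volume", account, f"{day} {total / 10**9:.0f} GB"))
    for (account, day, hour), hosts in hourly_hosts.items():
        if len(hosts) > policy["max_hosts_per_hour"]:
            findings.add(("host_fan_out", account, f"{day} {hour:02d}:00 {len(hosts)} hosts"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, account, detail in detect_anomalies(parse_log(LOG), POLICY):
        print(f"{rule:28} {account:10} {detail}")
```

Running it flags six events, all for the vendor account: four accesses outside the maintenance window, one day of roughly 2000 GB of reads, and a four-host fan-out within one hour, while the in-window work on 2025-09-10 and the employee's access pass silently.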

Strategic Considerations

  1. Geopolitical Threat Modeling: Incorporate state-sponsored threat actors into risk assessments
  2. Industry Collaboration: Share threat intelligence within financial sector
  3. Regulatory Compliance: Prepare for evolving breach notification requirements
  4. Executive Engagement: Board-level awareness of hybrid threats

The Future of Hybrid Cyber Warfare

The Korean Leaks campaign represents what cybersecurity experts predict will become the dominant threat paradigm: state-sponsored actors leveraging criminal infrastructure to achieve geopolitical objectives while maintaining plausible deniability.

  1. Increased APT-RaaS Collaboration: More nation-state actors joining commercial ransomware operations
  2. AI Integration: Both offensive (automated reconnaissance) and defensive (threat detection) capabilities
  3. Critical Infrastructure Targeting: Financial services, healthcare, energy sectors face elevated risk
  4. Supply Chain Focus: MSPs and third-party service providers become primary attack vectors

Policy Implications

The UK has already banned public sector ransomware payments, recognizing that funding criminal operations ultimately strengthens adversary capabilities. Similar policies may spread globally as governments grapple with the national security implications of ransomware funding state-sponsored operations.

International cooperation remains critical but faces challenges, as detailed in our analysis of 2025's global cybercrime crackdown:

  • Attribution complexity when state and criminal actors collaborate
  • Legal frameworks struggling to address hybrid threats
  • Jurisdictional issues preventing effective law enforcement
  • Geopolitical tensions limiting information sharing

Conclusion: A Watershed Moment in Cybersecurity

The Korean Leaks campaign of September 2025 represents more than another successful ransomware operation. It demonstrates the dangerous convergence of:

  • State-sponsored cyber operations seeking revenue and destabilization
  • Sophisticated criminal ransomware infrastructure
  • Supply chain vulnerabilities in critical sectors
  • The weaponization of third-party trust relationships

For South Korea specifically, the attacks exposed critical weaknesses in cybersecurity infrastructure, vendor risk management, and coordinated government response. Despite being a global technology leader with blazing-fast internet and companies like Samsung and LG, the nation faces a cybersecurity reckoning.

For the broader international community, Korean Leaks validates predictions that the line between cybercrime and cyber warfare will continue blurring. When North Korean hackers can partner with Russian-based ransomware operations to attack South Korean financial firms through compromised MSPs—all while framing attacks as political activism—traditional attribution and response frameworks become inadequate.

The most troubling aspect: If a sophisticated state actor like Moonstone Sleet can successfully operate as a Qilin affiliate, how many other nation-state operations are hiding within seemingly criminal ransomware campaigns?

As organizations worldwide assess their third-party relationships and governments develop new cyber defense strategies, the Korean Leaks campaign serves as a stark reminder that in modern cyber warfare, the most dangerous attacks often come through the trusted partners we least suspect.

