Case Study: Korean Leaks Campaign Compromises 32 Financial Firms Through a Single MSP
Overview

In September 2025, the Qilin ransomware group conducted a coordinated campaign against South Korean financial institutions, leveraging a single domestic IT service provider as the entry point into 32 financial firms.

The operation, publicly branded "Korean Leaks," unfolded in three publication waves between September 14 and October 2025, with attackers framing the campaign as exposing financial fraud while extracting more than 2 terabytes of data and over one million files from victim organizations.

North Korean state actor Moonstone Sleet has been documented operating as a Qilin affiliate since February 2025. While direct attribution of the Korean Leaks campaign to Moonstone Sleet has not been publicly confirmed, the alignment of targets has led security researchers to identify the operation as a probable example of state-criminal hybridization in the ransomware ecosystem.
Attack Details

The common link among the 32 affected firms was a single domestic managed service provider, GJTec, responsible for managing IT systems and file servers for South Korean asset managers and other financial institutions.

Initial access was achieved through the compromise of the MSP itself. The attackers then leveraged the MSP's standing privileged access into client networks to move laterally, using valid credentials rather than breaching each institution independently.

Across all three waves, the attackers exfiltrated more than 1 million files and over 2 terabytes of data, releasing nearly 300 photos of compromised documents.
Impact on Financial Services

The campaign triggered direct regulatory action. South Korea's Personal Information Protection Commission (PIPC) opened an investigation after receiving multiple breach reports.

Within the same month, South Korea's National Security Office announced comprehensive interagency cyber measures, including proposed legal changes that would allow regulators to initiate breach investigations at the first sign of compromise, without requiring victim company disclosures.
Lessons Learned

Identity-layer controls limit cascade impact

When initial access through an MSP is achieved, downstream propagation depends almost entirely on the credentials and access controls between the MSP and each client environment. Korean Leaks succeeded because the MSP held standing privileged access to client systems, and that access was inherited by the attackers once the MSP itself was compromised.

The lesson is general: any vendor whose access remains privileged and persistent represents a similar exposure for the institutions it serves.
Vendor risk has crossed a threshold

What was once treated as a question of individual due diligence is now a sector-level and, in cases like Korean Leaks, a near-national exposure. When vendor concentration reaches the levels visible in modern financial ecosystems, vendor risk becomes a sectoral and regulatory matter, not just a corporate one.
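The two lessons above, that standing privileged vendor access is inherited by whoever compromises the vendor and that vendor concentration turns one compromise into a sector-wide event, can be made measurable. The following Python script is an added example, not code from this report or from any organization named in it: it audits a constructed inventory of vendor access grants, computes the blast radius of each vendor identity (how many client environments one compromised credential can currently reach) and flags grants that are privileged and never expire. The grant fields, identity and client names, and the one-client-per-identity threshold are assumptions made for illustration.

```python
"""Vendor-access blast-radius audit (added example, not from the original report)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Grant:
    """One access grant a vendor identity holds into a client environment.

    Field names are assumptions for this example, not a real inventory schema.
    """
    identity: str                    # vendor account or service principal
    client: str                      # client institution reached by this grant
    role: str                        # role held in the client environment
    privileged: bool                 # True if the role is admin-equivalent
    expires_at: Optional[datetime]   # None means standing (never-expiring) access
    mfa_required: bool               # whether using the grant requires MFA


def active_grants(grants: List[Grant], now: datetime) -> List[Grant]:
    """Grants usable at `now`: standing ones, or time-bound ones not yet expired."""
    return [g for g in grants if g.expires_at is None or g.expires_at > now]


def blast_radius(grants: List[Grant], now: datetime) -> Dict[str, Set[str]]:
    """Map each vendor identity to the set of clients it can currently reach.

    This is the cascade exposure: if that one identity is compromised, every
    client in its set inherits the compromise, which is the MSP pattern above.
    """
    reach: Dict[str, Set[str]] = defaultdict(set)
    for g in active_grants(grants, now):
        reach[g.identity].add(g.client)
    return dict(reach)


def standing_privileged(grants: List[Grant]) -> List[Grant]:
    """Grants that are both privileged and never expire: the highest-risk class."""
    return [g for g in grants if g.privileged and g.expires_at is None]


def audit(grants: List[Grant], now: datetime, max_clients_per_identity: int = 1) -> List[str]:
    """Return human-readable findings. The threshold default is an illustrative choice."""
    findings: List[str] = []
    for g in standing_privileged(grants):
        findings.append(f"STANDING-PRIVILEGED: {g.identity} -> {g.client} ({g.role})")
    for g in active_grants(grants, now):
        if g.privileged and not g.mfa_required:
            findings.append(f"NO-MFA-PRIVILEGED: {g.identity} -> {g.client} ({g.role})")
    for identity, clients in sorted(blast_radius(grants, now).items()):
        if len(clients) > max_clients_per_identity:
            findings.append(
                f"SHARED-IDENTITY: {identity} reaches {len(clients)} clients: "
                + ", ".join(sorted(clients))
            )
    return findings


# Constructed reference time for the sample data below.
NOW = datetime(2025, 9, 14, 9, 0, tzinfo=timezone.utc)

# Constructed sample inventory: one shared service account with standing admin
# access into four clients (the cascade pattern), one engineer holding a
# just-in-time grant scoped to a single client, and one grant already expired.
SAMPLE_GRANTS: List[Grant] = [
    Grant("msp-svc-fileserver", "asset-mgr-a", "Domain Admin", True, None, False),
    Grant("msp-svc-fileserver", "asset-mgr-b", "Domain Admin", True, None, False),
    Grant("msp-svc-fileserver", "asset-mgr-c", "Domain Admin", True, None, False),
    Grant("msp-svc-fileserver", "asset-mgr-d", "Domain Admin", True, None, False),
    Grant("msp-eng-alice", "asset-mgr-a", "Server Operator", True, NOW + timedelta(hours=2), True),
    Grant("msp-eng-bob", "asset-mgr-b", "Server Operator", True, NOW - timedelta(days=1), True),
]


if __name__ == "__main__":
    for line in audit(SAMPLE_GRANTS, NOW):
        print(line)
```

Run against the sample inventory, the shared service account is reported four times as standing privileged access and once as a single identity reaching four clients, while the engineer's time-bound, MFA-backed grant to one client produces no finding. Replacing standing grants with per-client, expiring ones shrinks every identity's reachable set to one, which is the concrete form of the identity-layer control described above.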
Knowing vendors are vulnerable is one thing. Understanding where and how is another.
The next section maps the specific control failures that define finance’s vendor risk landscape.