
The Heist at the Financial Vault

  • Javier Conejo del Cerro
  • 27 Nov 2025
  • 3 min read

A single compromise of the South Korean financial MSP GJTec allowed Qilin ransomware operators to breach 28 financial organizations at once, turning a single intrusion into a nationwide cascade attack. This operation, tracked as Korean Leaks, combines a major Russian-speaking RaaS group (Qilin) with possible involvement from North Korean Moonstone Sleet, stealing over 2 TB and more than 1 million sensitive financial files. South Korea jumped from an average of 2 ransomware victims per month to 25 in September, becoming the second most targeted country globally.


Phase 1 — Surveillance Outside the Vault


Before breaking in, the attackers observed where South Korea’s financial sector was most dependent: its managed service provider infrastructure. An MSP compromise is a powerful multiplier: one breach grants keys to dozens of clients that rely on outsourced management for remote monitoring, software updates, and privileged administration.

Qilin’s growth made the case more alarming:

  • 29% of all ransomware attacks attributed to Qilin

  • 180+ new victims in October alone

This sudden spike in South Korean victims prompted deeper investigation — and exposed a coordinated supply-chain heist.


Phase 2 — The Break-In


The entry vector was spear-phishing GJTec administrators to steal:

  • Privileged MSP credentials

  • Multi-factor authentication credentials linked to their RMM tool

With this admin-level access, the attackers:

  1. Took over the MSP itself

  2. Pivoted into downstream financial clients

  3. Mass-deployed Qilin ransomware simultaneously

The result:

  • 28 financial firms encrypted

  • Over 2 TB and 1,000,000 financial records stolen

  • Three publishing waves on the Korean Leaks leak site, framed as exposing:

    • “stock market manipulation evidence”

    • political and business corruption

Later communications shifted to pure extortion, consistent with Qilin’s typical financially motivated operations.


Phase 3 — Inside the Safety Deposit Boxes


Once inside, the attackers quietly exfiltrated large volumes of sensitive financial data before triggering encryption. The ransomware group even claimed the involvement of an “in-house team of journalists” shaping propaganda-heavy announcements to pressure victims and destabilize South Korea’s financial market.

The operation demonstrates:

  • The blend of political narrative and financial extortion

  • The rising effectiveness of MSP supply-chain attacks

  • The increasing collaboration between ransomware affiliates and nation-state units

Moonstone Sleet has previously deployed custom ransomware (FakePenny) against defense targets, adding geopolitical interest to this case.


Phase 4 — Clearing the Escape Route


After encryption and exfiltration, the intruders attempted to monetize both:

  • Direct ransom

  • Threat of public leaks

  • Market destabilization narratives

Four victims were listed and later removed from the leak site, which suggests either:

  • A ransom was paid, or

  • A different internal negotiation policy


Measures to Fend Off the Heist


Organizations — especially financial institutions relying on MSPs — must:

  • Harden and continuously verify MSP identity access controls

  • Enforce multi-factor authentication and phishing-resistant credentials

  • Apply least privilege in remote management tools

  • Segment critical workloads away from MSP administrative access

  • Require MSPs to implement immutable, segregated backups

  • Continuously monitor RMM activity and lateral movement

  • Conduct joint ransomware response drills with MSP vendors

  • Review supply-chain risk posture regularly and contractually
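The monitoring item above is the one that would have surfaced this campaign earliest: a single MSP admin identity fanning out remote-execution actions across many client organizations in a short window is exactly what a mass deployment through an RMM tool looks like in the audit trail. The detector below is an added example written for this post, not code from the original article, from GJTec, or from any RMM vendor. The pipe-delimited log format, the field names, the account names and the thresholds are all constructed assumptions; map them onto whatever your RMM's audit export actually emits.

```python
"""Fan-out detector for RMM audit logs (added illustration, not vendor code).

Flags an actor whose high-risk RMM actions touch more distinct client
organizations or hosts than a normal maintenance task would inside one
sliding time window. The log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit export: timestamp | actor | action | client org | host
# The first seven lines model one MSP account pushing a remote shell to
# seven hosts at four different financial clients in under a minute.
SAMPLE_LOG = """\
2025-09-10T02:01:05Z|msp-admin-7|remote_shell|bank-a|ba-fs01
2025-09-10T02:01:09Z|msp-admin-7|remote_shell|bank-a|ba-db02
2025-09-10T02:01:12Z|msp-admin-7|remote_shell|broker-b|bb-app01
2025-09-10T02:01:20Z|msp-admin-7|remote_shell|broker-b|bb-app02
2025-09-10T02:01:31Z|msp-admin-7|remote_shell|insurer-c|ic-core01
2025-09-10T02:01:44Z|msp-admin-7|remote_shell|insurer-c|ic-core02
2025-09-10T02:02:00Z|msp-admin-7|remote_shell|fund-d|fd-srv01
2025-09-10T09:15:00Z|msp-admin-3|patch_deploy|bank-a|ba-ws11
2025-09-10T09:16:30Z|msp-admin-3|patch_deploy|bank-a|ba-ws12
2025-09-10T14:40:00Z|msp-admin-3|remote_shell|broker-b|bb-app01
"""

WINDOW = timedelta(minutes=10)   # assumed: look-back window per actor
MAX_ORGS = 2                     # assumed: more distinct client orgs => alert
MAX_HOSTS = 5                    # assumed: more distinct hosts => alert
# Actions that execute code on a client endpoint; routine patching is excluded
# so that scheduled maintenance does not trip the detector.
HIGH_RISK_ACTIONS = {"remote_shell", "script_push", "software_install"}


def parse_line(line):
    """Split one pipe-delimited audit line into a dict with a parsed timestamp."""
    ts, actor, action, org, host = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "actor": actor,
        "action": action,
        "org": org,
        "host": host,
    }


def detect_fan_out(log_text, window=WINDOW, max_orgs=MAX_ORGS, max_hosts=MAX_HOSTS):
    """Return one alert per actor whose high-risk actions exceed the fan-out limits.

    Events are grouped by actor and scanned with a sliding window; the window
    advances from the front whenever the newest event is older than `window`
    relative to the oldest event still inside it.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] in HIGH_RISK_ACTIONS:
            per_actor[e["actor"]].append(e)

    alerts = []
    for actor, evs in per_actor.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            current = evs[start:end + 1]
            orgs = {x["org"] for x in current}
            hosts = {x["host"] for x in current}
            if len(orgs) > max_orgs or len(hosts) > max_hosts:
                alerts.append({
                    "actor": actor,
                    "first": evs[start]["ts"],
                    "last": e["ts"],
                    "orgs": sorted(orgs),
                    "hosts": len(hosts),
                })
                break  # one alert per actor is enough to open a case
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(SAMPLE_LOG):
        print(f"{alert['actor']}: {alert['hosts']} hosts across {alert['orgs']} "
              f"between {alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

The detector deliberately keys on distinct client organizations rather than raw event counts: an MSP technician legitimately runs many commands on one tenant, but an identity crossing several unrelated financial clients with remote execution in a few minutes is the supply-chain signature worth paging on. Tune `MAX_ORGS` to the number of tenants a single technician is contractually allowed to administer in one shift, and feed alerts into the joint response drills the list above recommends.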


The Korean Leaks operation underscores how a single weak link in a managed service provider can instantly become a systemic financial crisis. Qilin and its affiliates demonstrated that ransomware is no longer a one-victim game — it’s a multiplier attack where compromising one trusted provider gives attackers a fast lane into dozens of high-value companies. The campaign’s mix of criminal extortion and geopolitical messaging highlights the blurred line between cybercrime and nation-aligned operations. Ultimately, the breach exposes a critical truth: third-party access must be treated with the same rigor as internal access, or one partner’s compromise can become everyone’s catastrophe.



The Hacker News
