South Korea’s financial industry hit in large-scale attack linked to Russian and North Korean hackers

South Korea’s financial industry was struck by a coordinated supply chain attack linked to Russian and North Korean threat actors, which resulted in the deployment of Qilin ransomware and the theft of sensitive data, cybersecurity firm Bitdefender confirmed.

When compiling research for its Threat Debrief October report, Bitdefender said it started investigating the campaign after noticing an unusual surge in ransomware incidents in South Korea in September. 

The country recorded 25 attacks that month, a profound difference from the monthly average of only two cases recorded between September 2024 and August this year. 

South Korea targeted in Qilin ransomware attacks

According to Bitdefender’s report published last Monday, South Korea has become the second-most affected country by ransomware this year, trailing the United States only. In about 33 cases, the software security firm identified, 25 cases were attributed to the Qilin ransomware group, and 24 of the compromised entities were within the financial industry. 

“This operation combined the capabilities of a major Ransomware-as-a-Service (RaaS) group, Qilin, with potential involvement from North Korean state-affiliated actors (Moonstone Sleet), leveraging Managed Service Provider (MSP) compromise as the initial access vector,” the report read.

Qilin is one of the most active ransomware groups this year, operating under a Ransomware-as-a-Service model and claiming more than 180 victims in October alone. According to threat intelligence from NCC Group, the operation is responsible for 29% of all ransomware attacks globally.

Although the group’s name comes from a Chinese mythological creature, Bitdefender believes Qilin has Russian roots. Its investigation found one of its founding members “BianLian” communicates in Russian and English and is highly active on Russian-speaking cybercrime forums. 

The group also avoids attacking organizations in the Commonwealth of Independent States, a common rule among ransomware operations based in Russia.

Qilin recruits hackers to carry out its attacks while the core operators take a share of the illicit profits. The group also boasts of having “an in-house team of journalists” to help affiliates craft extortion messages and posts for its data leak platform.

According to Bitdefender’s analysis on the Korean Leaks campaign, the hackers posed as “activists” and “patriots” by using political language to produce propaganda-style messages, and targeted the entire country’s financial industry. 

In one case from August 20 involving a construction company, the attackers warned that the stolen data had “military intelligence value.” The message claimed that plans and drawings for hundreds of completed projects, including bridges and liquefied natural gas tanks, were now publicly accessible. 

“A report on what was found in these documents is already being prepared for Comrade Kim Jong-un,” one of the leaked discussions in Qilin forums read, insinuating that hackers were sharing info with North Korea’s group leadership.

Qilin steals data totaling 2TB in three waves

The Korean Leaks operation, according to Bitdefender, unfolded in three waves that resulted in the theft of more than 1 million files and 2TB of data from 28 known victims. Posts linked to four additional entities were later removed from the data leak site, which could have been as a result of ransom payments or internal decisions by the operators.

The first wave was published on September 14 and included 10 victims from the financial management sector. The second wave followed between September 17 and September 19, adding nine more cases, while the third was released between September 28 and October 4, targeting another nine organizations. 

“We have data on dozens of companies. The Korean Leak is a reason to withdraw money from the country’s stock market, because we have a volume of data whose publication will definitely deal a serious blow to the entire Korean market. And we will definitely do it,” read one threat from the hackers during the second wave.

Bitdefender said the attackers framed the campaign as an effort to expose corruption, including threats to release documents that could be “evidence of stock market manipulation” and names of “well-known politicians and businessmen in Korea.”

On September 23, the Korean news publication JoongAng Daily reported that more than 20 asset management companies had been infected with ransomware after the breach of a service provider called GJTec.

Don’t just read crypto news. Understand it. Subscribe to our newsletter. It's free.