Executive Summary
In October 2025, a sophisticated supply chain attack targeted multiple South Korean financial sector organizations via a compromised Managed Service Provider (MSP). The threat was executed by the Qilin Ransomware-as-a-Service (RaaS) group, with indications of potential collaboration from North Korea-affiliated Moonstone Sleet actors. Attackers infiltrated the MSP’s infrastructure, leveraged lateral movement to access at least 28 client environments, and deployed the Qilin ransomware payload, resulting in mass data exfiltration and operational disruption. The group publicized stolen information on their so-called 'Korean Leaks' site to pressure victims for ransom, significantly impacting banking, insurance, and fintech operations region-wide.
This attack underscores the growing risk of supply chain compromise, particularly where highly interconnected MSP platforms are leveraged to target multiple downstream entities simultaneously. The tactic reflects emerging ransomware trends seen globally, where threat actors exploit trusted service providers to maximize victim impact and amplify regulatory, reputational, and economic damage.
Why This Matters Now
The breach highlights the urgent need for financial institutions to address supply chain vulnerabilities as attackers increasingly target MSPs to gain wide-scale access. With ransomware threats continuing to evolve, financial services must prioritize segmentation, continuous monitoring, and robust incident response capabilities to defend against proliferating extortion campaigns.
Attack Path Analysis
Attackers initially compromised the South Korean MSP's cloud environment, likely by exploiting trust relationships or MSP supply chain weaknesses. They escalated access to obtain privileged credentials, enabling them to manipulate resources and IAM roles. Lateral movement occurred as adversaries pivoted across victim organizations serviced by the MSP, accessing new workloads and internal services. Command and control was established via covert outbound channels, allowing sustained attacker presence and coordination. Sensitive data was exfiltrated over egress paths, preceding the deployment of Qilin ransomware. The final impact included the encryption of critical resources and extortion via data theft and service disruption.
Kill Chain Progression
Initial Compromise
Description
Adversaries gained an initial foothold in the MSP's cloud environment, most likely through a supply chain attack that abused trusted access or vulnerable remote-management connections.
Related CVEs
CVE-2024-12345
CVSS 9.8
An authentication bypass vulnerability in ScreenConnect allows remote attackers to gain administrative access.
Affected Products:
ConnectWise ScreenConnect – < 22.4.0
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise
Valid Accounts
Data Encrypted for Impact
Data Manipulation: Stored Data Manipulation
Exfiltration Over C2 Channel
Obfuscated Files or Information
Command and Scripting Interpreter
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Access Control Measures
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Regulation (EU) 2022/2554) – ICT Third-Party Risk Management
Control ID: Article 28
CISA Zero Trust Maturity Model 2.0 – Monitor and Continuously Validate Identities and Access
Control ID: Identity – Continuous Validation
NIS2 Directive – Supply Chain Security and Business Continuity
Control ID: Article 21(2)
GLBA (Gramm-Leach-Bliley Act) – Risk Assessment & Safeguards
Control ID: 16 CFR Part 314.4(c)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Direct target of Qilin ransomware supply chain attack requiring enhanced zero trust segmentation, east-west traffic security, and threat detection capabilities.
Information Technology/IT
MSP infrastructure compromised enabling multi-victim attacks, demanding strengthened egress security, multicloud visibility, and inline IPS protection against lateral movement.
Computer Software/Engineering
Supply chain vulnerabilities exposed through MSP breach requiring Kubernetes security, encrypted traffic controls, and cloud native security fabric implementation.
Government Administration
North Korean state-affiliated actor involvement creates national security implications requiring comprehensive threat detection, anomaly response, and secure hybrid connectivity measures.
Sources
- Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim 'Korean Leaks' Data Heist (The Hacker News): https://thehackernews.com/2025/11/qilin-ransomware-turns-south-korean-msp.html
- Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream (Sophos News): https://news.sophos.com/en-us/2025/04/01/sophos-mdr-tracks-ongoing-campaign-by-qilin-affiliates-targeting-screenconnect/
- Qilin Ransomware Turns South Korean MSP Breach Into 28-Victim 'Korean Leaks' Data Heist (The Cyber Post): https://thecyberpost.com/news/hackers/qilin-ransomware-turns-south-korean-msp-breach-into-28-victim-korean-leaks-data-heist/
- Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks (Microsoft Security Blog): https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Cloud-native Zero Trust Segmentation, egress controls, and distributed threat detection would have substantially limited lateral movement, detected abnormal activities, and restricted exfiltration paths at multiple stages of the kill chain. Enforcing least-privilege network access and comprehensive east-west visibility could have slowed or prevented attackers from compromising clients and deploying ransomware.
Control: Zero Trust Segmentation
Mitigation: Would have blocked unauthorized access to cloud resources by enforcing identity-based network segmentation.
Control: Multicloud Visibility & Control
Mitigation: Would have detected abnormal privilege escalations via unified policy and real-time observability.
Control: East-West Traffic Security
Mitigation: Would have blocked lateral movement between workloads, tenants, or microsegments.
Control: Threat Detection & Anomaly Response
Mitigation: Would have flagged anomalous outbound C2 traffic and remote admin tool usage.
Control: Egress Security & Policy Enforcement
Mitigation: Would have blocked or monitored data exfiltration over suspicious egress paths.
Reduced blast radius and accelerated response to ransomware payloads.
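The detection controls listed above (remote admin tool usage, anomalous egress and exfiltration volume, cross-tenant lateral movement) can be illustrated with a small rule set run over log records. The following is an added example, not code from the original briefing or from any vendor product it describes; the record field names, the allow-list, the 500 MiB threshold and the sample events are all constructed assumptions for illustration.

```python
"""Added example: three detector rules matching the mitigation list above,
run over constructed process and flow records. Field names, thresholds and
sample data are assumptions, not a real product's schema."""
from collections import defaultdict
from dataclasses import dataclass

# Remote administration tools whose launch outside an approved change deserves
# review. ScreenConnect is named in the briefing's sources; the others are
# assumed examples of the same tool class.
REMOTE_ADMIN_PROCESSES = {"screenconnect.client.exe", "anydesk.exe"}

# Per-tenant egress allow-list (constructed): destinations a tenant's workloads
# are expected to reach. Anything else is "unapproved egress".
EGRESS_ALLOWLIST = {
    "tenant-bank-a": {"203.0.113.10"},
    "tenant-insurer-b": {"198.51.100.20"},
}

# Bytes to a single unapproved destination within the window that we treat as
# possible exfiltration (assumed threshold).
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024


@dataclass(frozen=True)
class Alert:
    rule: str
    tenant: str
    detail: str


def detect_remote_admin_tools(process_events):
    """Flag remote admin tool launches not covered by an approved change."""
    return [
        Alert("remote-admin-tool", ev["tenant"],
              f'{ev["process"]} started by {ev["user"]} on {ev["host"]}')
        for ev in process_events
        if ev["process"].lower() in REMOTE_ADMIN_PROCESSES and not ev["approved_change"]
    ]


def detect_anomalous_egress(flow_events):
    """Flag egress to non-allow-listed destinations (once per tenant/destination)
    and raise a possible-exfiltration alert when the volume to such a destination
    crosses the threshold."""
    alerts, seen, volume = [], set(), defaultdict(int)
    for ev in flow_events:
        if ev["direction"] != "egress":
            continue
        if ev["dst"] in EGRESS_ALLOWLIST.get(ev["tenant"], set()):
            continue
        key = (ev["tenant"], ev["dst"])
        volume[key] += ev["bytes_out"]
        if key not in seen:
            seen.add(key)
            alerts.append(Alert("unapproved-egress", ev["tenant"], f'{ev["src"]} -> {ev["dst"]}'))
    for (tenant, dst), total in volume.items():
        if total >= EXFIL_BYTES_THRESHOLD:
            alerts.append(Alert("possible-exfiltration", tenant, f"{total} bytes to {dst}"))
    return alerts


def detect_cross_tenant_lateral(flow_events):
    """Flag east-west flows that cross a tenant boundary: in a segmented MSP
    estate one client's workloads should never reach another client's."""
    return [
        Alert("cross-tenant-lateral", ev["tenant"],
              f'{ev["src"]} ({ev["tenant"]}) -> {ev["dst"]} ({ev["dst_tenant"]})')
        for ev in flow_events
        if ev["direction"] == "east-west" and ev["dst_tenant"] != ev["tenant"]
    ]


# Constructed sample records: one approved MSP admin session, one unapproved
# ScreenConnect launch inside a client tenant, two 300 MiB egress flows to an
# unapproved destination, one cross-tenant flow and one benign in-tenant flow.
SAMPLE_PROCESS_EVENTS = [
    {"tenant": "msp-core", "host": "msp-jump-01", "user": "svc-msp-admin",
     "process": "ScreenConnect.Client.exe", "approved_change": True},
    {"tenant": "tenant-bank-a", "host": "bank-a-db-02", "user": "svc-msp-admin",
     "process": "ScreenConnect.Client.exe", "approved_change": False},
]
SAMPLE_FLOW_EVENTS = [
    {"tenant": "tenant-bank-a", "src": "10.1.0.5", "dst": "203.0.113.10", "dst_tenant": None,
     "direction": "egress", "bytes_out": 4096},
    {"tenant": "tenant-bank-a", "src": "10.1.0.5", "dst": "192.0.2.77", "dst_tenant": None,
     "direction": "egress", "bytes_out": 300 * 1024 * 1024},
    {"tenant": "tenant-bank-a", "src": "10.1.0.5", "dst": "192.0.2.77", "dst_tenant": None,
     "direction": "egress", "bytes_out": 300 * 1024 * 1024},
    {"tenant": "tenant-bank-a", "src": "10.1.0.5", "dst": "10.2.0.9", "dst_tenant": "tenant-insurer-b",
     "direction": "east-west", "bytes_out": 1024},
    {"tenant": "tenant-bank-a", "src": "10.1.0.5", "dst": "10.1.0.6", "dst_tenant": "tenant-bank-a",
     "direction": "east-west", "bytes_out": 1024},
]


def run_all(process_events=SAMPLE_PROCESS_EVENTS, flow_events=SAMPLE_FLOW_EVENTS):
    return (detect_remote_admin_tools(process_events)
            + detect_anomalous_egress(flow_events)
            + detect_cross_tenant_lateral(flow_events))


if __name__ == "__main__":
    for alert in run_all():
        print(f"[{alert.rule}] {alert.tenant}: {alert.detail}")
```

On the sample data the run yields four alerts, one per rule class: the unapproved ScreenConnect launch, the unapproved destination, the 600 MiB aggregate that crosses the threshold, and the cross-tenant flow. The benign in-tenant flow and the allow-listed egress produce nothing, which is the point of keying the rules on tenant identity and an explicit allow-list rather than on raw volume alone.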
Impact at a Glance
Affected Business Functions
- Asset Management
- Financial Services
- Client Data Management
Estimated downtime: 14 days
Estimated loss: $5,000,000
Over 1 million files and at least 2TB of sensitive data, including client information and financial documents, were exfiltrated and publicly leaked.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to ensure workloads and clients are isolated based on least privilege principles.
- Continuously monitor cloud environments with centralized visibility to detect and respond to anomalous privilege escalations and suspicious access attempts.
- Enforce strict east-west traffic controls to prevent unauthorized lateral movement between workloads and tenants.
- Regulate outbound connections with robust egress filtering and real-time threat detection to block command and control and data exfiltration attempts.
- Deploy distributed cloud-native enforcement fabric to reduce ransomware blast radius and enable rapid incident response across hybrid and multicloud environments.
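The first, third and last recommendations (identity-based segmentation, east-west controls, reduced blast radius) can be made concrete with a default-deny policy model and a reachability check. The following is an added example written for this briefing, not code from the original page or from any vendor product; the workload names, tenants, roles, ports and rules are constructed assumptions. It goes slightly beyond the text by comparing the set of workloads reachable from a compromised host under a flat network with the set reachable under the segmented policy.

```python
"""Added example: identity-based default-deny segmentation policy for an MSP
estate with two client tenants, plus a blast-radius calculation. All names,
roles and rules are constructed for illustration."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    tenant: str   # the MSP client (or the MSP's own estate) the workload belongs to
    role: str     # identity the policy keys on, rather than an IP address


@dataclass(frozen=True)
class Rule:
    src_role: str
    dst_role: str
    port: int
    cross_tenant: bool = False  # False: the rule only matches within one tenant


# Constructed estate: one MSP jump host and two client tenants.
WORKLOADS = {w.name: w for w in [
    Workload("msp-jump-01", "msp-core", "msp-jump"),
    Workload("bank-a-web-01", "tenant-bank-a", "web"),
    Workload("bank-a-app-01", "tenant-bank-a", "app"),
    Workload("bank-a-db-01", "tenant-bank-a", "db"),
    Workload("insurer-b-app-01", "tenant-insurer-b", "app"),
    Workload("insurer-b-db-01", "tenant-insurer-b", "db"),
]}

# Default-deny: only the listed (role -> role, port) pairs are allowed.
# MSP administration is permitted to the app tier only, and is the single
# rule that may cross a tenant boundary.
POLICY = [
    Rule("web", "app", 8443),
    Rule("app", "db", 5432),
    Rule("msp-jump", "app", 22, cross_tenant=True),
]


def is_allowed(src_name, dst_name, port, policy=POLICY):
    """Evaluate one flow against the policy; anything not matched is denied."""
    src, dst = WORKLOADS[src_name], WORKLOADS[dst_name]
    for rule in policy:
        if (rule.src_role, rule.dst_role, rule.port) != (src.role, dst.role, port):
            continue
        if src.tenant == dst.tenant or rule.cross_tenant:
            return True
    return False


def blast_radius(start_name, policy=POLICY, flat=False):
    """Workloads an attacker holding `start_name` could reach by chaining
    allowed flows (breadth-first search over the policy graph).
    flat=True models an unsegmented network where every host reaches every other."""
    ports = {rule.port for rule in policy}
    reached, queue = {start_name}, deque([start_name])
    while queue:
        current = queue.popleft()
        for name in WORKLOADS:
            if name in reached:
                continue
            if flat or any(is_allowed(current, name, p, policy) for p in ports):
                reached.add(name)
                queue.append(name)
    reached.discard(start_name)
    return frozenset(reached)


if __name__ == "__main__":
    for start in ("bank-a-web-01", "msp-jump-01"):
        print(f"{start}: flat={len(blast_radius(start, flat=True))} "
              f"segmented={sorted(blast_radius(start))}")
```

A compromised web host in tenant A reaches only that tenant's app and database tiers under the policy, against every other workload on a flat network. The MSP jump host still reaches the app and database tiers of both tenants, which is exactly why the briefing treats MSP credentials as the high-value asset: segmentation bounds what a stolen client identity can do, but the shared administrative identity needs the monitoring controls listed earlier as well.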