The Qilin ransomware group has claimed responsibility for a significant supply-chain attack originating from a breach at a South Korean Managed Service Provider (MSP). This incident has resulted in the compromise of 28 downstream client companies, with their stolen data being published on a dedicated leak site named ‘Korean Leaks.’
Cybersecurity firm Group-IB first reported on the campaign, which began with the compromise of an MSP that has not been publicly named. Using the access gained on the MSP’s systems, the Qilin threat actors moved into the networks of its clients. The victims span several sectors, including manufacturing, construction, financial services, and professional services.
The ‘Korean Leaks’ Extortion Campaign
Following the breach, the Qilin group established a new Tor data leak site specifically for this campaign, titled ‘Korean Leaks.’ On this site, the attackers created individual pages for each of the 28 affected companies. The group used these pages to publish stolen data and apply pressure on the victims to pay a ransom.
The exposed data includes a wide range of sensitive corporate information. Leaked files contained financial documents, contracts, project details, employee records, internal emails, and other confidential business data. The creation of a dedicated, country-specific leak site represents a focused extortion tactic by the ransomware-as-a-service (RaaS) operation.
Attack Vector and Impact
The attack is a textbook supply-chain compromise: a single breached service provider becomes the entry point into many other organizations. Qilin’s pivot from the MSP to its clients illustrates the inherent risk of third-party providers that hold privileged access to customer networks; whatever trust an MSP’s accounts and management tooling carry inside a client environment is inherited by whoever compromises the MSP. The group has listed each of the 28 victims on its leak portal, publicly naming them as part of its multi-extortion strategy.
Source: https://thehackernews.com/2024/11/qilin-ransomware-breaches-south-korean.html