
Qilin Ransomware Turned One Compromised MSP Into a Gateway to 28 Financial Firms

One compromised MSP gave Qilin ransomware access to 28 financial firms in a single campaign. Saudi banks must audit their vendor security posture before history repeats itself in the Kingdom.

FyntraLink Team

Between September and October 2025, a single compromised IT managed service provider (MSP) handed Qilin ransomware operators the keys to 28 South Korean financial institutions — all in under three weeks. The operation, dubbed "Korean Leaks," is not a regional anomaly. It is a precise blueprint for how the next large-scale attack on Saudi Arabia's financial sector could unfold, and why SAMA's third-party risk requirements are not bureaucratic overhead but operational survival.

The Korean Leaks Campaign: How One Vendor Opened 28 Doors

In September 2025, threat actors affiliated with the Qilin Ransomware-as-a-Service (RaaS) platform breached GJTec, a domestic South Korean MSP that managed servers and IT infrastructure for dozens of asset management and financial services firms. Rather than attacking each firm individually — a slow, resource-intensive approach — the attackers moved laterally through GJTec's privileged access and deployed ransomware payloads across client environments in three coordinated waves. The first wave on September 14 hit 10 institutions simultaneously. A second wave between September 17 and 19 added nine more victims. A third and final wave from September 28 to October 4 brought the total to 28 compromised organizations. Over two terabytes of sensitive data — more than one million files including client records, regulatory filings, and internal communications — were exfiltrated and published on Qilin's dark web leak site as part of a double-extortion strategy. Bitdefender's subsequent analysis linked the campaign to Moonstone Sleet, a North Korean state-affiliated actor operating as a Qilin affiliate, blending criminal ransomware motives with geopolitical objectives.

Qilin's Continued Escalation into 2026

The Korean Leaks campaign was not a one-off. Qilin entered 2026 as one of the most active ransomware groups globally, having claimed more than 1,000 victims on its leak site and adding 55 new victims in the first weeks of January alone. In March 2026, Qilin led ransomware activity across 30 active groups, conducting eight publicly disclosed attacks in a single month. The group's Rust-based payload offers highly configurable encryption, cross-platform targeting of Windows and Linux/ESXi environments, and sophisticated anti-analysis evasion. Its RaaS model means affiliates — ranging from criminal opportunists to state-sponsored actors — can execute attacks with minimal technical barriers, making Qilin a democratized tool for maximum-impact campaigns. The targeting of financial sector MSPs is no coincidence. A single MSP with privileged access to 20 or 30 clients offers a return on investment that individual attacks simply cannot match.

Why Saudi Financial Institutions Face Identical Exposure

Saudi Arabia's financial sector has undergone rapid digitization over the past five years, and with it a corresponding growth in third-party IT relationships — cloud infrastructure providers, core banking vendors, cybersecurity monitoring firms, and managed service providers that maintain privileged access to production systems around the clock. The same structural conditions that enabled Korean Leaks exist in the Kingdom today. Many financial institutions rely on shared MSPs with domain administrator credentials, VPN access, or remote desktop privileges into critical systems. If an MSP's own security posture is weak — unpatched VPN appliances, absence of phishing-resistant MFA, no network segmentation between clients — a single breach cascades across every institution it serves. Qilin actors have demonstrated a specific preference for this attack pattern, and Middle Eastern financial infrastructure is firmly within their operational scope. The financial motive is obvious, and the geopolitical dimension — given North Korean affiliates' active targeting of financial institutions globally — adds another layer of urgency for SAMA-regulated entities.

What SAMA CSCC Requires — and Where Gaps Typically Exist

The SAMA Cyber Security Framework (SAMA CSCC) contains explicit controls governing third-party and outsourcing risk. Under Domain 4 (Third-Party Cyber Security), regulated entities are required to assess the cybersecurity posture of all third parties with access to systems or data, enforce contractual security obligations, conduct periodic reviews, and ensure that vendor access is governed under the principle of least privilege. In practice, these controls are frequently implemented as checkbox exercises: a vendor questionnaire submitted once during onboarding, with no mechanism to verify the vendor's actual security posture or detect a breach on the vendor's side. The GJTec compromise was not detected by any of the 28 victim financial institutions before ransomware payloads detonated — it was detected only after data appeared on Qilin's leak site. A SAMA-compliant third-party risk program must go beyond self-attestation and include continuous monitoring, contractual incident notification obligations with defined response windows, and periodic penetration testing of vendor access pathways into the institution's network.

Practical Steps Saudi Banks Must Take Now

  1. Map all privileged third-party access: Conduct a complete inventory of every MSP, vendor, and contractor with administrative, VPN, or remote desktop access to production environments. Many institutions discover access relationships that have persisted long after the original business need expired.
  2. Enforce phishing-resistant MFA for all vendor access: Standard TOTP-based MFA is insufficient against adversary-in-the-middle attacks. Implement FIDO2 hardware keys or certificate-based authentication for all third-party remote access sessions. This alone would have significantly raised the cost of the GJTec campaign.
  3. Segment vendor access by client: MSPs should never have flat-network access that can pivot between client environments. Network segmentation and jump server architectures with session recording are mandatory controls, not optional enhancements.
  4. Require contractual breach notification within 2 hours: SAMA CSCC incident notification requirements apply to regulated entities, but those entities often have no contractual mechanism to compel their vendors to disclose breaches in time to contain them. Update vendor contracts to require immediate notification — within two hours — of any security incident that may affect the institution's systems or data.
  5. Conduct threat-led penetration testing of vendor access paths: Commission red team exercises that specifically simulate an attacker who has compromised your MSP's credentials. Assess whether lateral movement from the vendor's access point can reach critical banking systems, and validate segmentation controls under adversarial conditions.
  6. Establish a vendor security rating baseline: Deploy continuous security rating tools (SecurityScorecard, BitSight, or equivalent) to monitor the external attack surface of your top-tier vendors and receive automated alerts if a vendor's security posture deteriorates — potentially indicating a breach before the vendor itself acknowledges it.
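Steps 1, 3 and 5 above amount to one question a bank's security team should be able to answer from its own records: for each vendor account, is the access still justified, is it protected by phishing-resistant MFA, and which clients' critical systems could it reach if the vendor were compromised? The script below is an added illustration (not Fyntralink's tooling and not part of the original article) of that audit run over a constructed inventory and a constructed network segmentation model; every vendor, account and segment name in it is hypothetical, and the contractual expiry and last-use dates are sample values.

```python
"""Vendor-access audit over a constructed inventory (illustrative, not a real bank's data).

Flags the conditions the checklist describes: privileged access without
phishing-resistant MFA, access outliving its business need, stale accounts,
and vendor entry points from which critical segments of *other* clients are
reachable (the flat-network pivot that turned one MSP into 28 victims).
"""
from collections import deque
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# MFA methods treated as phishing-resistant; TOTP and push approval are not.
PHISHING_RESISTANT = {"fido2", "certificate"}
PRIVILEGED = {"domain_admin", "local_admin", "rdp", "vpn"}
AUDIT_DATE = date(2026, 4, 15)  # constructed "today" so the run is reproducible


@dataclass(frozen=True)
class VendorAccess:
    vendor: str              # MSP or contractor (hypothetical names)
    account: str             # account the vendor uses
    client: str              # institution the access was granted for
    privilege: str           # domain_admin | local_admin | rdp | vpn
    mfa: str                 # fido2 | certificate | totp | none
    entry_segment: str       # network segment the vendor session lands in
    last_used: date
    expires: Optional[date]  # contractual end of business need, if recorded


# Constructed segmentation model: segment -> (owner, is_critical, segments it may reach).
SEGMENTS: Dict[str, Tuple[str, bool, Set[str]]] = {
    "msp-alpha-jump":     ("MSP-Alpha", False, {"bank-a-mgmt", "bank-b-mgmt"}),  # shared, flat
    "bank-a-mgmt":        ("Bank-A",    False, {"bank-a-core"}),
    "bank-a-core":        ("Bank-A",    True,  set()),
    "bank-b-mgmt":        ("Bank-B",    False, {"bank-b-core"}),
    "bank-b-core":        ("Bank-B",    True,  set()),
    "bank-b-vendor-jump": ("Bank-B",    False, {"bank-b-core"}),  # per-client jump host
}

# Constructed inventory (sample data, not real accounts).
INVENTORY: List[VendorAccess] = [
    VendorAccess("MSP-Alpha", "svc-alpha-admin", "Bank-A", "domain_admin", "totp",
                 "msp-alpha-jump", date(2026, 3, 30), None),
    VendorAccess("MSP-Alpha", "svc-alpha-bankb", "Bank-B", "rdp", "fido2",
                 "bank-b-vendor-jump", date(2025, 10, 1), date(2025, 12, 31)),
    VendorAccess("Contractor-Beta", "ctr-beta-vpn", "Bank-B", "vpn", "certificate",
                 "bank-b-vendor-jump", date(2026, 4, 1), date(2026, 12, 31)),
]


def reachable(segments: Dict[str, Tuple[str, bool, Set[str]]], start: str) -> Set[str]:
    """Breadth-first walk over the allow-list: every segment reachable from start."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in segments[cur][2]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(segments, access: VendorAccess) -> Set[str]:
    """Clients whose critical segments this single access could reach."""
    return {segments[s][0] for s in reachable(segments, access.entry_segment) if segments[s][1]}


def blast_radius_by_vendor(inventory, segments) -> Dict[str, Set[str]]:
    """How many institutions one compromised vendor would expose (step 1's inventory view)."""
    out: Dict[str, Set[str]] = {}
    for a in inventory:
        out.setdefault(a.vendor, set()).update(blast_radius(segments, a))
    return out


def audit(inventory, segments, today: date, stale_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (account, finding_code, detail) for each checklist violation."""
    findings = []
    for a in inventory:
        if a.privilege in PRIVILEGED and a.mfa not in PHISHING_RESISTANT:
            findings.append((a.account, "WEAK_MFA", f"{a.privilege} access protected only by {a.mfa}"))
        if a.expires and a.expires < today:
            findings.append((a.account, "EXPIRED_NEED", f"business need ended {a.expires}"))
        idle = (today - a.last_used).days
        if idle > stale_days:
            findings.append((a.account, "STALE", f"unused for {idle} days"))
        crossed = blast_radius(segments, a) - {a.client}
        if crossed:
            findings.append((a.account, "CROSS_CLIENT_PIVOT",
                             f"reaches critical segments of {sorted(crossed)}"))
    return findings


def run_audit() -> List[Tuple[str, str, str]]:
    """Convenience wrapper: audit the constructed inventory as of AUDIT_DATE."""
    return audit(INVENTORY, SEGMENTS, AUDIT_DATE)


if __name__ == "__main__":
    for vendor, clients in blast_radius_by_vendor(INVENTORY, SEGMENTS).items():
        print(f"{vendor}: could expose {sorted(clients)}")
    for account, code, detail in run_audit():
        print(f"[{code}] {account}: {detail}")
```

On this sample the shared jump host is what produces the CROSS_CLIENT_PIVOT finding: the MSP-Alpha domain-admin account lands in a segment that can reach both banks' core segments, so its blast radius is two institutions even though it was granted for one. The same account also fails the MFA check (TOTP only), while the second MSP-Alpha account is flagged for outliving its contractual need and for being unused for months. In a real program the inventory would be pulled from the directory, VPN and PAM systems and the segment model from firewall policy, and the audit would run on a schedule rather than once at onboarding.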

Conclusion

The Korean Leaks campaign delivered a lesson that 28 South Korean financial institutions learned at significant cost: your attack surface does not end at your firewall — it extends to every vendor with a key to your network. Qilin is actively expanding its operational scope, its RaaS model lowers the barrier to entry for sophisticated attacks, and MSPs remain the most efficient attack vector for achieving maximum financial sector victims from a single initial compromise. Saudi banks operating under SAMA CSCC have the regulatory framework to address this risk — what many lack is the operational maturity to move beyond compliance documentation into genuine third-party risk management.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment, including a full review of your third-party access controls and vendor risk program against SAMA CSCC Domain 4 requirements.