
Korean Air Employee Data Breach Clop Ransomware Supply Chain Attack Report

  • Rescana
  • 1 hour ago
  • 5 min read

Executive Summary

On December 29, 2025, Korean Air disclosed a significant data breach affecting approximately 30,000 employee records, including names and bank account numbers. The breach originated from a cyberattack on KC&D Service, a former in-flight catering subsidiary of Korean Air that was sold to private equity firm Hahn & Company in 2020. According to official statements, no customer data was compromised, and the incident was limited to employee information. Korean Air responded by implementing emergency security measures, conducting a safety check on service integrations with KC&D, and voluntarily reporting the incident to relevant authorities. The company is working with KC&D to analyze the breach and prevent recurrence. This incident follows a similar breach at Asiana Airlines the previous week, highlighting an ongoing threat to the airline sector’s supply chain. All information in this summary is based on the official report published by Korea JoongAng Daily on December 29, 2025 (source).

Technical Information

The breach at Korean Air is part of a broader campaign targeting the aviation sector and its supply chain, with evidence pointing to the Clop ransomware group (also tracked as TA505/FIN11) as the likely threat actor. Public claims by Clop on dark web leak sites, as reported by multiple threat intelligence sources, indicate that the group is responsible for the attack on KC&D Service (Breachsense, DeXpose). This attribution is consistent with Clop’s 2025 campaign, which targeted aviation and supply chain organizations, including Envoy Air and other users of Oracle E-Business Suite (EBS) (Rescana, BleepingComputer).

The technical modus operandi of the 2025 Clop campaign involved exploitation of a critical zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882, CVSS 9.8). This vulnerability, located in the BI Publisher Integration component, allowed unauthenticated remote code execution (RCE). The exploit chain included server-side request forgery (SSRF) via crafted HTTP POST requests containing malicious XML, carriage return/line feed (CRLF) injection to manipulate HTTP headers, and request smuggling to an internet-exposed Oracle EBS application. Attackers then loaded a malicious XSLT template, which executed code on the server when previewed. This approach enabled the exfiltration of sensitive data without deploying commodity malware or ransomware payloads in some cases, although Clop is known for both data theft and encryption in other campaigns.

In the case of Korean Air, the breach was facilitated through a third-party vendor (KC&D Service), which had privileged access to employee data. The attack resulted in the compromise of approximately 30,000 employee records, specifically names and bank account numbers. No evidence has been published indicating that customer data or operational systems were affected. The breach was detected and reported internally on December 29, 2025, with emergency security measures enacted immediately upon discovery.

The MITRE ATT&CK framework mapping for this incident includes T1190 (Exploit Public-Facing Application) for initial access via the Oracle EBS zero-day, T1059 (Command and Scripting Interpreter) for code execution through malicious XSLT templates, and T1041 (Exfiltration Over C2 Channel) for data theft. While Clop campaigns often involve T1486 (Data Encrypted for Impact) and T1490 (Inhibit System Recovery), there is no evidence of ransomware encryption in this specific incident. Persistence and defense evasion techniques commonly used by Clop—such as scheduled tasks and credential dumping—have not been explicitly documented for the Korean Air breach but are relevant to the group’s broader tactics (MITRE ATT&CK: Clop).

The 2025 Clop campaign began with dark web advertisements for the Oracle EBS zero-day in June, followed by active exploitation in July and August, and public extortion and leak threats in September and October. The group’s focus on third-party vendors and supply chain partners, such as KC&D Service, is consistent with broader ransomware trends in 2025, maximizing impact by targeting organizations with privileged access to sensitive data.

Evidence supporting this technical assessment includes public claims by Clop, sector and timing overlap with other confirmed victims, and detailed technical analysis of the exploit chain in related incidents. However, no direct technical artifacts (such as malware samples, hashes, or ransom notes) have been published for the Korean Air incident specifically. The confidence level for attribution to Clop is therefore medium, while the technical details of the exploit chain are assessed with high confidence based on corroborated evidence from the broader 2025 campaign.

Affected Versions & Timeline

The breach affected employee data managed by KC&D Service, a former subsidiary of Korean Air. The specific vulnerability exploited in related attacks is Oracle E-Business Suite CVE-2025-61882, a critical zero-day in the BI Publisher Integration component. The timeline of the incident is as follows: the breach was discovered and reported internally on December 29, 2025, with emergency security measures implemented immediately thereafter. The compromised data includes names and bank account numbers of approximately 30,000 employees. No customer data or operational systems were reported as affected. The incident follows a similar breach at Asiana Airlines the previous week, indicating a pattern of sector-specific targeting in late 2025 (Korea JoongAng Daily).

Threat Activity

The threat activity associated with this breach is attributed to the Clop ransomware group, which has a documented history of exploiting zero-day vulnerabilities in widely used enterprise software for large-scale data theft and extortion. In 2025, Clop targeted aviation and supply chain organizations by exploiting the Oracle E-Business Suite zero-day (CVE-2025-61882). The group’s tactics included SSRF, CRLF injection, and malicious XSLT templates to achieve remote code execution and data exfiltration. Public claims by Clop on dark web leak sites specifically mention the attack on KC&D Service and threaten to leak stolen data unless contacted by the victim organization (Breachsense, DeXpose). This approach is consistent with Clop’s broader campaign, which has impacted multiple airlines and supply chain partners in 2025.

The group’s focus on third-party vendors and supply chain partners increases the risk of indirect compromise for organizations with complex vendor relationships. The aviation sector remains a high-value target due to its critical infrastructure and the potential for operational disruption. While no evidence of ransomware encryption has been reported in the Korean Air incident, Clop is known for both data theft and encryption in other attacks. The group’s tactics, techniques, and procedures (TTPs) are well-documented and align with the MITRE ATT&CK framework as described above.

Mitigation & Workarounds

The following mitigation and workaround recommendations are prioritized by severity:

Critical: Organizations using Oracle E-Business Suite must immediately apply all available security patches, especially for CVE-2025-61882, and review system logs for signs of exploitation. Internet-exposed Oracle EBS instances should be isolated or protected behind strong access controls and web application firewalls.

High: Conduct a comprehensive review of third-party vendor integrations, particularly those with access to sensitive employee or customer data. Require vendors to provide evidence of security controls and patch management practices. Implement strict least-privilege access for all third-party connections.

High: Monitor for indicators of compromise (IOCs) associated with the Clop ransomware group and related exploit activity. Establish robust incident response procedures for supply chain breaches, including rapid containment and notification protocols.

Medium: Enhance employee awareness and training regarding phishing, social engineering, and supply chain risks. Regularly test incident response plans with simulated supply chain breach scenarios.

Medium: Review and update data retention and minimization policies to limit the exposure of sensitive information in third-party systems.

Low: Engage in sector-wide information sharing with aviation and supply chain peers to stay informed about emerging threats and best practices.
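The exploit chain described under Technical Information (crafted XML POST, CRLF injection, SSRF) and the Critical recommendation to review system logs for signs of exploitation can be turned into a concrete log check. The script below is an added example, not code from Rescana or from the original report: it parses constructed web-access-log lines (combined format with a trailing Content-Type field), flags the traits of that chain, and tags each finding with ATT&CK T1190. All paths, addresses and the internal network range are placeholders, not real Oracle EBS endpoints.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format plus a trailing
# Content-Type field); paths and IPs are placeholders, not real EBS endpoints.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2025:10:01:07 +0000] "GET /ebs-app/login HTTP/1.1" 200 1532 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [12/Aug/2025:10:01:09 +0000] "POST /ebs-app/report/preview HTTP/1.1" 200 411 "-" "python-requests/2.31" "text/xml"
203.0.113.10 - - [12/Aug/2025:10:01:11 +0000] "GET /ebs-app/help?next=http://10.0.0.5/%0d%0aX-Injected:%201 HTTP/1.1" 302 0 "-" "python-requests/2.31" "-"
10.0.0.21 - - [12/Aug/2025:10:02:00 +0000] "POST /ebs-app/form/submit HTTP/1.1" 200 9820 "-" "Mozilla/5.0" "application/x-www-form-urlencoded"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" "(?P<ctype>[^"]*)"$')

# Assumed internal address space of the organisation (placeholder range).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def is_internal(host):
    """True if host is an IP literal inside INTERNAL_NETS (hostnames: False)."""
    try:
        return any(ipaddress.ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        return False

def findings_for(rec):
    """Suspicious traits of one parsed request, tagged with ATT&CK T1190."""
    out, decoded = [], unquote(rec["uri"])
    # Encoded CR/LF in a path or query string is never legitimate (CRLF stage).
    if "\r" in decoded or "\n" in decoded:
        out.append("T1190:crlf-injection")
    # A URL parameter aimed at an internal address (SSRF stage).
    if any(is_internal(h) for h in re.findall(r"https?://([^/\s:]+)", decoded)):
        out.append("T1190:ssrf-internal-target")
    # XML POST bodies reaching the app from outside the network (crafted-XML stage).
    if (rec["method"] == "POST" and "xml" in rec["ctype"].lower()
            and not is_internal(rec["ip"])):
        out.append("T1190:external-xml-post")
    return out

def scan(log_text):
    """Return (source ip, uri, findings) for every flagged request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (f := findings_for(m.groupdict())):
            hits.append((m["ip"], m["uri"], f))
    return hits
```

Run against real access logs, the `text/xml` POST rule will need tuning to the endpoints that legitimately accept XML; the CRLF rule has no legitimate matches and can page on its own.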

References

https://koreajoongangdaily.joins.com/news/2025-12-29/business/industry/Data-breach-at-Korean-Air-leaks-30000-employee-records/2488168
https://www.breachsense.com/breaches/korean-air-c-d-service-data-breach/
https://www.dexpose.io/clop-ransomware-targets-korean-air-co-ltd/
https://www.rescana.com/post/envoy-air-data-breach-clop-ransomware-exploits-oracle-e-business-suite-zero-day-cve-2025-61882
https://www.bleepingcomputer.com/news/security/american-airlines-subsidiary-envoy-confirms-oracle-data-theft-attack/
https://attack.mitre.org/software/S0611/

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with their vendors and supply chain partners. Our platform enables continuous visibility into vendor security posture, supports automated risk assessments, and facilitates rapid response to emerging threats. For questions about this incident or to discuss supply chain risk management strategies, contact us at ops@rescana.com.
