Prayukth KV
October 22, 2025
Decoding the Asahi brewery ransomware attack
Asahi Group Holdings, Ltd., one of Japan’s top beer manufacturers, announced separately on September 29 and October 3 that its systems were experiencing disruption due to a ransomware attack. The company subsequently halted production and conducted an investigation to determine the root cause of the incident and identify the systems affected. Production has now resumed, and starting October 15 Asahi Brewery also commenced partial shipments of various products, including Asahi Draft Beer and Asahi Dry Zero.
Read our analysis of the Jaguar Land Rover incident here.
To understand the attack on Asahi Group, we first have to understand the TTPs of the Qilin ransomware group, the threat actor behind the incident. In a message posted on its website late in the evening of October 7, the Russia-based Qilin claimed responsibility for the breach. This was just a week after the attack was reported. Qilin has become a major threat actor in the last few years, accounting for as much as 48 percent of breaches reported in the last two years. The group has taken over the affiliate networks of defunct threat actors, and it also works in close coordination with a known APT group based in the same region.
Qilin group TTP
Active since: 2021/22
Origin: Russia
Operational model: RaaS
Key strengths:
· Ability to carry out custom attacks on an industrial scale
· Underground links to North Korean threat actors who help both in modifying the malware and in carrying out secondary attacks and the sale of stolen data
· Qilin runs one of the largest ransomware affiliate networks in the world, which enables faster transfer and sale of stolen data and access
· Access to secondary markets for procuring stolen access credentials
· Insistence on validation of stolen credentials before commencing the actual attack
· The group sets aside a big chunk of ransom for its affiliates
· Use of data leaks to attract and recruit affiliates. This is the only group known to give away stolen data to potential affiliates for free (on occasion)
A typical attack begins with a phishing e-mail crafted to appear to come from a managed services provider. The e-mail is sent at a time when the target employees are likely to be busy and unable to give it enough attention. It spoofs an authentication alert asking employees to re-enter their login credentials as part of an ongoing systems upgrade.
Once the employee clicks the link, they are redirected to a spoofed website that appears genuine in every possible way. Once the employee enters their credentials on the spoofed site, a multi-factor authentication prompt is triggered through a one-time password (OTP). Once this is also entered on the spoofed site, the intrusion succeeds, with the attacker gaining credential-based access to the network and additional systems.
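The flow above hinges on a spoofed site that passes for the genuine provider portal and on an OTP typed into that site, which a real-time relay can forward to the real service before it expires (phishing-resistant methods such as FIDO2/WebAuthn bind the credential to the origin and cannot be relayed this way). One check a mail gateway or SOC can run over link destinations is a lookalike-domain score against the handful of domains such a lure would imitate. The Python below is an added illustration, not Shieldworkz code or anything from the Asahi investigation; the protected domains, homoglyph table and sample URLs are constructed, and the registrable-domain helper deliberately ignores the Public Suffix List.

```python
"""Lookalike-domain scoring for link destinations pulled from inbound mail.

Added example, not code from Shieldworkz or from the incident. Every domain
and URL below is constructed for the demonstration.
"""
from urllib.parse import urlparse

# Constructed: the organisation's identity provider and the portal of its
# managed-service provider, i.e. the brands a lure of the kind described above
# would imitate.
PROTECTED_DOMAINS = ("login.example.com", "acme-msp.com")

# Look-alike substitutions folded back to the letters they imitate; the
# two-character pairs come first so "rn" is handled before single characters.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def fold_homoglyphs(label: str) -> str:
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch transpositions and one-letter typos of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Naive registrable domain (last two labels). A production check would use
    the Public Suffix List so that names such as example.co.uk are split right."""
    return ".".join(host.split(".")[-2:])


def assess_url(url: str) -> dict:
    """Classify one URL as trusted, clean, suspicious or unparseable, with reasons."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    if not host or "." not in host:
        return {"url": url, "verdict": "unparseable", "reasons": []}

    # The protected name itself, or a real subdomain of it, is trusted.
    for p in PROTECTED_DOMAINS:
        if host == p or host.endswith("." + p):
            return {"url": url, "verdict": "trusted", "reasons": []}

    reasons = []
    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label: possible Unicode homoglyph domain")

    suspect_reg = registrable(host)
    suspect_label = labels[-2]          # the label a typosquat usually changes
    folded = fold_homoglyphs(suspect_label)

    for p in PROTECTED_DOMAINS:
        brand = p.split(".")[-2]
        if host.startswith(p + ".") or ("." + p + ".") in host:
            # e.g. login.example.com.account-verify.net
            reasons.append(f"{p} embedded as a subdomain of {suspect_reg}")
        elif folded == brand and suspect_label != brand:
            reasons.append(f"homoglyph of {brand}: {suspect_label}")
        elif folded == brand:
            reasons.append(f"registrable mismatch: {suspect_reg} vs {registrable(p)}")
        elif brand in folded:
            reasons.append(f"brand {brand} padded with extra tokens: {suspect_label}")
        else:
            distance = levenshtein(folded, brand)
            if distance <= 2 and len(brand) >= 6:
                reasons.append(f"{suspect_label} is within edit distance {distance} of {brand}")

    return {"url": url, "verdict": "suspicious" if reasons else "clean", "reasons": reasons}


# Constructed sample link destinations, as a mail gateway might extract them.
SAMPLE_URLS = [
    "https://login.example.com/auth",
    "https://sso.acme-msp.com/portal",
    "https://acrne-msp.com/login",
    "https://login.example.com.account-verify.net/",
    "https://acme-msp-support.com/reset",
    "https://exmaple.com/signin",
    "https://acme-msp.co/",
    "https://docs.python.org/3/",
    "acme-msp.com/login",
]

if __name__ == "__main__":
    for result in map(assess_url, SAMPLE_URLS):
        print(f"{result['verdict']:<11} {result['url']}  {'; '.join(result['reasons'])}")
```

The score is deliberately conservative: a genuine subdomain of a protected name is trusted outright, the edit-distance rule only fires for brands long enough that a distance of two is meaningful, and a "suspicious" verdict is a reason to rewrite or hold the link for review rather than proof of phishing.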
The group is known to do extensive research and data exfiltration on:
· The victim's active vendor directory, to identify all major vendors that offer app- or portal-based access to services
· The admins and super admins of such applications, mapped in order to target them
The group operates with a great deal of diligence in both identifying the target and crafting the messaging.
Once the threat actor gains access, a series of steps are triggered in the following sequence:
· Installing a remote desktop access application
· Multi-stage reconnaissance on target networks
· Exploiting CVEs
· Targeting backups for exfiltration
· Multi-loader-based ransomware deployment and public naming of the victim
· Using pressure tactics to get the victim to pay the ransom
· Sale of exfiltrated data
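The first and fourth steps in this sequence, a remote-access tool appearing on a host and backups being touched, are visible in endpoint telemetry well before any encryption. The Python below is an added example, not Shieldworkz code or anything taken from the Asahi investigation: it correlates the two over a constructed event list, with an assumed per-host allowlist of sanctioned remote-access tools and assumed backup share names, and raises a high-severity alert when backup access follows an unsanctioned tool on the same host within a time window.

```python
"""Correlate an unsanctioned remote-access tool with later backup access.

Added example, not code from Shieldworkz or from the Asahi investigation.
The event format, tool list, allowlist, share names and events are all
constructed for the demonstration.
"""
from datetime import datetime, timedelta

# Constructed: remote-access executables the organisation wants to notice,
# and the hosts on which a given tool is sanctioned (absent host -> none).
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "rustdesk.exe", "teamviewer.exe", "msra.exe"}
SANCTIONED = {"IT-ADMIN-01": {"anydesk.exe"}, "HR-WS-07": {"msra.exe"}}

# Constructed: UNC prefixes of backup storage, lower-case for comparison.
BACKUP_PREFIXES = ("\\\\bkp-srv\\", "\\\\nas01\\backups\\")
WINDOW = timedelta(hours=6)

# Constructed telemetry: (ISO timestamp, host, user, event type, detail)
EVENTS = [
    ("2025-01-05T07:00:00", "OPS-WS-03", "ops1", "file_read", "\\\\bkp-srv\\ops\\plc-configs.bak"),
    ("2025-01-05T09:02:11", "IT-ADMIN-01", "itops", "process", "C:\\Program Files\\AnyDesk\\anydesk.exe"),
    ("2025-01-05T10:00:00", "OPS-WS-03", "ops1", "process", "C:\\Users\\ops1\\Downloads\\rustdesk.exe"),
    ("2025-01-05T22:14:05", "FIN-WS-12", "jdoe", "process", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\anydesk.exe"),
    ("2025-01-05T23:40:51", "FIN-WS-12", "jdoe", "file_read", "\\\\bkp-srv\\finance\\2025-q3.bak"),
    ("2025-01-06T01:05:00", "FIN-WS-12", "jdoe", "file_read", "\\\\nas01\\backups\\hr-archive.zip"),
    ("2025-01-06T08:30:00", "HR-WS-07", "asmith", "process", "C:\\Windows\\System32\\msra.exe"),
    ("2025-01-06T09:00:00", "HR-WS-07", "asmith", "file_read", "\\\\bkp-srv\\hr\\payroll.bak"),
    ("2025-01-06T11:00:00", "IT-ADMIN-01", "itops", "file_read", "\\\\bkp-srv\\it\\gold-image.vhdx"),
]


def basename(path: str) -> str:
    """Executable name from a Windows or POSIX path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def load(raw):
    return [{"t": datetime.fromisoformat(t), "host": h, "user": u, "type": ty, "detail": d}
            for t, h, u, ty, d in raw]


def is_unsanctioned_tool(ev) -> bool:
    if ev["type"] != "process":
        return False
    exe = basename(ev["detail"])
    return exe in REMOTE_ACCESS_TOOLS and exe not in SANCTIONED.get(ev["host"], set())


def is_backup_read(ev) -> bool:
    return ev["type"] == "file_read" and ev["detail"].lower().startswith(BACKUP_PREFIXES)


def correlate(raw=EVENTS, window=WINDOW):
    """One alert per unsanctioned tool execution: 'high' if the same host then
    reads backup storage inside the window, otherwise 'medium'. Backup reads
    that precede the tool are not counted."""
    events = sorted(load(raw), key=lambda e: e["t"])
    alerts = []
    for ev in events:
        if not is_unsanctioned_tool(ev):
            continue
        follow_ups = [e["detail"] for e in events
                      if e["host"] == ev["host"] and is_backup_read(e)
                      and ev["t"] < e["t"] <= ev["t"] + window]
        alerts.append({
            "host": ev["host"], "user": ev["user"], "tool": basename(ev["detail"]),
            "tool_path": ev["detail"], "first_seen": ev["t"].isoformat(),
            "backup_paths": follow_ups,
            "severity": "high" if follow_ups else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate():
        print(alert["severity"].upper(), alert["host"], alert["tool"], alert["backup_paths"])
```

On the constructed events this yields a high-severity alert for FIN-WS-12 (a copy of AnyDesk run from a user's Temp directory, then two backup reads inside six hours) and a medium one for OPS-WS-03 (RustDesk from Downloads, with the only backup read having happened before the tool appeared); the sanctioned tools on IT-ADMIN-01 and HR-WS-07 produce nothing. The per-host allowlist is the part worth maintaining carefully, since a flat "AnyDesk is allowed" rule would have hidden the finance workstation.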
How did the cyber attack on Asahi Brewery happen?
We have no reason to believe that the threat actor chose a different path to data theft and ransomware deployment than the one above in the case of the Asahi brewery ransomware attack. The threat actor possibly gained access through a spoofed website, linked from an e-mail or embedded in a document shared possibly via a social media platform. Once the threat actor gained access, lateral movement began, with the threat actor netting more credentials via the ransomware and privilege escalation. The attack specifically targeted the finance and human resources departments.
Qilin exfiltrated almost 27.3 GB of data (over 9,673 documents) spread across disparate systems, including HR documents (among them a set of confidential employee assessments), financial documents including legal information and internal notes, contracts, and internal team-specific operational records. The group went after confidential reports and information of specific interest to investors and regulators in order to put more pressure on Asahi Group Holdings to pay the ransom.
The threat actor also targeted multiple backups, and the extent of the attack can be gauged from the fact that even the order booking system was still down as late as last week, with the company having to take orders by fax and record them with pen and paper. At the time of writing this report, another Japanese company in the real estate sector was also attacked by Qilin. It is possible that both events were coordinated through a known local affiliate of Qilin based in North Korea (the group has deep ties with North Korea).
The malware deployed in the attack was NETXLOADER, a stealthy malware that rides on a .NET-based malware loader. The loader can execute multiple payloads, which explains why various departments within Asahi Brewery were breached. Phased execution also provided a very high degree of stealth: the loader and the malware it executed could have remained undetected for a fair amount of time.
Once the attack was successful, Qilin asked Asahi Brewery to join an encrypted chat to initiate negotiations.
How can incidents like the Asahi Brewery cyberattack be prevented?
· Monitor the dark web and other credential-selling venues for any information linked to your infrastructure. Change your passwords as soon as you finish reading this document.
· Pay more attention to VPNs and other remote access means, and check whether they are hardened enough.
· Employees should be encouraged to report all instances of phishing and vishing. Early detection of such attempts can help identify a potential disclosure of credentials, or at the very least
· The logical place to start is (usually) employee sensitization. It is essential to ensure that employees are aware of the TTPs of threat actors like Qilin so that they do not fall for the techniques these groups use.
· Building adequate segmentation between networks enables faster containment of threats.
· Turn off systems and applications that are not in use.