The Blacknevas ransomware group has claimed a prolonged intrusion into MST, the Turkish industrial conglomerate operating Sanko Makina and ASKO Holding, which has ties to Turkey's defense manufacturing sector. According to the cybersecurity monitoring channels that first surfaced the incident, the attackers maintained persistent access for approximately seven months before exfiltrating sensitive data and issuing a ransom demand of 15 Bitcoin, worth several hundred thousand dollars at the market rate when the claim surfaced.
What Happened
Blacknevas operators quietly established and maintained a foothold inside MST's environment for roughly seven months, conducting reconnaissance and staged data exfiltration without triggering detection. The group surfaced publicly only after the theft was complete, posting MST to its leak site and demanding 15 BTC for non-disclosure. The seven-month figure comes from the actor's own claim as relayed by those monitoring channels, not from a published incident report, so it should be read as a claim rather than a confirmed timeline. If accurate, the dwell time alone places this incident among the longer industrial intrusions disclosed this year and is more consistent with a deliberate, intelligence-driven campaign than with an opportunistic smash-and-grab.
What Was Taken
Blacknevas claims to have exfiltrated a substantial volume of internal MST data during the seven-month operation. Given MST's role in Turkey's defense supply chain through Sanko Makina and ASKO Holding, the categories most at risk, inferred from its business rather than from any published inventory, include engineering documentation, manufacturing process data, supplier and procurement records, contract paperwork tied to defense customers, and internal correspondence. The exact dataset size has not been publicly disclosed. A 15 BTC demand suggests the actor believes it holds material with operational or intellectual property value beyond standard corporate records, but ransom figures are a negotiating position and are not a reliable proxy for what was actually taken.
Why It Matters
Defense-adjacent manufacturers sit at a sensitive intersection of commercial intellectual property and national security interests. A successful seven-month residency inside such an organization gives an attacker the time to map supply chain relationships, harvest engineering data, and identify downstream targets among customers and partners. Even if the immediate motive is extortion, the stolen data itself becomes a strategic asset that can be resold, repurposed for espionage, or weaponized against the broader defense ecosystem. For Turkey specifically, the breach touches on geopolitically sensitive ground at a time when its defense industry is expanding exports.
The Attack Technique
Public reporting on the initial access vector is limited, but the operational profile is consistent with Blacknevas's documented tradecraft: gain a foothold through phishing or exposed perimeter services, escalate privileges, rely on living-off-the-land binaries and legitimate administrative tooling for lateral movement, and stage data exfiltration over weeks or months before any encryption or extortion event. A seven-month dwell time, if the claim holds, points to gaps in endpoint detection, network segmentation, and egress monitoring. The absence of an early alarm despite sustained command and control activity suggests insufficient logging coverage or alert fatigue inside the SOC, although an actor operating on valid credentials over sanctioned channels (VPN, cloud storage, remote management tools) can also produce very little that a signature-based stack would flag.
What Organizations Should Do
- Hunt for long-dwell intrusions specifically. Assume detection tooling has missed something and run threat hunts targeting indicators of persistent access, including anomalous scheduled tasks, WMI event subscriptions, unusual or recently re-enabled service accounts, and outbound traffic to low-reputation or single-host destinations sustained over extended windows.
- Tighten egress monitoring and DLP. Months of staged exfiltration are far easier when outbound data flows are not baselined, and low-and-slow transfers are deliberately sized to stay under volumetric thresholds; enforce egress filtering, baseline per-host outbound volume, and alert both on volume spikes and on persistent flows to rare destinations.
- Segment OT and engineering environments from corporate IT. Defense manufacturers must keep design and production networks isolated, with strictly brokered access and independent monitoring.
- Enforce phishing-resistant MFA across all remote access. Eliminate SMS and push-only MFA on VPN, VDI, and email; require FIDO2/WebAuthn or certificate-based authentication for any externally reachable identity.
- Audit third-party and supplier connections. Defense supply chain breaches frequently pivot through trusted partners; review every vendor tunnel, jump host, and federated identity for least privilege.
- Rehearse extortion-only scenarios. Tabletop exercises that assume data theft without encryption, including legal, communications, and law enforcement coordination, should be standard for any organization holding defense-relevant information.
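The first two recommendations above (hunt for long-dwell access, baseline egress and alert on more than volume spikes) can be illustrated with a small hunting script. The following is an added example written for this page, not tooling from the article or from any vendor, and it runs over a constructed set of daily per-host outbound flow summaries rather than real MST data. Hostnames, destinations, byte counts and the tuning thresholds are all assumptions; the point is the contrast between a volumetric z-score check, which catches a one-off large upload but misses a steady 40 MB/day channel, and a persistence-plus-rarity check, which catches the steady channel that a seven-month exfiltration would look like.

```python
"""Hunt for low-and-slow exfiltration in daily outbound flow summaries.

Added example for this page, not code from the article. Input records are
(host, destination, day_number, bytes_out), e.g. one row per host/destination
per day as a NetFlow or proxy-log aggregation would produce. All data below
is constructed; thresholds are assumptions to tune against your own baseline.
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_sample_flows():
    """Constructed 30-day sample for three workstations.

    ENG-WS07 sends a steady ~40 MB/day to 203.0.113.44 (a destination no other
    host talks to) on top of ordinary traffic; FIN-WS12 does one large
    month-end upload on day 20. Everything else is shared, boring traffic.
    """
    flows = []
    for day in range(1, 31):
        flows.append(("ENG-WS07", "update.vendor.example", day, 25_000_000 + (day % 3) * 1_000_000))
        flows.append(("FIN-WS12", "update.vendor.example", day, 25_000_000))
        flows.append(("ENG-WS07", "cdn.example", day, 60_000_000))
        flows.append(("FIN-WS12", "cdn.example", day, 55_000_000))
        flows.append(("HR-WS03", "cdn.example", day, 50_000_000))
        flows.append(("HR-WS03", "mail.example", day, 8_000_000))
        flows.append(("FIN-WS12", "mail.example", day, 8_000_000))
        # The low-and-slow channel: small, steady, single-host destination.
        flows.append(("ENG-WS07", "203.0.113.44", day, 40_000_000 + (day % 2) * 500_000))
    # One-off legitimate-looking spike: a 900 MB upload to a partner share.
    flows.append(("FIN-WS12", "share.partner.example", 20, 900_000_000))
    return flows


def daily_totals(flows):
    """host -> day -> total bytes out."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, _dst, day, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def volumetric_anomalies(flows, z_threshold=3.0, min_days=7):
    """Flag (host, day, bytes) where a day's egress is z_threshold standard
    deviations above that host's own daily mean. Catches spikes, not trickles."""
    hits = []
    for host, per_day in daily_totals(flows).items():
        values = list(per_day.values())
        if len(values) < min_days:
            continue  # not enough history to baseline this host
        mu, sigma = mean(values), pstdev(values)
        for day, total in sorted(per_day.items()):
            if sigma > 0 and (total - mu) / sigma > z_threshold:
                hits.append((host, day, total))
    return hits


def persistent_rare_destinations(flows, min_days=21, max_hosts=1, min_bytes_per_day=1_000_000):
    """Flag (host, dst, active_days, total_bytes) where a destination seen from
    at most max_hosts hosts receives at least min_bytes_per_day on min_days or
    more days. This is the long-dwell pattern a volumetric threshold misses."""
    by_pair = defaultdict(lambda: defaultdict(int))   # (host, dst) -> day -> bytes
    hosts_per_dst = defaultdict(set)
    for host, dst, day, nbytes in flows:
        by_pair[(host, dst)][day] += nbytes
        hosts_per_dst[dst].add(host)
    hits = []
    for (host, dst), per_day in by_pair.items():
        if len(hosts_per_dst[dst]) > max_hosts:
            continue  # widely used destination, not rare
        active_days = [d for d, b in per_day.items() if b >= min_bytes_per_day]
        if len(active_days) >= min_days:
            hits.append((host, dst, len(active_days), sum(per_day.values())))
    return hits


def hunt(flows):
    """Run both checks; an analyst triages the union."""
    return {
        "volumetric": volumetric_anomalies(flows),
        "persistent_rare": persistent_rare_destinations(flows),
    }


if __name__ == "__main__":
    results = hunt(build_sample_flows())
    for check, hits in results.items():
        print(f"[{check}]")
        for hit in hits:
            print("  ", hit)
```

On the constructed data the volumetric check fires only on FIN-WS12's day-20 upload (a likely false positive worth a quick look), while the persistence check fires only on ENG-WS07 to 203.0.113.44, which moved about 1.2 GB across all 30 days without ever exceeding its own daily baseline. In production the aggregation step would come from NetFlow, firewall or proxy logs, `max_hosts` would be replaced by a destination allowlist and reputation lookup, and a median/MAD baseline is more robust than mean/standard deviation when the history already contains the anomaly.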