On May 22, 2026, the ransomware group APT73/Bashe publicly claimed responsibility for a cyberattack against Tapu ve Kadastro Genel Müdürlüğü (TKGM), Turkey's General Directorate of Land Registry and Cadastre. The group posted an extortion notice on its leak site threatening to publish stolen data unless the agency engages in negotiations, escalating concerns about the security of one of Turkey's most sensitive civil registries.
What Happened
According to threat actor postings dated May 22, 2026, APT73/Bashe added TKGM (tkgm.gov.tr) to its public victim list, stating: "The full leak will be published soon, unless a company representative contacts us via the channels provided." The notice follows the group's standard double-extortion playbook, in which exfiltrated data is used as leverage even if encryption is unsuccessful or recoverable. TKGM has not, at the time of publication, issued a formal statement confirming the intrusion, but the listing on the leak site is consistent with prior confirmed APT73/Bashe operations against government and critical infrastructure targets.
What Was Taken
APT73/Bashe has not yet published sample files or specified the volume of data exfiltrated. However, TKGM is the central authority responsible for Turkey's national land registry and cadastral records, meaning the agency holds:
- Property ownership records and title deeds for the entire country
- Personally identifiable information (PII) of property owners, including national ID numbers, addresses, and family relationships
- Cadastral maps and geospatial data covering both civilian and potentially sensitive state-owned parcels
- Internal administrative correspondence and employee data
- Financial transaction records tied to property transfers and tax assessments
Any leak of these datasets would carry severe downstream risks, ranging from large-scale identity fraud to fraudulent property claims and targeted social engineering against Turkish citizens.
Why It Matters
A successful breach of a national land registry is a strategic event, not a routine ransomware incident. Land registry data underpins legal property rights, mortgage lending, and government revenue collection. Manipulation, exposure, or destruction of these records could trigger long-term legal disputes and erode public trust in the integrity of property ownership records. For defenders, this incident reinforces the trend of ransomware operators prioritizing sovereign data stores held by mid-tier government agencies, which often lack the hardened security posture of military or intelligence networks but hold equally consequential data. APT73/Bashe, widely assessed to be a rebrand or affiliate of the LockBit ecosystem, has demonstrated a continued appetite for high-impact public sector targets.
The Attack Technique
Initial access vectors for this specific intrusion have not been disclosed. APT73/Bashe's known tradecraft historically includes:
- Exploitation of unpatched edge devices, including VPN appliances and firewalls
- Use of valid credentials sourced from infostealer logs sold on underground markets
- Phishing campaigns delivering loaders such as SocGholish or IcedID as precursors to ransomware deployment
- Living-off-the-land techniques using PowerShell, PsExec, and Cobalt Strike for lateral movement
- Data staging via Rclone or MEGA prior to encryption
Defenders should assume any of these vectors are in play until incident response findings are released.
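As an added example (not code from the source report or from any incident response on this case), here is one way to hunt process-creation telemetry for two of the behaviours listed above: Rclone-style data staging, including a renamed binary, and the PsExec service. The event tuples, host names, file paths and rule names are constructed for illustration; the matching generalizes beyond MEGA to any Rclone remote.

```python
import ntpath
import re
import shlex

# Constructed process-creation events (host, image path, command line).
SAMPLE_EVENTS = [
    ("db01", r"C:\Windows\System32\svchost.exe", r"svchost.exe -k netsvcs"),
    ("db01", r"C:\ProgramData\svc\winupd.exe",
     r"winupd.exe copy D:\export mega:bk --transfers 16 --config C:\ProgramData\svc\r.conf"),
    ("ws17", r"C:\Windows\PSEXESVC.exe", r"PSEXESVC.exe"),
    ("ws17", r"C:\Tools\rclone.exe", r"rclone.exe version"),
]

RCLONE_VERBS = {"copy", "sync", "move"}          # Rclone transfer subcommands
REMOTE = re.compile(r"^[A-Za-z0-9_-]{2,}:")      # remote:path; 2+ chars skips C:\ drives

def classify(image, cmdline):
    """Return the set of (hypothetical) rule names one event triggers."""
    hits = set()
    base = ntpath.basename(image).lower()
    # posix=False keeps Windows backslashes intact; drop argv[0].
    args = shlex.split(cmdline, posix=False)[1:]
    verb = args[0].lower() if args else ""
    has_remote = any(REMOTE.match(a) for a in args[1:])
    if verb in RCLONE_VERBS and has_remote:
        hits.add("rclone_transfer")
        if base != "rclone.exe":
            # Argument shape matches Rclone but the file name does not.
            hits.add("renamed_rclone")
    elif base == "rclone.exe":
        hits.add("rclone_present")
    if base == "psexesvc.exe":
        # Default name of the service binary PsExec drops on the target host.
        hits.add("psexec_service")
    return hits

def hunt(events):
    """Return sorted (host, rule) pairs for every event that triggers a rule."""
    return sorted((host, rule)
                  for host, image, cmd in events
                  for rule in classify(image, cmd))

if __name__ == "__main__":
    for host, rule in hunt(SAMPLE_EVENTS):
        print(host, rule)
```

Matching on argument shape rather than file name is what catches the renamed binary on db01; tune the verb list and allow-list known backup jobs before alerting on it.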
What Organizations Should Do
Government agencies and operators of sensitive civilian registries should treat this incident as a forcing function to revalidate their resilience posture:
- Audit all external-facing assets for unpatched CVEs, particularly in VPN concentrators, firewalls, and remote management appliances.
- Hunt for infostealer-derived credential exposure across employee and contractor accounts, and force resets where matches are found.
- Enforce phishing-resistant MFA on all administrative and remote access pathways, with no fallback to SMS or push approval.
- Validate that backups of critical registry databases are immutable, segmented from production identity infrastructure, and tested through full restore drills.
- Deploy network segmentation between record-keeping databases and general-purpose user environments to limit lateral movement.
- Engage qualified incident response counsel and forensic specialists in advance, so that the response playbook is operational before an event, not assembled during one.
Sources: APT73/Bashe Ransomware Attack on Turkey's TKGM - Malware News