Another driver for the growing susceptibility of mining organizations to cyberattacks is the rapid pace of digital transformation, including the sector-wide adoption of cloud computing, AI, process monitoring and automation, and Industrial Internet of Things (IIoT) technologies.
The frenetic deployment of these Fourth Industrial Revolution (4IR) technologies has created a plethora of new gateways linking previously segregated IT and OT networks, giving threat actors an exponentially expanded attack surface for digital exploitation and potential cyber-physical destruction.
The Intelligent Miner trade publication notes that, unlike IT systems focused on data storage and confidentiality, “OT systems prioritise physical safety and equipment availability.”
In this geopolitically inflamed threat landscape, research consultants Farmonaut project that “over 60% of mining operations will face targeted cyberattacks on their OT-IT integrated systems” this year.
Mining and Metals ISAC (MM-ISAC), the industry’s premier threat-intelligence-sharing consortium, reported last year that cyberattacks targeting the sector claimed 30 victims in 2024, up from just 10 the previous year. In an interview with trade publication Mining Technology, an MM-ISAC representative also warned that “there is a massive under-reporting in cyber incidents” across the industry.
The MM-ISAC representative also estimated that 80% of attacks targeting the sector were likely financially motivated. A prime example of this attack trend is the reported business email compromise (BEC) attack that swindled a publicly traded U.S.-based, critical mineral-focused mining victim out of $500,000 in February of this year.
In this case, Security Week reported that “hackers likely used their access to the company’s emails to send legitimate-looking messages designed to convince the recipient to redirect payments to or from a vendor” to a scammer-controlled bank account. That is to say, attackers had compromised a high-authority employee’s enterprise credentials and email account for at least a period of weeks, if not months, before executing their invoice fraud.
Regardless, it should be noted that nation-state actors often mask their cyberespionage activities under the guise of misleading motives like hacktivism and financially motivated cybercrime. Dovetailing with MM-ISAC’s research, one OT security vendor conducted a survey at the end of last year where cybersecurity leaders in the mining and metals sector provided detailed insights about the various impacts of cyberattacks on their organizations.
Capital and Operational Impacts
One key finding from this survey is that “nearly 70% of respondents reported a financial loss of $100,000 or more. And, over 30% reported a loss of $1,000,000 or more.” Additionally, 43% of survey respondents said they faced “ransomware demands of $1,000,000 or more to recover access to encrypted systems and files in order to resume operations.”
Some notable ransomware attacks that have struck the mining sector in recent years are BlackBasta’s breach of Canadian miner Alamos Gold in June 2023, BianLian’s breach of Australian miner Northern Minerals in June 2024, and an unidentified group’s extortion of Australian miner Evolution Mining in August 2024.
Furthermore, the most common adverse operational impacts of malicious cyberattacks in the mining and metals sector were “loss of customer or partner relationships (30%), public safety (28%), and production shutdown (26%),” according to the survey.
Notably, the survey found that, in 2024, 76% of respondents disclosed that “one or more cyber attack – and nearly half (41%) said five or more attacks – originated from third-party supplier access” to the cyber-physical systems (CPS) environment. The CPS environment consists of OT, Internet of Things (IoT) devices, and building management systems (BMS), according to the survey.
Digital Transformation Amplifies Supply-Chain Risks
More broadly, the last finding highlights the growing risk posed by third-party suppliers. This trend is particularly alarming given the accelerated rate of technology vendor onboarding in the mining and metals sector, as operators pursue vast digital transformation initiatives with unprecedented urgency.
Specifically, mining enterprises are increasingly partnering with cloud providers, robotics companies, process automation specialists, AI vendors, remote-access control vendors, and other technology suppliers as part of a sweeping push to enhance their operational efficiencies.
As noted by Farmonaut, 70% of mining organizations are projected to fully adopt cloud computing this year. Farmonaut noted that the “mining sector has begun embracing digital transformation, a process spurred by advancements in cloud technology and the evolving complexities of operational management.”
Specifically, Farmonaut noted that “modern mining operations generate colossal volumes of data from various sources,” such as geological surveys and drilling, machinery and equipment sensors, environmental sensors, and real-time monitoring systems. By embracing cloud transformation, Farmonaut estimates that miners can “reduce data processing times by up to 50%, accelerating decision-making and resource allocation.”
However, many mining organizations plunging headfirst into digital transformation engagements are in peril of prioritizing instant operational gratification at the expense of practical governance and cybersecurity risk management.
This growing 4IR tech vendor sprawl vastly expands the attack surface across mining and metals organizations. Farmonaut notes that “company-wide cybersecurity standards are hard to enforce across” this mushrooming vendor ecosystem. The intensifying great power competition between the U.S. and China also significantly increases cyber risks for mining organizations, particularly those focused on critical mineral extraction.
Rising Geopolitical Stakes
In the midst of this escalating rivalry that threatens to disrupt the long-held, U.S.-led unipolar world order, critical mineral supply chains have emerged as an urgent national security priority for both America and China.
So-called rare earth elements (REEs) and other critical minerals are key building blocks in consumer technologies like smartphones and laptops, fighter jets and defense systems, renewable energy architectures, and more.
In essence, critical minerals lie at the intersection of national security, economic policy, technological transformation, and climate strategy. Their importance has only increased as geopolitical tensions, rapid technological change, and the global energy transition converge.
Against this backdrop, U.S. policymakers have been galvanized to develop more secure and self-reliant supply chains for the 50 critical minerals and the subset of 17 REEs, which the U.S. Geological Survey (USGS) has deemed “essential to the economy and national security of the Nation,” according to a recent USGS blog post. The USGS’ critical designation of these minerals is also informed by how vulnerable their supply chains are to disruption.
Concerns about the resilience of critical mineral supply chains stem from the global trade shocks that first surfaced during the COVID-19 pandemic in 2020. This global public health crisis also sparked severe shortages of raw materials, intermediate goods, and finished products.
For U.S. policymakers, the pandemic inspired a whole-of-government mobilization to rethink how supply chains are structured not just for efficiency, but for strategic security and agility in the face of global shocks.
This concern is wholly merited, considering that “China controls 58 percent of global production of light rare earths and 90 percent of heavy rare earths,” according to the Hudson Institute think tank.
Meanwhile, Hudson researchers noted that the “remaining 10 percent of heavy rare earths are produced in Myanmar, a pariah state that is closely aligned with China” — and “even more importantly, China oversees 90 percent of rare earth processing from ores and accounts for more than 80 percent of the market for rare earth magnets.”
As Western policymakers ideate strategic initiatives to undermine Chinese hegemony over critical minerals, the unusually elevated cyberattack wave that targeted global mining and metals organizations in the summer of 2024 helps frame the growing climate of suspicion and distrust.
In addition to the ransomware attacks that struck Australian mining organizations Evolution and Northern Minerals that summer, fellow Aussie miner Iluka Resources also suffered a denial of service (DoS) attack in June 2024.
While the publicly unidentified attackers failed to gain access to Iluka’s systems, Cyberdaily.au noted that the “attack came just as Iluka Resources managing director Tom O’Leary called out China, claiming the country was rigging the prices of rare-earth metals to minimise the profits made by producers and gain a greater foothold on the world’s mineral resources.”
Cyberdaily.au quoted O’Leary as saying that price-rigging was “taking place via a number of binding offtake agreements with various companies, and via ownership, as in the well-documented case of Northern Minerals.”
O’Leary also alleged that “Chinese state-owned entities were making attempts to control mineral deposits and rare-metal production in Australia, specifically Victoria and Western Australia,” according to the news outlet.
Recent Dark Web Activity
Over the last year, InfraShield’s cyber-threat intelligence (CTI) analysts have observed numerous Dark Web listings advertising leaked databases and access credentials targeting mining and metals organizations. Below are some of the most significant posts collected by our analysts.
The most noteworthy listing documented by InfraShield is this June 9, 2025 promotion for a 50 GB dataset stolen from Peruvian mining consultants IMSS Consultores. This listing was posted on a Russian-language cybercriminal forum by a threat actor who goes by the handle ‘Sentap.’ Sentap is one of the most prolific lone-wolf threat actors actively targeting critical infrastructure firms today.
Sentap advertises IMSS Consultores database, Source: Exploit.in
On the same Russian-language forum, InfraShield CTI analysts identified numerous initial access listings for mining and metals organizations that were posted throughout 2024. Notably, these listings were all published by the same initial access broker (IAB), a threat actor who goes by the handle ‘ProfessorKliq.’
ProfessorKliq lists U.S. mining org RDWeb access for sale, Source: Exploit.in
ProfessorKliq lists Australian mining org CISCO VPN access for sale, Source: Exploit.in
These two underground auction posts illustrate ProfessorKliq’s cross-continental targeting of mining and metals organizations in both Australia and the United States. One listing offers VPN access to a major Australian mining firm with $6.9 billion in reported revenues, while the other advertises privileged RDWeb domain access to a U.S. mining company with $13.2 million in annual revenue.
The price points reflect the scale and strategic value of these breaches, with the Australian VPN access starting at $3,000 and the U.S. domain access at $400, highlighting both regional differences and the varying appeal based on company size and network privilege. Additionally, the IAB commented in both threads that their listings had sold.
Meanwhile, the most recent mining and metals access listing identified by InfraShield CTI analysts is this Exploit.in post published by threat actor ‘rawmeat’ on May 18, 2025. The threat actor advertised Remote Desktop Protocol (RDP) domain admin and full network access for a Canadian ("CA") mining company that generates $104.6 million in revenue.
rawmeat sells Canadian mining company domain admin RDP access, Source: Exploit.in
The listing highlights privileged domain admin rights—the highest level of user privilege in a Windows Active Directory (AD) environment—network-wide access, and five domain hosts, noting that the company is publicly traded and holds valuable data.
The auction started at $1,000 with incremental bids of $250 and a buy-now (“Blitz”) price of $1,500—significantly lower than other listings targeting larger firms. Notably, the listing sold within 24 hours, underscoring high demand for access to mining company networks.
How Can Mining and Metals Organizations Stay Secure?
In an increasingly adversarial geopolitical environment where cyberattacks are more frequently being operationalized in hybrid warfare, global mining organizations are facing unprecedented risks.
The Intelligent Miner advises mining organizations to incorporate the following five best practices into their broader cybersecurity strategy planning to mitigate growing threats:
- Invest in talent development: Mining companies must expand their recruitment pools to include IT specialists, cybersecurity analysts, and data scientists.
- Integrate IT and OT security: Developing a unified cybersecurity strategy to protect IT and OT systems is critical. This strategy includes segmenting networks, implementing multi-factor authentication, and monitoring for anomalies using AI-driven analytics.
- Promote leadership and collaboration: Strong leadership can dismantle organisational silos, fostering cross-functional collaboration between IT and operational teams.
- Enhance psychological and physical safety: Cybersecurity must be woven into the broader fabric of mining safety. By adopting frameworks that support psychological safety, organisations can empower employees to identify and address vulnerabilities proactively.
- Create clarity early: Cybersecurity is only as strong as its intentionality. As we move toward the energy transition in an increasingly interconnected world, explorers, developers, and producers must come to a consensus on the most critical assets to protect.