China’s dominance of rare earth element (REE) processing and refining gives it significant geopolitical leverage, driving accelerated competition for critical minerals across the deep sea, the Arctic, Greenland, Antarctica, and space. State-sponsored and criminal cyber threat actors are increasingly targeting mining organizations and regulators to gain strategic advantage, with groups like BianLian and APT15 linked to compromises and extortion. #BianLian #APT15
Key points
- China controls the majority of REE separation and refining capacity, creating strategic dependence for industrialized nations and prompting policy and investment responses from the US and allies.
- Mining for critical elements and REEs is expanding into new frontiers—deep sea, Arctic, Greenland, Antarctica, and space—raising legal, environmental, and geopolitical tensions.
- State-sponsored cyber actors (e.g., APT15 and other Chinese-linked groups) have targeted mining companies and seabed regulators to gain insight and leverage in resource competition.
- Criminal ransomware groups (e.g., BianLian) target mining firms for financial gain and may serve as cover or initial-access brokers for state-backed operations.
- High-profile incidents include ransomware leaks (Northern Minerals in 2024) and targeted campaigns against seabed-monitoring organizations and Indonesian infrastructure tied to nickel refining.
- Recommended mitigations include tightening access to supply-chain data, reducing account takeover risk, rapid credential replacement, ransomware recovery planning, and monitoring geopolitical mining hotspots.
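The mitigations listed above (tightening who can reach sensitive supply-chain data, reducing account-takeover risk, and shortening the useful life of credentials and keys) can be driven from a credential inventory. The following is an added example, not code from the Recorded Future report or from any organization it names: it audits a constructed inventory against hypothetical rotation limits, flags credentials that reach sensitive data without MFA, and orders them for rotation. The scope names, credential types, age limits and every inventory row are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Credential:
    cred_id: str
    owner: str
    kind: str            # "password", "api_key" or "ssh_key" (assumed types)
    issued: date
    mfa: bool            # whether the account behind it enforces MFA
    scopes: frozenset    # data sets the credential can reach


# Maximum useful life per credential type, in days (hypothetical policy values).
MAX_AGE_DAYS = {"password": 90, "api_key": 30, "ssh_key": 180}

# Data sets treated as sensitive supply-chain data (names constructed for the example).
SENSITIVE_SCOPES = frozenset({"supply-chain", "offtake-contracts"})

# Constructed inventory, shaped like an asset-management export; not real accounts.
INVENTORY = [
    Credential("c1", "geo-analyst", "password", date(2024, 1, 10), True, frozenset({"survey-data"})),
    Credential("c2", "erp-service", "api_key", date(2024, 1, 20), False, frozenset({"supply-chain"})),
    Credential("c3", "contractor-7", "ssh_key", date(2023, 6, 1), False,
               frozenset({"supply-chain", "offtake-contracts"})),
    Credential("c4", "cfo", "password", date(2024, 2, 20), True, frozenset({"offtake-contracts"})),
]

# Fixed "today" so the audit is reproducible offline.
TODAY = date(2024, 3, 1)


def age_days(cred, today=TODAY):
    """Days since the credential was issued."""
    return (today - cred.issued).days


def overdue(inventory, today=TODAY, max_age=MAX_AGE_DAYS):
    """Credentials past their maximum useful life, oldest first."""
    late = [c for c in inventory if age_days(c, today) > max_age[c.kind]]
    return sorted(late, key=lambda c: age_days(c, today), reverse=True)


def unprotected_sensitive(inventory, sensitive=SENSITIVE_SCOPES):
    """Credentials that reach sensitive data while the account lacks MFA (account-takeover exposure)."""
    return [c for c in inventory if not c.mfa and c.scopes & sensitive]


def scope_holders(inventory, scope):
    """Owners whose credentials can reach a given data set; the list to review when tightening access."""
    return [c.owner for c in inventory if scope in c.scopes]


def rotation_priority(inventory, today=TODAY):
    """Credential ids ordered for rotation: sensitive reach, then missing MFA, then overdue, then age."""
    def key(c):
        return (
            -int(bool(c.scopes & SENSITIVE_SCOPES)),
            -int(not c.mfa),
            -int(age_days(c, today) > MAX_AGE_DAYS[c.kind]),
            -age_days(c, today),
        )
    return [c.cred_id for c in sorted(inventory, key=key)]


if __name__ == "__main__":
    print("overdue:", [c.cred_id for c in overdue(INVENTORY)])
    print("sensitive without MFA:", [c.cred_id for c in unprotected_sensitive(INVENTORY)])
    print("supply-chain holders:", scope_holders(INVENTORY, "supply-chain"))
    print("rotate in this order:", rotation_priority(INVENTORY))
```

On the constructed inventory the contractor's 274-day-old SSH key and the ERP API key both exceed their limits and both reach supply-chain data without MFA, so they rotate first; the CFO's fresh password ranks next only because of what it can reach. The ordering key is deliberately explicit so that a team can change the policy (for example, shorter limits for keys that touch supply-chain data) without rewriting the audit.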
MITRE Techniques
- [T1078] Valid Accounts – Used for account takeover and unauthorized access to systems holding sensitive mining and supply-chain data (‘Reduce account takeover risk on the systems that hold this data’)
- [T1486] Data Encrypted for Impact – Ransomware used to disrupt and extort mining organizations and publish stolen data (‘ransomware group BianLian…published stolen data on the dark web’)
- [T1003] Credential Dumping – Theft and reuse of credentials and keys to enable persistent access or lateral movement (‘Shorten the “useful life” of stolen credentials and keys’)
- [T1195] Supply Chain Compromise – Targeting supply-chain relationships and third parties to gain strategic advantage or access (‘Tighten who can access sensitive supply-chain data’ and Chinese investments influencing mining companies)
Indicators of Compromise
- [Threat actor] Named groups linked to mining-targeted operations – BianLian, Silent Lynx (YoroTrooper), APT15
- [Victim organizations] Examples of compromised or targeted entities – Northern Minerals (Australia), an unnamed Canada-based mining company, and a seabed mining regulator
- [Access/exposure] Evidence of extortion and access sales – mining companies named on ransomware extortion sites and access to them being sold on dark web marketplaces (e.g., extortion posts and listings, and other dark web access sales)
Read more: https://www.recordedfuture.com/research/critical-minerals-and-cyber-operations