Industry Insights • 10 MIN READ
Cyber Threats Targeting the Australian Mining Industry – Key Findings
by Eleanor Barlow, Patrick McAteer • Oct 2024
According to data from Group-IB, over the last 365 days, there have been over 254 attacks targeting Australia. 65 attacks were made against the mining sector on a global level, and 5 of those attacks were specifically against Australian-based mining companies.
Whilst industries across the country face significant threats to their operations, the mining industry is of particular importance due to its significance to the Australian economy.
Australia’s Largest Export Industry
Mining is Australia’s largest export industry, making up about 50% of the country’s total exports. In the 2022-2023 fiscal year, these revenues reached $455 billion, as estimated by the Minerals Council of Australia.
In the same period, the number of Australians employed in the mining industry reached 200,000, with significant potential for expansion as the demand for rare metals, such as lithium, continues to grow.
A wide array of industries and service providers rely on and support the mining industry. Some of these sectors include the energy and chemical industries, where raw materials are used in the manufacturing process. Mining companies also contribute to the growth of other industries such as electronics.
Key Challenges the Mining Industry Faces
Across the globe, competition for natural resources, together with their role in economic development, has made the mining industry an attractive target for cyber threats.
As companies become more reliant on automation and other data-sensitive systems, these attacks are likely to become increasingly destructive. Moreover, as softening commodity prices and other external factors have led to a slowdown in growth, the industry finds itself especially vulnerable.
- Operational Disruption
As mining companies seek to modernise facilities, they have become increasingly dependent on automated and connective operational technologies to support remote workforces and control operations without being on-site.
Whilst this has brought numerous fiscal and safety benefits to the industry, it has also left companies vulnerable to attack where these systems are not configured and monitored correctly.
- Data Theft
The highly sensitive nature of information involved in the sector, such as geological surveys, creates further risks. Since the primary source of a mine’s value is its ore reserves, a breach could prove especially destructive.
In addition to financial setbacks, data breaches pose a threat to employees’ personal information, causing further problems such as identity theft.
- Ransomware Attacks
As mining operations become increasingly digitised, key components such as payroll are an attractive prospect for malicious actors. Ransomware attacks are a common means by which this data is encrypted and a ransom demanded for its release.
Listen to this podcast on the ransomware attack cycle here.
Aside from the obvious financial risks, the consequences of a ransomware attack could be far-reaching and cost significantly more in terms of downtime and data loss.
- Supply Chain Vulnerabilities
As systems are interconnected within the mining industry, bad actors are well-positioned to infiltrate weaker, third-party connections. In this case, compromising a single link could have widespread consequences not only for mining companies but for an array of connected industries.
Read more about Supply Chain Attacks here.
How SecurityHQ Solves These Challenges
‘SecurityHQ’s SOCs play a crucial role in enhancing the operations of both IT and Operational Technology (OT) for our mining customers. By integrating security protocols that are tailored to the unique challenges of the mining sector, we ensure that both environments operate smoothly and securely. Our SOC provides comprehensive standards and guidelines that help businesses comply with industry regulations. This not only minimizes risks but also strengthens their overall security posture. Our proactive monitoring and incident response capabilities ensure that threats are identified and addressed swiftly, thus maintaining operational continuity and protecting valuable assets.’ – Lavannya Daga, Regional CSM Lead, APAC, SecurityHQ
Important security protocols across the industry that SecurityHQ supports include:
- Access Control: Implement strict access controls to ensure that only authorized personnel can access sensitive areas and systems.
- Real-Time Monitoring: Deploy continuous monitoring solutions to detect anomalies and security breaches in real time. This includes intrusion detection systems (IDS) and Security Information and Event Management (SIEM) tools.
- Incident Response Plans: Develop and regularly update incident response plans specific to mining operations. This ensures quick and effective action in the event of a security breach or operational disruption.
- Vulnerability Assessments: Conduct regular vulnerability assessments and penetration testing to identify and address weaknesses in the environment.
- Compliance with Industry Standards: Adhere to industry standards and regulations, such as ISO/IEC 27001 for information security management and NIST guidelines for cybersecurity, by implementing a risk register and evaluating cyber posture.
‘Overall, the collaboration between the SecurityHQ SOC and mining operations fosters a safer, more resilient environment that supports both immediate and long-term business objectives. By implementing a few of these standards, we enable stakeholders across the organization to have improved visibility into potential vulnerabilities and security incidents.’ – Lavannya Daga, Regional CSM Lead, APAC, SecurityHQ
Top Five Threat Groups Targeting Australia
- INC Blog
INC Blog Ransomware is a recent cybercriminal group that has gained rapid notoriety. The group has distinguished itself through targeted ransomware attacks, as well as a focus on corporate and organisational networks.
- LockBit
LockBit is a Russian-based cybercriminal group offering Ransomware-as-a-Service (RaaS). The software enables malicious actors to carry out two-stage attacks in which a victim’s data is encrypted and ransomed. “From 1st April 2022 to 31st March 2023, LockBit accounted for 18% of the total reported Australian ransomware incidents.” – Australian Government
- DragonForce
DragonForce is a Malaysian hacktivist group utilising a similar two-stage attack strategy to LockBit. DragonForce has proven particularly effective through its use of customised ransomware attacks, through which ‘threat actors can leverage tactics such as changing the filename extensions of encrypted files and terminating specific processes and services.’ – Group-IB
- RansomHub
RansomHub is a Russian-oriented group that has claimed at least 227 victims in just 207 days through similar methods.
‘While RansomHub is not confined to a single industry and targets companies across various sectors, its primary targets are companies within the healthcare, finance, and government sectors.’ – Group-IB
- CACTUS
CACTUS follows a similar double-extortion method. Since observation began twelve months ago, the group has found significant success attacking large commercial entities, including some of the largest companies in the US, Italy, and the UK.
Top Five Threat Groups Targeting the Mining Industry on a Global Level
There is a significant overlap between the top groups targeting Australia and those targeting the mining industry. INC Blog, LockBit, and DragonForce were observed again, in addition to Play and BlackBasta.
- BlackBasta
BlackBasta is a ransomware operator that emerged in early 2022. Since then, the group has racked up several prominent enterprise victims, often originating in the US, UK, and Australia.
- Play
Play is a ransomware group behind over 300 successful incidents since June 2022, according to cybersecurity officials in the US and Australia.
Top Five Threat Groups Targeting the Mining Industry in Australia
- BianLian
BianLian is a cybercriminal group that has, since June 2022, targeted Australian critical infrastructure sectors in addition to professional services and property development.
- GTFire
First seen on the 18th of December 2023, GTFire is a group of threat actors abusing Google services to initiate phishing attacks. Their geographic reach is vast and includes the United Arab Emirates, Austria, Australia, Bangladesh, Belgium, Canada, Switzerland, Chile, China, Colombia, Costa Rica, Czech Republic, Germany, Denmark, Dominican Republic, Egypt, Spain, France, United Kingdom, Georgia, Greece, Hong Kong, Israel, India, Italy, Jamaica, Japan, Moldova, Mexico, Malaysia, Netherlands, Norway, New Zealand, Panama, Peru, Philippines, Pakistan, and Russia.
As well as multiple geographies, the group targets multiple industries. These include Advertising, Commerce, Consumer Goods, Education, Energy, Events, Financial Services, Government, Health Care, IT and Cyber Security, Internet Services, Manufacturing, Media & Entertainment, Telecommunications, Mining, Non-Profit, Consulting, Science and Engineering, Transportation, Travel and Hospitality.
- Greatness
Greatness is a cybercrime platform offering ‘Phishing-as-a-Service’ to threat actors specifically targeting users of the Microsoft 365 cloud service. Read more about how to spot a phishing attack here.
- Webvoice
On June 1, 2023, experts discovered a phishing campaign targeting corporate users from different countries, in which the attackers used an unidentified Microsoft 365 phishing kit. The campaign uses the domain webvoice[.]com[.]br to redirect victims to phishing pages.
The group was last seen on the 31st of October 2023, targeting multiple industries. These include Financial Services (Banking, Asset Management, Fintech, etc.), Professional Services (Business Development, Career Planning, Consulting, etc.), Advertising (Affiliate & Social Media Marketing), Agriculture and Farming, Biotechnology (Biopharma, Genetics, Life Science), E-commerce and Retail, Consumer Goods (Cosmetics, Electronics), Education (EdTech), Energy (Oil & Gas, Renewable), Health Care (Medical Devices, Pharmaceuticals), IT & Cyber Security, Manufacturing (Industrial, Machinery), Media & Entertainment, Real Estate, Science & Engineering (Various Fields), Software (Web Development, Robotics), Transportation and Travel.
Their geographic reach spans Albania, Austria, Australia, Spain, United Kingdom, India, United Arab Emirates, Bahrain, Brazil, Canada, Switzerland, China, Colombia, Costa Rica, Germany, Denmark, Estonia, France, Hong Kong, Israel, Italy, South Korea, Luxembourg, Mauritius, Malaysia, Netherlands, New Zealand, Philippines, Sweden, Singapore, United States, and Zambia.
- A7xsurabaya
a7xsurabaya is an attacker who carries out phishing attacks targeting corporate users from different countries. The attacker was discovered on March 17, 2023, and remained active as of February 21, 2024. In these phishing attacks, the attacker uses Office 365 phishing pages.
Their geographic reach includes the United Arab Emirates, Australia, Belgium, Canada, Switzerland, China, Costa Rica, Germany, Denmark, Finland, France, United Kingdom, Ghana, Hong Kong, Ireland, Italy, Netherlands, New Zealand, Philippines, Poland, Saudi Arabia, Sweden, Singapore, and the United States.
Industries targeted include Administrative Services (Facilities Support), Advertising, Agriculture, Artificial Intelligence, Clothing and Apparel, E-commerce and Retail, Community and Lifestyle (Elderly, Leisure, etc.), Consumer Goods (DIY, Furniture), Content and Publishing, Data and Analytics, Education (Higher Education, Training), Energy (Efficiency, Oil & Gas, Renewable), Financial Services (Banking, Asset Management, Insurance, etc.), Food and Beverage (Processing, Wine), Government and Military, Health Care (Hospitals, Medical Devices, Nutrition), Information Technology (Cyber Security, Network Security), Manufacturing (Various Fields), Media and Entertainment (Music, Publishing, Social Media), Professional Services (Consulting, Legal, Risk Management), Real Estate (Construction, Property Management), Science and Engineering (Aerospace, Biotechnology, etc.), Software (Enterprise, Mobile Apps), Transportation (Logistics, Public Transportation), Travel and Tourism.
Next Steps to Support Australian-Based Mining Companies
Australia’s latest cybersecurity strategy highlights a commitment towards better data security. Read more about the full strategy here: ‘SecurityHQ and Data#3 Join Forces to Leverage the Australian Cyber Security Strategy 2023-2030’.
The success of this plan depends greatly on companies taking important steps to bolster their defences. Together, SecurityHQ and Data#3 aim to give Australian businesses the opportunity to build a safer and more secure working environment.
‘As these threats evolve, it’s crucial for mining companies to prioritize cybersecurity to safeguard their operations and protect their valuable data. In an era where cyber threats are constantly evolving, staying ahead of the game is crucial. The mining industry must invest in cybersecurity to safeguard its future.’ – Patrick McAteer, Cyber Threat Intelligence Analyst, SecurityHQ
For more information on how you can protect your data, contact our Australian-based team today.