Australian Mining Giant Confirms BianLian Ransomware Attack
News Comes on Heels of Treasury Forcing Chinese Investors to Divest BianLian Shares

Australian rare earth mining company Northern Minerals said cybercriminals stole sensitive corporate secrets from its systems not long after the government forced several Chinese investors to divest their shares in the company.
The mining giant, which owns the mineral-rich Browns Range project in Western Australia, said in a stock exchange announcement Tuesday that it learned about the cybersecurity incident in late March and called in the Australian Cyber Security Center, the Office of the Australian Information Commissioner and external cybersecurity consultants to investigate the incident.
"The exfiltrated data included corporate, operational and financial information and some details relating to current and former personnel and some shareholder information. The process of notifying relevant impacted individuals is underway and ongoing," Northern Minerals said. The company said the incident did not have a material impact on its operations or broader systems.
"Some of the exfiltrated data has now been released on the dark web," the company added.
Northern Minerals is excavating the Browns Range project on the northern edge of the Tanami Desert, which is rich in dysprosium and terbium - rare minerals that are essential for the production of high-performance magnets for electric vehicles, wind turbines and defense applications. China currently owns and mines 99% of the world's dysprosium reserves.
The mining giant's announcement came a day after Treasurer of Australia Jim Chalmers ordered five China-linked investors to divest their shareholding in the company. The investors - Yuxiao Fund Pte Ltd, Black Stone Resources Limited, Indian Ocean International Shipping and Service Company Limited, Ximei Liu and Xi Wang - presently own a total of 613 million shares, which account for 10.4% of Northern Minerals' issued capital.
A spokesperson from the Treasury said the decision protects the country's national interests and ensures compliance with its foreign investment framework. "Australia operates a robust and non-discriminatory foreign investment framework and will take further action if required to protect our national interest in relation to this matter," the spokesperson added.
The BianLian ransomware group on Tuesday listed Northern Minerals as a victim on its dark web portal. The group claims it stole 1.65 gigabytes worth of corporate information from the company's systems, including operational data, strategic data and data on geological and mining research.
The group claimed that the stolen data also included Northern Minerals' financial information, data on competitor research, shareholders and potential investors, corporate email archives and employees' personal data.
According to the U.S. Cybersecurity and Infrastructure Security Agency, the BianLian ransomware group has targeted U.S. and Australian critical infrastructure sectors since June 2022, and its primary purpose is to extort money.
The group exploits compromised Remote Desktop Protocol (RDP) access to gain an initial foothold, then uses open-source tools and command-line scripting to discover and harvest credentials, and exfiltrates victim data via File Transfer Protocol, Rclone or Mega.
CISA said the group initially employed double extortion by encrypting victims' systems after exfiltrating their data, but it recently switched to primarily exfiltration-based extortion, which leaves the victims' systems intact. The group's recent change in tactics aligns with Northern Minerals' statement that the incident did not affect its broader systems or operations.
Though CISA did not list BianLian as a nation-state actor, cybersecurity company Resecurity in December found "a meaningful link" between BianLian and two other ransomware groups tracked as White Rabbit and Mario. When tracking a joint operation by the three groups against financial services firms in Singapore, the researchers traced a majority of their IP addresses to China.