Feature
Cyber espionage: the silent battleground for mining’s mineral intelligence
Critical minerals have increasingly become assets of national security, and invisible ‘cyber spies’ are exfiltrating geological and operational data. Eve Thomas reports.
The global race for critical minerals has a silent and invisible battleground. The target is intelligence, the artillery is malware and the casualties are almost always unknown, sometimes even to themselves.
“The best cyber espionage would be when the target didn’t even know it had happened,” comments William Akoto, professor of foreign policy and global security at the American University. “It is very quiet, and the main objective is to extract potentially economically or strategically useful information.”
National security objectives and critical mineral supply strategies are more aligned now than ever before, and states are turning to cyber espionage to gain an intellectual, commercial and geopolitical edge. State-sponsored actors – known as cyber proxies – are using sophisticated malware and calculated spear-phishing to obtain valuable and confidential data.
Already, almost every country is both a perpetrator and a victim. However, there is an incentive for both attackers and casualties to stay quiet, making the problem at once huge and inherently unquantifiable.
Akoto adds that silence is the distinction between cyber espionage and other cyberattacks. While ransomware extortionists contact victims for money and 'hacktivists' deface websites or shut down operations, cyber spies operate invisibly.
Across the value chain, mining companies are at particular risk. Critical minerals are essential to national security objectives, and any operator with intelligence on geological resources, exploration data or investor information immediately becomes a lucrative target.
Nilesh Raghoo, an analyst at Mining Technology’s parent company, GlobalData, points out that widespread digitalisation means mining sites are increasingly relying on operational technology (OT). “With this comes an increased risk of systems being breached and exposed if not properly protected,” he says. “Technology that employs Internet of Things-related devices can give attackers access to the wider network that they operate on.”
Mineral intelligence: the target
Proxies carrying out state-level cyber espionage are looking for an edge, either commercially or diplomatically. In an era of soaring critical mineral demand, that makes operators in the mining sector a prime target.
Attractive informational targets include pre-commercial intelligence (such as geological survey and exploration data); pricing and commodity forecasting data; and insights on OT and supervisory control and data acquisition (SCADA) systems. Holding a wealth of these insights, “mining firms have become very valuable, strategic targets for state-linked actors and even for ordinary, run-of-the-mill cybercriminals”, says Akoto.
He particularly highlights the value of geological survey and exploration data. Surveying and exploration is a capital- and time-intensive process that precedes the purchase of the site. If a cyber spy were to access this data on behalf of another – perhaps state-owned or state-favoured – mining operator, the latter could move to acquire the mineral rights first. With the temporal advantage, they could also position investment or undercut a rival’s bidding strategy.
Besides mineral endowment, cyber espionage can also be used to pursue corporate insights such as merger and acquisition (M&A) investor and shareholder data. Knowledge of a target’s debt covenants or pending regulatory decisions can also inform the pricing and timeline strategies of prospective acquirers.
It was M&A information that drove the 2009 cyberattack on Rio Tinto. The company rejected a $19.5bn (131.78bn yuan) equity stake bid from China’s state-owned aluminium company, Chinalco, which wanted to challenge the dominance of the three companies controlling the bulk of Australian iron ore: Rio Tinto, BHP and Vale. China’s soaring steel demand bled into tension around pricing negotiations, and Chinese state-sponsored hackers targeted confidential internal communications to garner insight on merger negotiations between Rio Tinto and BHP.
The race to establish technological dominance is another driver for cyber espionage, especially as developing capabilities open the doors to new markets.
These include the as-yet non-existent seabed mining, which is expected to commence within the next year, and which some experts suggest could represent a $20tn opportunity.
According to a report by cybersecurity company Recorded Future, Insikt Group identified cyberattacks from several Chinese state-sponsored actors throughout 2025, targeting an unnamed organisation working in monitoring and regulating seabed mining. The report notes that the cyberattacks occurred around the time China entered into seabed exploration and mining partnerships with the Cook Islands, Kiribati and Tonga.
The report also notes that competition for critical minerals will emerge in new geographies including the Arctic and Antarctica, where both China and Russia have announced separate but coordinated plans. Space mining will also materialise within the next year, and the US and China are racing to capitalise on metal deposits in asteroids, the Moon and Mars. With potentially huge resources to be won, and few legal frameworks to determine who can capitalise on the advantage and how, the winners will be the first to cross the finish line in these spaces. Who has the intellectual, technological edge will therefore define who dominates these new industries. The race is on, and there are no rules.
“It is widely understood that states will spy on each other using whatever means they can use,” says Akoto. “Sometimes they use people inside the government to pass information to them, sometimes they use cyber espionage. It is accepted.”
But who is conducting cyber espionage against whom, and why?
The China picture
Cyber espionage is accepted to be occurring worldwide, with almost every government likely to be both perpetrator and victim.
Western cybersecurity analysts often identify a 'Big Four' – China, Russia, North Korea and Iran – as posing an advanced persistent threat, or APT.
China stands out for the volume and technical sophistication of its operations, as well as the extent to which cyber espionage and cyberattacks are integrated into its national security strategies. Unlike some other state actors, China is not opportunistic but systematic.
According to a new report by cybersecurity company CrowdStrike, between April 2025 and March 2026, China-nexus actors “conducted operations across Asia and North America, demonstrating coordinated state-aligned cyber espionage that threatens targeted nations’ economic security and technological competitiveness amid intensifying strategic competition between the US and China”.
It added that China-linked hackers posed the biggest espionage threat to technology companies over the past year, noting that Taiwan, Thailand and the US were the top targets.
Elsewhere, Insikt Group identified a sustained pattern of cyberattacks from China towards Indonesia. Although not all attacks were directly related to mineral intelligence or mining operations, analysis by Recorded Future relates the findings to China’s strategic interest in Indonesia’s natural resources. Indonesia holds more than 40% of global nickel reserves (around 55 million tonnes) and Chinese companies control around 75% of the country’s nickel refining capacity.
The other members of the Big Four
While China’s state-supported cyber operations are intended to be covert, Russia has developed a reputation for a destructive and unapologetic cyber strategy. The GRU (Russia's primary foreign military intelligence agency) operates Sandworm – an aggressive, military-designated cyber unit that regularly hits headlines for its cyber activity.
In 2015 and 2016, Sandworm attacked the Ukrainian power grid, shutting off electricity and making history as the first confirmed cyberattack to cause power outages. By 2024, it had targeted almost 20 Ukrainian energy facilities.
However, a vast number of Russian state-sponsored activities have successfully flown under the radar, and headline-grabbing cyberattacks have only distracted from the growing deployment of cyber espionage by Russia for tactical advantage. Norge Mining, for example, has allegedly been subjected to Russian economic-intelligence operations as it moves towards permitting for one of Europe’s largest undeveloped deposits of phosphate, vanadium and titanium in Norway. Presently, Europe is dependent on Russia for phosphate and titanium.
Similarly, North Korea has adopted organised, sophisticated state-sponsored cyberattack strategies, usually handled through the Reconnaissance General Bureau (RGB) – the national foreign intelligence agency. Espionage is at the core of the RGB’s operations and attacks are shaped around exploiting supply chain vulnerabilities.
Although there are no known examples of North Korean groups hacking mining targets specifically, Akoto notes that, for the Big Four, every sector is a target and “a regular part of their military cyber operations”.
The final member of the Big Four, Iran, primarily focuses its cyber espionage on the Middle East; however, its operations also extend to government agencies, defence contractors, academic institutions and critical infrastructure in the US, UK and Europe. State-sponsored cyber espionage operations are directed by the Islamic Revolution Guard Corps and the Ministry of Intelligence and Security.
In a recent report, the Centre for Strategic and International Studies noted that “cyberattacks originating from Iran are a key concern”, adding that “the energy sector is experiencing increasing cyberattacks, and the sector is among the most-targeted in the US”.
However, while Iran is indubitably using cyber espionage to collect intelligence on the mineral endowment, extraction processes and refining capacities of its neighbours, its own mining sector was famously the victim of a cyberattack in 2022. State-owned Khouzestan Steel, as well as Mobarakeh Steel and Hormozgan (majority-owned by government entities), were crippled by an attack carried out by pro-Israeli hacktivist group Predatory Sparrow, which released footage of the companies’ industrial machines malfunctioning and discharging molten steel.

Beyond the Big Four
Beyond China and the other members of the Big Four, Akoto identifies Syria as the fifth big player in cyber espionage, nodding to Saudi Arabia as a possible sixth. “We even see some European nations – France, for example – active in the cyber space. Canada has also been notably active.”
He acknowledges that the US is doubtless a major player but points out that most data available for study in the Western world is obtained by US cybersecurity operators, which lack the incentive to report on the US' outgoing attacks, so the data tends to be skewed. “The commercial incentives for firms like Microsoft, FireEye, etc. don't align neatly with reporting; they won’t amplify attacks that are outbound from the US. Their incentives align more towards amplifying inbound attacks and operations,” he notes.
In 2025, Recorded Future identified “at least 20 actors across 13 ‘non-Big Four’ countries” that were conducting cyber operations. The report found that these were primarily linked to regional conflicts, domestic surveillance or foreign espionage.
It reads: “Patriotic hacktivist groups, which advance state interests alongside state-sponsored espionage operations, represent the highest volume of reported activity. The degree of coordination between hacktivists and the government remains unclear and likely varies.”
But what of the extent of espionage for mineral intelligence out there?
The very nature of spying, and therefore of cyber espionage, is that it is covert and thus inscrutable.
“We can never really measure the scale of it,” says Akoto. “Whatever we think we know about how much cyber espionage there is, we know for sure it is an underestimate, because there are many espionage incidents that the targets don't disclose for various reasons.”
Mining companies may never know that they have been victims of cyber espionage, or that their mineral intelligence was quietly copied. If they do find out, they may choose not to disclose the breach, so as not to undermine customer confidence or reveal vulnerabilities to other prospective attackers. On the flip side, attackers that have successfully carried out cyber espionage are unlikely to reveal that they have gained an intellectual edge.
“There are incentives for both the target and the attacker to keep cyber espionage quiet, so knowing the true scale is very difficult,” explains Akoto.
However, experts do know how cyber espionage is carried out, and which technologies are defining – and redefining – attacks.
According to Raghoo, it is AI that has “completely changed the game”. AI can accelerate malware development and can also aid in more targeted social engineering campaigns by writing sophisticated, convincing phishing emails. By using available information about high-level employees and C-suite executives, AI can also tailor communications and assist in spear-phishing.
Although the vector was never definitively determined, the LockerGoga ransomware attack on aluminium producer Norsk Hydro in 2019 is generally accepted to have occurred when an employee opened a convincing but malicious email attachment. Similarly, the ransomware attack on Copper Mountain Mining in 2022 is widely thought to have been the result of a successful phishing attack.
As AI capabilities improve, cybersecurity experts expect phishing and spear-phishing to continue to become more sophisticated and harder to detect. However, Raghoo also calls AI “a double-edged sword”, noting that “on the flip side, AI can be used in cybersecurity solutions – for example, monitoring and threat detection – working autonomously to keep systems safe”.
He also points to quantum cryptography: the next frontier in cybersecurity. Quantum cryptography will protect systems against attacks from quantum computers, which are expected to arrive by the mid-2030s. Where classical computers use binary bits, quantum computers use quantum bits (qubits), allowing them to consider more possibilities and therefore process far more complex problems. Raghoo says ‘Q-day’ is approaching, when cryptographically relevant quantum computers will be able to break public-key encryption in minutes, and “even the latest asymmetric public-key encryption technologies will be at risk”.
Paired with the furtive nature of espionage, the increasing technological sophistication of attacks makes the scale of the problem all the more difficult to quantify. Yet, with critical minerals now central to national security strategies, and China’s dominance set to intensify, experts are certain that cyber espionage will continue to increase – and rapidly.
Recorded Future’s report concludes with an ominous warning: “If you operate in or supply the mining and critical minerals sector, treat criminal intrusions as potentially more than financially motivated. In some cases, they may serve as cover for espionage.”

