Critical Minerals and Cyber Operations

Summary

Critical elements and rare earth elements (REEs) are no longer commodities; they are strategic dependencies. China’s dominance in processing and refining provides it with enormous geopolitical leverage over other industrialized economies.

Geopolitical competition over mining and refining critical elements and REEs is accelerating. Competition to mine them will almost certainly expand into the Arctic, Greenland, Antarctica, the seabed, and space. These emerging arenas introduce legal ambiguity, environmental tension, and strategic rivalry, creating new geopolitical flashpoints.

Cyber operations are increasingly intertwined with resource competition. Insikt Group has identified state-sponsored and criminally aligned cyber threat actors targeting mining organizations to gain a strategic advantage. As critical mineral supply chains grow in importance, cyber activity targeting the sector is expected to increase, with criminal groups potentially serving as proxies or access brokers for state-backed operations.

Figure 1: Map of where critical elements and REEs are being mined or have been located, along with key findings in the report (Source: Recorded Future)

Analysis

What Are Rare Earth Elements and Critical Elements?

Rare earth elements (REEs) are a group of seventeen metals that are essential to modern technologies. REEs are vital to the Fourth Industrial Revolution, a term for the current era of connectivity, advanced analytics, automation, and advanced manufacturing technology. REEs are used in small but essential quantities; they significantly impact the efficiency, precision, and reliability of equipment. They also differ from most other critical elements because they are difficult to process and refine. The refining process requires complex separation, making supply chains slow to build and capital-intensive.

Figure 2: Simplified REE production process from mining to refining (Source: Recorded Future)

Critical elements such as lithium, copper, nickel, cobalt, and graphite are primarily used as structural, conductive, or energy-storage materials and are consumed in much larger quantities. These elements form the physical backbone of products like batteries, wiring, and digital infrastructure. In simple terms, critical elements build the systems, and REEs enable the systems to perform at high levels.

Where Are REEs and Critical Elements Located?

On land, critical elements are unevenly distributed globally, with mining concentrated in a few countries. REEs are primarily mined in China, with significant deposits in Australia and the United States (US).

Figure 3: The distribution of where critical minerals were mined in 2023 (Source: World Resources Institute)

The seabed is an emerging arena for mining due to vast critical mineral reserves that are believed to lie on the ocean floor. On the seabed, minerals are packed into potato-sized nodules, form hard crusts, accumulate in sediment layers, and are emitted from hydrothermal vents. In April 2025, the Trump administration issued an executive order directing the US to rapidly scale its capability to mine and process seabed critical elements. Meanwhile, China continues to expand its deep-sea mining capabilities. Japan is also accelerating its deep-sea mining program and, in February 2026, recovered REEs from 6,000 meters below the surface of the Pacific Ocean.

Figure 4: Diagram showing how minerals containing critical elements can be extracted from the seabed (Source: US Government Accountability Office)

Arctic ice volume has declined by more than 70% since the 1980s, opening new shipping routes and exposing vast natural resources. As ice retreats, significant deposits of critical elements such as cobalt, tin, and REEs are becoming accessible, alongside oil and gas reserves. Mineral-rich seabed nodules are also being uncovered, attracting increasing interest from both nation-states and private investors.

Greenland contains 25 of the European Commission’s 34 designated critical raw materials as well as substantial oil and gas potential. Mining remains difficult due to harsh conditions and limited infrastructure, but continued ice retreat combined with sufficient capital investment could unlock resources of major economic and geopolitical importance.

Figures 5 and 6: Map showing critical minerals located on Greenland (left) (Source: The Telegraph); Map showing critical minerals in the Arctic region (right) (Source: The Economist)

Antarctica is currently off-limits to mining until at least 2048 under a 1991 environmental agreement that designated the continent as a natural reserve. Antarctica is believed to hold significant reserves of oil, coal, and iron ore, which are already attracting growing interest for the future. China and Russia have announced plans to expand their presence in Antarctica. China’s intentions appear to be focused on resource exploitation, which could open up a new geopolitical fault line, this time at the South Pole.

Space is quickly becoming the next frontier for critical resource extraction. Critical elements are abundant on asteroids and on the Moon. As companies move toward space mining, the US and China are simultaneously racing to establish a permanent presence in space by the 2030s, intensifying an already highly competitive astropolitical environment.

What Is the Geopolitical Importance of REEs and Critical Elements?

Because industrialized nations need critical elements and REEs to manufacture advanced technologies, global demand is rapidly accelerating. China’s control over critical elements and REEs stems primarily from its dominance of processing and refining rather than extraction. By controlling much of the world’s REE separation and refining capacity, China holds significant leverage over global supply chains and strategic technologies.

This reliance has heightened anxiety in the US over access to critical and rare earth elements. In 2025, China demonstrated its leverage by threatening to suspend REE exports to the US, which compelled Washington to back away from plans to restrict the transfer of critical semiconductor technology.

The US government has since accelerated international critical minerals deals and begun investing in US mining operations to minimize its reliance on China, where over 90% of the world’s REEs are processed. Furthermore, we are now seeing the US strategically stockpiling critical minerals and seeking to form “critical minerals trade blocs.”

Have Any Cyberattacks Been Linked to REEs and Critical Elements?

State-sponsored cyber capabilities are deployed to support national objectives linked to mining operations and the exploration of new critical minerals.

In 2021, Insikt Group identified infrastructure previously linked to APT15, a Chinese state-sponsored threat actor, targeting a Canada-based mining company focused on mining zinc, copper, and lead. While there is no public record of Chinese investment in that specific mining company, Chinese firms invested approximately CAD 40 million (USD 30 million) in other Canadian lithium miners during the same period. Ottawa later forced those companies to divest on national security grounds.

In 2025, Insikt Group identified several Chinese state-sponsored threat actors targeting an organization focused on monitoring and regulating seabed mining. These cyberattacks occurred around the same time that China entered into seabed exploration and mining partnerships with nations such as the Cook Islands, Kiribati, and Tonga. This campaign was almost certainly driven by a desire to gain advanced insight into deep-sea mining rules and rival nations' positions, helping China protect its critical minerals dominance and secure strategic seabed access ahead of its competitors.

Between January 2021 and January 2026, Insikt Group identified multiple sophisticated cyber operations targeting Indonesia. While not every intrusion can be conclusively attributed to mining activity, these attacks align with China’s strategic interest in Indonesia’s natural resources; for example, Chinese companies control about 75% of Indonesia’s nickel refining capacity. Furthermore, Indonesia holds approximately 55 million metric tons of nickel reserves, which is over 40% of global reserves.

Figure 7: Timeline of Chinese cyber threat actor campaigns identified by Insikt Group targeting Indonesia from January 2021 to January 2026, alongside large mining deals (Source: Recorded Future)

In 2025, a hacker group known as Silent Lynx (or YoroTrooper) was reported to be targeting Russia's mining sector. Security researchers assessed that Silent Lynx is likely Kazakhstan-based, due to its language fluency, use of local currency, and regional targeting.

Ransomware and criminal cyber groups frequently target the mining sector, primarily for financial gain. As the sector’s global economic importance grows, it may attract increased extortion efforts. Insikt Group has previously identified ransomware groups operating in close coordination with state actors, effectively using ransomware as a smokescreen; as a result, we cannot rule out criminal groups increasingly providing access to mining organizations for state-sponsored cyber operations.

Figure 8: Data from Recorded Future’s Ransomware Dashboard showing the top five ransomware groups targeting the mining and metals sector in 2025 (Source: Recorded Future)

Figure 9: Timeline from January 2021 to January 2026 showing mining companies being named on ransomware extortion sites, alongside mining company access being sold on dark web sites (Source: Recorded Future)

In 2024, Northern Minerals, an Australian rare earths producer, was compromised by the ransomware group BianLian. The group published stolen data on the dark web shortly after Northern Minerals ordered Chinese-linked investors to divest their 10.4% stake. BianLian is a financially motivated group that opportunistically targets multiple sectors and is believed to be operated by Russia-based threat actors. While this leak was likely financially driven, state collusion cannot be ruled out, as state-sponsored threat actors increasingly hide operations behind criminal activity.

Outlook

The US and its allies will almost certainly intensify efforts to reduce strategic dependence on China for critical minerals. This is because control of mineral supply chains will be a decisive factor in determining leadership in the Fourth Industrial Revolution.

Mining activity will almost certainly expand into new frontiers, including the deep sea, the Arctic, and Antarctica, permanently reshaping both economic competition and geopolitical risk.

Space will very likely emerge as the final frontier for resource extraction. The US and China will accelerate competition to secure access to lunar and asteroid-based minerals, extending terrestrial resource rivalries beyond Earth’s orbit.

State-sponsored cyber threat actors operating on behalf of industrialized nations will almost certainly increase their focus on targeting mining companies and governments operating in strategically significant mining regions.

Criminal cyber activity will very likely increasingly serve as a smokescreen or initial access vector for state-sponsored operations targeting critical mineral mining companies.

Access Mediation (D3-AMED): Tighten who can access sensitive supply-chain data

Network Access Mediation (D3-NAM): Control access to key network systems

Multi-factor Authentication (D3-MFA): Reduce account takeover risk on the systems that hold this data

Restore Disk Image (D3-RDI): Recover quickly from ransomware or destructive attacks

Reissue Credential (D3-RIC): Replace compromised credentials quickly at scale

Credential Rotation (D3-CRO): Shorten the “useful life” of stolen credentials and keys

Mitigations

Know your exposure to changes in critical mineral supplies: Map the locations of critical minerals in your products and suppliers, and identify potential single points of failure.
Resilience question: Are there any single points of failure in critical products or business lines if China were to restrict the supply of REEs?

Build a fallback plan: Put backup suppliers, alternate materials, and realistic inventory buffers in place for the highest-risk supplies your organization relies on.
Resilience question: What is our Plan B for our top three critical electronic supplies, such as laptops?

Prepare for criminal and state-sponsored cyberattacks: If you operate in or supply the mining and critical minerals sector, treat criminal intrusions as potentially more than financially motivated. In some cases, they may serve as cover for espionage. Actively monitor the latest indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) associated with threat actors known to target the sector or government bodies responsible for nation-state mining interests. Use Recorded Future’s Threat Intelligence Module to monitor for dark web and closed-source mentions tied to mining targeting.
Resilience question: If we’re hit with ransomware, how quickly can we restore operations? Do we have backup systems and data?

Map out your supply-chain risks: If your organization operates in or near the mining industry, you might have robust security measures — but your suppliers might not. Use Recorded Future’s Third-Party Intelligence Module to identify risks in your supply chain.
Resilience question: Which supplier or contractor would cause us the most problems if they were hacked, and could they be easily hacked from what we can identify?

Monitor the new mining hotspots: Track developments in the Arctic, Greenland, Antarctica, deep-sea mining, and space, as rules and conflicts there can quickly affect supply and reputation. Use Recorded Future’s Geopolitical Intelligence Module to gain visibility into new mining contracts and potential geopolitical risks from new deals.
Resilience question: What early warning signs are we monitoring that could disrupt our supply chain in the next 6–12 months?

Risk Scenarios

Scenario: “Mining Ltd,” headquartered in a European capital, wants to open up a mining and refining facility in a South American country, where another foreign state-backed multinational corporation is also bidding.

First-order Implications

Threats

A state-sponsored cyber threat actor compromises the mining corporation’s bid and legal workstreams to obtain pricing models, financing assumptions, partnership agreements, and government engagement strategy. Criminal intermediaries are then used to selectively leak documents to local media outlets, obscuring direct attribution.

Risks

Operational disruption: The Mining Ltd team has to rework proposals, renegotiate local partnership terms, and reassess internal governance processes. This delays bid submission timelines and weakens negotiating leverage with host-nation ministries and suppliers.

Brand impairment: Mining Ltd suffers reputational damage from headlines about the leak as news outlets start reporting on the breach.

Financial fraud: Mining Ltd faces higher bidding costs due to the leaks, as additional costs mount for advisors, PR support, and legal reviews.

Second-order Implications

Threats

The threat actor continues searching sensitive files across networks and feeds the stolen bid details to a state-backed company, which uses the documentation to identify critical issues within the company and its strategy.

Simultaneously, a destructive wiper is pre-positioned within critical systems for potential activation at a politically sensitive moment.

Risks

Legal or compliance failure: Defamation and disclosure disputes; discovery risks if litigation arises; internal communications pulled into proceedings and reinterpreted out of context. Also, exposure and misuse of confidential bid information may trigger regulatory scrutiny, contractual breaches, and potential sanctions.

Competitive: The state-backed rival gains a negotiating advantage and sensitive information on how Mining Ltd operates, undermining Mining Ltd’s market position.

Operational disruption: A planted wiper creates the risk of sudden, large-scale system outages that could halt core business operations.

Brand impairment: Further public disclosure of bid compromise or system sabotage would significantly erode customer and partner trust.

Third-order Implications

Threats

In this instance, the host nation narrowly awards Mining Ltd the contract after further scrutiny following earlier leaks. Fearing all is lost, the state-sponsored threat actor activates the wiper, causing operations to cease. This leaks to the press, which reports on it, further adding to scrutiny of Mining Ltd's viability.

The host country cancels the contract with Mining Ltd and offers it to the seemingly reliable state-backed company that the cyber threat actor has been supporting.

Risks

Legal or compliance failure: The cyber incident and resulting outage prompt investigations into governance, resilience, and regulatory compliance.

Operational disruption: Activation of the wiper halts operations, directly preventing contract execution and service delivery and costing Mining Ltd millions of USD per day in downtime.

Brand impairment: Public reporting on the attack and outage undermines confidence in Mining Ltd’s data-handling reliability and its long-term viability as a trustworthy company.

Competitive disadvantage: The incident enables a state-backed rival to displace Mining Ltd in the host country and strengthens its position in other markets.

Key

Legal or compliance failure: Breach of laws, regulations, or industry standards resulting in liability or sanctions.

Operational disruption: Interruption to normal business processes affecting productivity or service delivery.

Brand impairment: Damage to reputation that reduces customer trust and market value.

Financial fraud: Unauthorized manipulation or theft of financial assets for personal or organizational gain.

Competitive disadvantage: Loss of market position due to inferior capabilities, intelligence, or innovation.
