Cyberattackers are increasingly targeting the mining industry, which is falling victim to possible “global industrial espionage” on a large scale, according to an IT expert.
JSE-listed platinum group metals and chrome producer Eastern Platinum (Eastplats) became the latest victim of hackers this week, saying it had detected a breach affecting its internal IT systems. While the company said the incident did not cause havoc to its operations, the hackers managed to gain access to its data.
“Certain files related to internal affairs were disclosed without authorisation by third parties on a restricted part of the internet,” the miner said. “Eastplats is actively reviewing these files to ensure compliance with its legal obligations and to safeguard its commercial interests.”
Eastplats, whose operations include the Crocodile River Mine in Brits, said its priorities included the protection and continuous enhancement of its data security and systems.
“This incident has been reported to the authorities, and Eastplats is committed to maintaining the trust and confidence of its stakeholders.”
In July Sibanye-Stillwater's US platinum group metals operation experienced short-term operational delays as a result of a cyberattack. The group said in its 2024 integrated annual report that hackers had targeted ICT infrastructure, affecting more than 1,000 servers and posing a threat to business continuity, data integrity and security.
Samresh Ramjith, cybersecurity leader at Deloitte, said South Africa suffered the sixth-highest number of cyberattacks in the world. He said cyberattacks were previously concentrated in the banking and insurance sector, targeting clients’ financial information and funds, but were now widespread across various industries due to an increasing digital footprint.
“If you think about the mining industry over the past five years or so, there has been a lot of digital transformation,” Ramjith said. “If you think about the operations, they are all connected through an IT network.”
Ramjith said an increase in cyberattacks on the South African mining industry could be attributed to the sector being globally admired, with some of the best mineral deposits and its ability to move global commodity markets.
“It is a hotly contested and highly competitive market from a mining and metals perspective. So any sort of insider information that can be gathered about what a mine is doing in terms of tonnage and stockpiles, anything that they’re doing in terms of prospecting, that is all interesting information for mining houses internationally.
“So you have an element of potential international industrial espionage that is playing a part in this. That is difficult to evade, because if you are being targeted by, let's say, a hitman organisation looking at understanding what you are doing in coal, for example, they’ll try every tactic they can to get into your organisation.”
Ramjith said investigations into breaches in the mining industry often found the attackers infiltrated the organisation and spent several hours, sometimes a day or more, in the environment, looking around before sending out a ransom, which pointed to industrial espionage.
“If the motivation was purely to send out a ransom so they can collect some cash, then why would the attacker spend so much time in the environment? That is how we come to industrial espionage. The ransom in some cases is used as a smokescreen to divert attention from the fact that there was an attack and data was infiltrated. The ransom is deployed to hide the attacker's tracks.”
A “ransom” refers to a payment demanded by cybercriminals from victims to regain access to their data, systems or networks that have been locked or encrypted by the attackers, typically through ransomware.
Accounting firm PwC said mining's economic significance made it a prime target for cyberattacks as the sector accounts for 7.5% of GDP.
“Though a number of mining companies have state-of-the-art cybersecurity defences, there are general risks which might result in increased risk for specific operations,” PwC said. “Legacy technology infrastructure, which is outdated and susceptible to being compromised by cybercriminals, could still be in place. In addition, there is a global skills shortage in cybersecurity and South Africa’s current economic climate worsens the cybersecurity threat landscape.”
PwC said mining companies use operational technology (OT) networks and systems that were previously segmented from IT networks and were not connected to the internet. Due to digital transformation, these networks were now converging, leading to increased cyber-threats. It noted some of the modus operandi applied by cybercriminals to compromise systems. These include:
- Enticing and tricking employees with clickbait phishing e-mails, which leads to compromised credentials, allowing for unauthorised access to a system or network.
- Targeting and compromising technologies that are accessible on the internet, such as remote access solutions (for example, virtual private networks) that give employees remote access to internal systems to allow them to work from different locations. “If these solutions are not updated, they are vulnerable and are prime targets.”
- Cybercriminals pretend to be trusted suppliers or contractors, then ask employees to click on links, open files, or turn on certain system features which allow the hackers to install malicious software.
- Cybercriminals exploiting disgruntled or easily bribable employees within an organisation (insider threats) who may give the attackers passwords or help them install malware onto systems.
Robbie Proctor, an investment analyst at Anchor Capital, said cybercrime was not just a mining problem but affected many industries globally.
“The main aspect would be targeting industries that are slower to adopt adequate cybersecurity systems, whereas financial and industrial companies were the initial targets and have subsequently boosted their defences,” he said.
“This pushes cybercriminals towards industries perceived to be behind the curve. I would generally assume the hackers are looking for ransom payments rather than anything more nefarious.”







