Cyber espionage campaigns against the mining industry are largely geared towards ensuring interest groups have access to the latest technical knowledge and intelligence so they can maintain competitive advantage and thrive in the global commodities market. In this blog post, we illustrate this pattern with the case of the attacks involving the Potash Corporation. By doing so, we will be able to identify the motivations and goals of attackers targeting a key mining company.
Potash is a mined or manufactured mineral that contains potassium. It is primarily used in manufacturing fertilizers and is a key component of a country’s food and agriculture industry. Based on investigations, the threat actors were looking to derail the $40B acquisition of the world’s largest potash producer (Potash Corporation of Saskatchewan) by BHP Billiton. These attacks started in September 2010 and were made public around late 2011. Investigations in this case were successful up to the IP address level.
The attacks – Making their way in, step by step
The attackers initially targeted the computer networks of seven Canadian law firms. The targeted law firms included the “Seven Sister” law firms, which refers to a group of seven leading law firms in Canada that were representing the different parties involved in the BHP Billiton takeover bid for Potash Corporation. The rationale of this strategy was to get hold of classified information that these law firms may have had about the negotiations, including confidential information that could easily be used as leverage to influence the bid. There is no confirmed report that states that the Potash Corporation itself was directly targeted by the hackers. However, facts of the case point to the collection of sensitive information as the main objective of the attack.
In these attacks, spyware was used to capture confidential documents and exfiltrate them via spoofed emails. The attackers also targeted Canada’s Finance Ministry and Treasury Board by sending phishing emails appearing to be from an aboriginal group that was opposing the takeover. The email then directed the victims to a website that exploited a browser vulnerability to install spyware onto the victim’s computer through a drive-by download.
Motivation and goals of targeting mining companies
The goal of every cyber espionage campaign that is launched against the mining industry is to give particular groups a competitive advantage in the market through access to the latest technical knowledge and intelligence. In the case of the attack involving the Potash Corporation, stolen insider information about the takeover bid, for instance, would give anyone possessing the data an unfair advantage during negotiations and thus derail the actual bid.
In this particular case, many of the attacks may actually have been decoys intended to distract anyone tracing the activity from the hackers’ real objective: getting insider information about the BHP Billiton takeover bid for Potash Corporation in 2010, which ultimately was unsuccessful. The ultimate goal, however, was to use the insider information collected about the takeover bid in order to derail the actual bid. A competing acquirer would enter as an alternative to BHP Billiton and might offer a higher price to shareholders than BHP Billiton, or create other incentives in order to tip the takeover bid in their favor.
In our research paper, Cyber Threats to the Mining Industry, we examine modern mining industry practices and processes to help identify vulnerable gaps that threat actors might be able to exploit. We also analyze the reasoning and motivations of various threat actors in pursuing the mining sector. This paper does not look at specific targeted attack campaigns; instead, it provides a general and comprehensive view of the weaknesses existing in the mining sector.