Australian rare earth mining company Northern Minerals reported that cybercriminals stole sensitive corporate secrets from its systems shortly after the government forced several Chinese investors to divest their shares.

Northern Minerals, which owns the mineral-rich Browns Range project in Western Australia, announced Tuesday that it discovered the cybersecurity breach in late March. They enlisted the Australian Cyber Security Center, the Office of the Australian Information Commissioner, and external cybersecurity consultants to investigate.

"The stolen data included corporate, operational, financial information, and some details of current and former personnel and shareholders. Notifications to affected individuals are ongoing," said Northern Minerals. The incident did not materially impact operations or broader systems. However, some data has been released on the dark web.

The Browns Range project, rich in dysprosium and terbium essential for electric vehicles, wind turbines, and defense, is on the northern edge of the Tanami Desert. China currently mines 99% of the world's dysprosium.

The announcement followed Treasurer of Australia Jim Chalmers' order for five China-linked investors to divest their 10.4% shareholding. The decision aims to protect national interests and comply with the foreign investment framework.

The BianLian ransomware group listed Northern Minerals as a victim, claiming to have stolen 1.65 gigabytes of corporate data, including operational, strategic, geological, financial, competitor research, shareholder, potential investor, corporate email, and employee personal data.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported that BianLian has targeted U.S. and Australian critical infrastructure since June 2022, primarily for extortion. The group exploits compromised Remote Desktop Protocols and uses open-source tools for credential harvesting and data exfiltration. Recently, BianLian shifted to exfiltration-based extortion, aligning with Northern Minerals' statement that the breach did not affect broader systems or operations.

Although not classified as a nation-state actor, cybersecurity company Resecurity found links between BianLian and other ransomware groups with IP addresses traced to China.