Virtual Event Today: Supply Chain Security Summit - Register Now

Security Experts:

Connect with us

Hi, what are you looking for?



Chinese Threat Actor Targets Rare Earth Mining Companies in North America, Australia

Mandiant’s security researchers have been tracking influence campaigns that a Chinese threat actor named Dragonbridge has been conducting against rare earth mining companies in Australia, Canada, and the United States.

Mandiant’s security researchers have been tracking influence campaigns that a Chinese threat actor named Dragonbridge has been conducting against rare earth mining companies in Australia, Canada, and the United States.

Active since at least 2019, Dragonbridge has been using a network of thousands of inauthentic accounts on social platforms, websites, and forums to promote narratives in support of China’s political interests.

More recently, the threat actor has started a social media campaign focused on rare earth mining companies, including Lynas Rare Earths Ltd (Australia), Appia Rare Earths & Uranium Corp (Canada), and USA Rare Earth.

As Mandiant notes, the targeted industry is of strategic significance to China, with the three victim companies challenging the country’s supply chain dominance in the industry. Rare earth metals represent a critical component of consumer and military products, including aircraft engines and missile guidance systems.

The targeting of these companies falls in line with recent events that clearly impacted China: Lynas, the largest rare earths mining and processing company outside China, has signed a contract with the US Department of Defense for the construction of a Texas processing facility, USA Rare Earth is planning a processing facility in Oklahoma, and Appia has discovered a new rare earths bearing zone.

As part of the influence campaign, fake accounts, including some pretending to be of Texas residents, were used to call for protests and critique President Biden’s invocation of the Defense Production Act on March 31, 2022, to accelerate the production of critical minerals in the US.

“While the activity we detail here does not appear to have been particularly effective and received only limited engagement by seemingly real individuals, the campaign’s microtargeting of specific audiences suggest the possibility of using similar means to manipulate public discourse surrounding other U.S. political issues to the PRC’s advantage,” Mandiant noted.

The campaign claimed that the building of a rare earths processing facility in Texas would have a negative impact on the environment, exposing the local population to radioactive contamination and health problems.

The suspected inauthentic accounts posted messages on Twitter and on the public Facebook group “STOP LYNAS! NO to Lynas Exporting and Creating Another Toxic Legacy,” but received little engagement.

The posts were mainly in English, with some of the content in Chinese and Malay. The threat actor posted photos of Malaysian demonstrations against Lynas due to controversy regarding the disposal of radioactive waste at its facility in Kuantan. The influence campaigns targeting Appia and USA Rare Earth started in June.

“Accounts leveraged commentary by real individuals, such as U.S. politicians and commentators, to support their arguments against Lynas, its planned processing facility in Texas, and the Biden administration’s decision to expedite production of critical minerals,” Mandiant noted.

The security researchers discovered that the threat actor had created new accounts to promote the same narratives promoted by previously identified Dragonbridge accounts, all of which have shown similar indicators of inauthenticity and coordination, such as the use of photos from online sources, the use of seemingly random numeric strings in account names, and the creation of accounts in clusters.

“In addition to the accounts’ posting of identical or similar rare earths-related content, we also observed some of the accounts post identical or similar apolitical content, such as inspirational quotes, wellness, travel, and sports content,” Mandiant said.

Related: Facebook Battles Cyber Campaigns Targeting Ukraine

Related: Facebook Adapts Defenses as Deception Campaigns Go Stealth

Related: Russia-Linked ‘Ghostwriter’ Disinformation Campaign Tied to Cyberspy Group

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...