Lithium, copper, and cybercrime: why Latin American mining became a target for attacks

By: Pablo García, Cyber BDM of TIVIT Latam

Cyberattacks targeting the mining sector have doubled in the last year. But the real problem isn't the quantity, it's the speed. Imagine this: Monday at 6:00 AM, your IT team discovers that your operation's data has appeared on a Dark Web forum. The problem is, no one detected any intrusion. The attackers got in, exfiltrated information, and posted it, all before anyone knew anything was wrong.

This is not fiction. According to the Mining and Metals ISAC, this tactic has become common: attackers are now publishing stolen data before the company even knows it has been breached. They no longer negotiate. They go straight to public extortion.

Why mining? Because it’s the perfect target. Mining operations run 24/7, rely on systems that cannot be shut down, and handle minerals that are now strategic to global geopolitics. The MM-ISAC reports that incidents in the sector doubled in the first quarter of 2025. It is no coincidence that 60% of these attacks are concentrated on operations linked to critical minerals.

Latin America has one of the largest reserves of critical minerals on the planet, and this has not gone unnoticed by cybercriminal groups, which is why attacks are increasing and becoming more sophisticated.

But the real challenge isn't the number of attacks. CrowdStrike documented that the average time it takes for an attacker to move laterally through a network, after initial access, is 48 minutes. The fastest recorded case: 51 seconds. If your security team takes hours or days to detect an anomaly, the attacker has already won.

Faced with this pressure, many companies choose to pay the ransom. Claroty found that 43% of the affected mining companies paid more than a million dollars to restore their systems. The problem: 83% of those who paid were attacked again. Paying doesn’t buy security; it buys time before the next attack.

And how do they get in? In three out of four cases, the attack originated through an external provider: the maintenance contractor, the systems integrator, the software provider. All with legitimate access. All potential attack vectors.

Total visibility in OT, detection with AI that acts in minutes, and zero trust in suppliers. If your strategy doesn't have these three elements, you need to re-evaluate it.

The industry has grasped the magnitude of the problem. In 2023, the region's main mining companies created CC MIN (Mining Cybersecurity Corporation), an association exclusively dedicated to strengthening cybersecurity and protecting the mining sector. In 2025, it signed a strategic alliance with the global MM-ISAC.

The message is clear, this is no longer solvable on its own. And the question each mining executive must ask themselves today is simple: can their operation detect and respond to an attack in under 48 minutes? Because attackers already can.