AUSTRALIA
Op-Ed: what the Scope Systems cyber attack reveals about mining’s digital fragility
The recent ransomware attack targeting Scope Systems’ enterprise resource planning (ERP) software stack, which disrupted operations at dozens of mostly Australian mining companies that rely on the company’s cloud services, is a timely reminder of the escalating cyber threat environment facing the mineral extraction industry today.
Notably, Rob Labbe, CEO and CISO-in-Residence at the Mining and Metals ISAC (MM-ISAC) threat intelligence sharing consortium, described the Scope Systems hack as the “broadest-reaching cyber event the mining industry has ever experienced in terms of the number of companies impacted by a single third-party breach.”
On May 5, Perth-based Scope Systems, which specializes in enterprise IT solutions for the mining sector, publicly disclosed that it had suffered a cyber incident. At the time, the company reported that the attack was “preventing customer access to Pronto Xi hosted on the Scope Systems Cloud,” the company’s “support portal, and Scope Systems hosted services, including APIs,” according to the breach notice.
The threat actor “accessed the Scope Systems network for a short period of time (less than 24 hours),” according to the company’s cyber incident FAQ. Additionally, Australia’s two biggest gold miners, Northern Star Resources and Evolution Mining, were impacted by the attack, the Australian Financial Review reported.
Pronto Xi is an integrated ERP platform developed by Pronto Software, another Australian-based firm. Scope Systems is the largest global reseller and implementation partner for Pronto Xi and— using it as their product foundation—markets itself as a leader in providing ERP software to the mining industry worldwide. In fact, “more than 400 mining mining companies worldwide depend on Pronto Software’s Pronto Xi ERP,” according to a Pronto-sponsored article published in MINING.COM last year.
It should be noted, however, that 100 of Scope Systems’ 180+ mining customers (as of 2021) are based in Australia. Additionally, a significant core of their customer base consists of “smaller mining services companies” in Western Australia, according to a 2021 company blog post. So, excluding ASX-listed Northern Star and Evolution, the immediate blast radius of this incident appears more regional than global, even though Pronto Xi itself is widely used across the international mining sector.
Regardless, ERP systems are vital to modern mining operations because they integrate complex, asset-intensive processes like exploration data, production planning, maintenance, supply chains, and regulatory compliance into a single, real-time operational picture. Industry research consultants like Farmonaut note that the mining industry is “undergoing digital transformation at unprecedented speed,” and that mining ERP systems are “central to this movement.”
Thus, an attack affecting a widely used mining-sector ERP reseller like Scope Systems highlights the potentially outsized cybersecurity and operational risks associated with third-party technology dependencies in the resource extraction industry.
While Scope’s latest cyber incident update (dated May 18) notes that their recovery team had successfully restored all client servers from backups, and that the still unknown attacker had failed to access client servers, they cautioned that the adversary exfiltrated data from their internal server. Questions remain about the true magnitude of the attack.
Lingering questions
Beyond the identity of the ransomware variant used in this attack, Scope Systems has also not yet disclosed the attack vector that enabled the threat actor to hijack its cloud environment. This lack of transparency about the culprit and the attack chain places Scope’s claim that it has “not identified that the threat actor accessed client servers” under higher scrutiny.
There are two key questions that arise. What visibility did Scope Systems have at the hypervisor, storage, and backup layers? And how are they defining “client servers” — as customer virtual machines, logical tenants, or as a subset of infrastructure components? As of yet, these questions have not been clarified by the victim.
Overall, Scope’s preliminary view that client servers were untouched appears limited to guest‑level access within customer virtual machine environments. In a multi‑tenant cloud environment, however, a sufficiently privileged adversary who has obtained control over the hypervisor, management plane or underlying storage systems can potentially snapshot or clone customer virtual machines and export them to attacker‑controlled infrastructure without leaving obvious traces inside the guest OS.
Notably, hypervisor and control-plane hijacking—often described as cloud conscious attacks— have become increasingly favored by big-game hunting (BGH) ransomware crews like Akira, Cactus, Royal, and Cl0p, along with access‑broker groups like Scattered Spider that work with multiple ransomware programs.
Former cybercriminal Peter “Severa” Levashov, a onetime operator of the Kelihos botnet that enabled global, industrial‑scale cybercrime campaigns, told our threat intelligence team that “VM cloning/export is not a widely documented, routine RaaS TTP in public incident reporting.”
“Most of the public ESXi/vCenter ransomware reporting still centers on hypervisor access for impact: shutting down VMs, encrypting VMDKs/datastores, deleting snapshots, killing backups, and using vCenter/ESXi as a fast route to domain-critical systems,” he added. But Levashov cautioned that “once an attacker has vCenter or ESXi administrative control, VM cloning, VMDK copying, snapshot abuse, and disk attachment become technically available paths.”
This attack scenario is illustrated by a 2024 Cyber Intelligence Briefing published by S‑RM that details the Akira ransomware group’s sophisticated privilege escalation techniques. Specifically, the report shows how threat actors can leverage virtualization platforms to copy and mount VM disk images in ways that effectively bypass guest‑level logging and many endpoint controls.
After exploiting a vCenter vulnerability, Akira operators created their own VM on an ESXi host, powered down a domain controller, copied its virtual disk files and attached those disks to the attacker VM in order to extract NTDS.dit and the SYSTEM hive for offline credential cracking.
Yelisey Bohuslavskiy, the co-founder of threat intel firm Red Sense, who is engaged in Akira-related investigations told me “the same ESXi and vCenter privileges Akira used to copy and mount those VMDKs could just as easily be used to snapshot, clone or export entire virtual machines, reinforcing that hypervisor‑level ransomware actors already possess the technical capability to perform the kind of VM‑level data theft this paper warns about.”
Most of these attacks are financially motivated, but in a sector central to critical‑mineral supply chains, criminal and state interests increasingly blur. Some notable cybercrime groups that have been observed targeting the global mining sector over the past few years include Lynx (an offshoot of INC), the Gentleman, Tengu, Medusa, DragonForce, 0APT, BianLian, and the now defunct BlackBasta.
This escalation is unfolding just as mining companies race through digital transformation initiatives like rolling out cloud‑hosted ERP, pursuing AI‑driven process optimization, and integrating IIoT‑enabled monitoring across mines and processing plants. These Fourth Industrial Revolution (4IR) technologies bind previously isolated IT and OT networks together, creating new pathways from office systems into haul trucks, crushers and concentrators.
In this environment, a single compromised supplier, cloud platform, ERP system, or remote‑access tool can become a conduit for both data theft and cyber‑physical disruption. Notably, a 2024 survey on mining sector cyber risk published by OT security vendor Claroty found that 76% of respondents disclosed that “one or more cyber attack – and nearly half (41%) said five or more attacks – originated from third-party supplier access” to the cyber-physical systems (CPS) environment.
A lesson in resilience
As Scope’s independent forensic investigation continues, Labbe told me that the key takeaway from this historic attack was the theme of resilience.
“What we’re seeing in the Scope incident is a really stark split between organizations that treated their hosted ERP as someone else’s problem and those that built resilience into the design,” said Labbe.
“The miners that maintained their own, well‑tested backups of Scope‑hosted Pronto Xi were able to restore quickly and keep production moving with minimal disruption. The ones that didn’t have independent copies or workable failover paths were effectively dead in the water—prolonged outages, operational chaos, and real production losses. Scope’s outage was the shock, but resilience, or the lack of it, ultimately determined the impact.”
What makes incidents like the Scope Systems breach particularly consequential is not just the immediate operational disruption, but the broader strategic context in which they are unfolding. Mining is no longer a peripheral industrial sector. This vital industry sits at the center of intensifying geopolitical and geo-economic competition, underpinning everything from energy transition supply chains to defense industrial bases.
As nations compete for access to critical minerals such as lithium, rare earth elements (REEs), gold, and copper, the digital infrastructure that enables extraction, processing, and logistics becomes an increasingly attractive target not only for cybercriminals, but also for state-aligned actors seeking strategic advantage.
At the same time, the industry’s rapid embrace of cloud platforms, ERP centralization, and IT/OT convergence is dramatically expanding the attack surface in ways that outpace traditional security models. Systems that were once isolated are now deeply interconnected, and third-party technology providers have become critical nodes in operational continuity.
The end result is a structurally more fragile environment, where a single point of compromise can cascade across multiple organizations, regions, or supply chains. In this context, cybersecurity in the mining sector is no longer just an IT or operational risk — it is a systemic risk with national and global implications, unfolding amid historic geopolitical and geo-economic competition over critical mineral supply chains.
The Scope Systems incident may be the first of its kind for the mining sector — but it is unlikely to be the last.
BIO: Mark Rorabaugh is the president and CEO of InfraShield, a critical infrastructure cybersecurity firm specializing in the protection of nuclear power plants and a former Nuclear Regulatory Commission inspector who helped write the very regulations that govern nuclear plant cybersecurity today.
