Nippon Steel, the world’s fourth-largest crude steel producer, has allegedly suffered a ransomware attack at the hands of the BianLian ransomware group. It keeps the steel manufacturing giant front and center in the news after an already tumultuous start to 2025.
The ransomware group posted the Tokyo-headquartered steel-making company on its dark leak site Thursday, claiming to have stolen 500 GB of data from Nippon’s US division networks.
Nippon Steel, which is the largest steel manufacturer in Japan with 10 branches, also has manufacturing bases and offices in over a dozen countries across Asia, North, Central, and South America, Europe, the Middle East, and Africa, according to its website.
The publicly traded company lists over 113,000 employees worldwide and an annual revenue of 8.78 trillion in Japanese Yen, the equivalent of about $57.5 billion, according to the Financial Times.
The group claims to have exfiltrated a plethora of sensitive information from the steel behemoth, such as:
- Accounting data
- Client financial and personal data
- Network uses personal folders
- Files from Management PCs
- Fileserver data
- Production data
- Personal [personnel] data
BianLian additionally posted the personal contact information, including direct phone numbers and business email addresses, to the company's C-suite executives, including Nippon Steel CEO and Chairman Eiji Hashimoto and Nippon Steel President Hiroshi Moto.
Ransomware timing is everything
The timing of the attack couldn’t be worse for Nippon. The global company has been splashed across the front page of industry headlines since a $15 million merger with US Steel, first proposed in 2023, was blocked by US President Joe Biden in January after growing opposition from anti-trust advocates and national security hawks.
On January 7th, Nippon announced it was suing the Biden administration for “illegally” blocking the proposal for political purposes.
So how does this factor into BianLian's purported ransomware attack?
First noted by the open-source ransomware tracker RansomLook, BianLian lists Nippon under its manufacturing section and as one of its US victims, although the multi-faceted company states it has four business segments: steelmaking, engineering, chemicals, and system solutions, as well as its own research and development division.
BianLian also posted a data sample on its dark blog, which appears to depict a breakdown of Nippon’s potential merger with US Steel, before and after.
Legal battles aside, since President Donald Trump took office on January 20th, some sort of deal between the two companies appears to be moving towards a resuscitation.
On Friday, Trump, who is still against a full buyout, said he would not mind if Nippon took a minority stake in US Steel, doubling down on comments he made last week giving the OK for Nippon to partially invest in the American steel maker, reported Bloomberg News.
Apparently, Trump’s February 7th comments had blindsided both companies (who denied ever communicating directly with Trump about the matter) and sent shares tumbling, the news outlet said.
Nippon on Friday has now said it will present an alternative deal between the steel giants.
This is where it gets interesting. Ironically, when Cybernews went to BianLian’s onion site on Friday to confirm the leak was posted, Nippon was mysteriously absent from BianLian’s list of victims.
BianLian, in its original post, had written that the data from Nippon Steel would be "available soon" and that it would be "published block by block, so stay tuned for updates of this company."
This leads us to speculate that Nippon may be in the process of negotiating to pay a ransom demand to avoid any financial and/or reputational fallout in case a deal comes to fruition.
Cybernews has reached out to Nippon Steel’s US division and is waiting for a response.
Who is BianLian?
The BianLian ransomware group appeared on the cybercriminal circuit back in June 2022, although the group is considered by experts as a relatively inexperienced one.
The group develops and deploys its own ransomware variant, mainly targeting critical infrastructure sectors in the US and Australia, according to a 2023 advisory alert by the US Cybersecurity and Infrastructure Security Agency (CISA).
BianLian, which tends to go after small and midsize businesses, has since branched out to claim victims in the medical, professional, and real estate industries, including the US Better Business Bureau (BBB) and Affiliated Dermatologists in mid-2024. Attacks on other high-profile victims, such as Air Canada, Tennessee State University, and Ashley Furniture, were carried out in 2023.
The Cybernews Ransomlooker tool shows in the past 12 months, BianLian has carried out rougly 140 attacks.
The gang is also said to have evolved from first stealing data and then encrypting its victims’ systems – known as double extorsion – to a mainly data exfiltration-based extortion model, according to an updated CISA and FBI joint advisory from November.
The threat actors, believed to be of Russian origin, typically gain access to victims through the use of valid Remote Desktop Protocol (RDP) credentials, using open-source tools and command-line scripting for discovery and credential harvesting, the warning bulletin stated.
Once a system is breached by BianLian, the attackers are known to “create custom back doors for each victim and install remote management and access software for persistence and command and control,” the advisory said.
Your email address will not be published. Required fields are markedmarked