Shaarli Daily

All of one day's links on a single page.

September 10, 2025

Week 36: New danger linked to SMS Blasters

ncsc.admin.ch, Swiss Federal Office for Cybersecurity (OFCS), 09.09.2025

The OFCS is currently receiving numerous reports of SMS messages posing as parking fines in French-speaking Switzerland. Strikingly, the people targeted by these phishing SMS had always been in similar locations beforehand. This indicates that the cybercriminals are using technical tools that allow them to manipulate SMS delivery. Using small, portable, tampered mobile base stations that fit in a backpack, fraudsters can, for example, capture the mobile signal of phones and thereby send SMS to nearby devices.

In recent weeks, the OFCS reporting service has received numerous reports of phishing attempts by SMS sent to people in French-speaking Switzerland. Phishing attempts using supposed parking fines are a known phenomenon and are regularly reported to the OFCS. Those targeted receive e-mails or SMS from cybercriminals posing as police officers, telling them that they are late paying a fine. The message contains a link to a fake payment page that looks deceptively like the official portal of the authorities. The requests are deliberately worded vaguely in order to reach as many recipients as possible. The criminals' goal is to harvest credit card data or other personal information.

While the fake fines were mainly sent by e-mail in recent weeks, they are now being sent by SMS.

SMS with the fake parking fine (left). The link leads to a fake website where the fine must be paid and credit card details entered.

All recipients in French-speaking Switzerland

The new reports also share a notable common element. All the recipients had been in the same geographical area in French-speaking Switzerland shortly before receiving the SMS. This finding suggests the existence of a method that allows the fraudsters to send SMS to their victims in a targeted way. One person who filed a report provided another valuable piece of information: his smartphone's mobile network standard switched from 4G to 2G shortly before the SMS arrived. He then received the SMS containing the fraudulent link, after which the standard switched back to 4G. All these clues suggest that the attackers are using what is known as an "SMS Blaster".

A new dimension: phishing via SMS Blaster

An SMS Blaster makes it possible to send text messages (SMS) to several people simultaneously. It is a mobile device, the size of a computer case, that poses as a mobile phone mast. Cybercriminals hide these devices in car boots or backpacks, or carry them by bicycle. The device emits a strong signal and asks all smartphones within a radius of 500 to 1,000 metres to connect to it.

The insidious trick: the device poses as the best available base station. As soon as your smartphone connects, you automatically receive a fake SMS, without the fraudsters needing to know your phone number. There are also mechanisms that ensure a device connects to the fake mobile base station only once during a given period and receives the SMS only once, so that the attacker can circulate around the same site several times.

How does this type of attack work?

SMS Blasters are an evolution of IMSI catchers. IMSI catchers are devices that can read the International Mobile Subscriber Identity (IMSI) stored on a mobile phone's SIM card and locate a mobile phone within a radio cell. SMS Blasters exploit this technology in combination with a flaw in the obsolete 2G mobile standard: IMSI catchers combined with this flaw are used to send SMS to users' devices without their mobile operator's knowledge. This bypasses the SMS filters put in place and extended by the operator; only the filters installed on the device (if any) remain active.

Technically, these are fake mobile base stations (FBS) that connect to a mobile network and pose as legitimate radio cells.

A typical sequence:

The devices send a strong signal to induce nearby mobile phones to connect to them.
The device forces the mobile phone to switch to 2G, an obsolete network with known flaws.
Another flaw makes it possible to send any SMS with a spoofed sender directly to the device.
The sender number can be neither verified nor blocked, because it can be chosen freely.
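
The indicator reported above (a 4G to 2G drop just before the SMS, then a return to 4G) can be turned into a simple detection heuristic over a device's network and message events. This is an added example, not part of the OFCS text; the log format, the 120-second window and every sample line are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed device event log. Hypothetical format:
#   <ISO timestamp> RAT <2G|3G|4G|5G>
#   <ISO timestamp> SMS <sender> <text>
SAMPLE_LOG = """\
2025-09-02T08:14:03 RAT 4G
2025-09-02T08:15:10 SMS +41790000001 Your parcel arrives today.
2025-09-02T12:31:40 RAT 2G
2025-09-02T12:31:52 SMS POLICE Unpaid parking fine: https://example.invalid/pay
2025-09-02T12:32:20 RAT 4G
2025-09-02T18:02:00 RAT 2G
2025-09-02T18:40:00 SMS +41790000002 Call me back
2025-09-02T19:10:00 RAT 4G
"""

GENERATION = {"2G": 2, "3G": 3, "4G": 4, "5G": 5}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class Finding:
    time: datetime
    sender: str
    has_link: bool
    seconds_after_downgrade: float


def parse_events(log):
    """Parse the log into (timestamp, kind, field, text) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # skip blank or malformed lines
        ts = datetime.fromisoformat(parts[0])
        if parts[1] == "RAT" and parts[2] in GENERATION:
            events.append((ts, "RAT", parts[2], ""))
        elif parts[1] == "SMS":
            text = parts[3] if len(parts) > 3 else ""
            events.append((ts, "SMS", parts[2], text))
    return sorted(events, key=lambda e: e[0])


def find_suspect_sms(events, window=timedelta(seconds=120)):
    """Flag SMS received on 2G shortly after a downgrade from a newer
    network, when the phone returns to a newer network shortly afterwards.

    A long stay on 2G (for example in an area with poor coverage) is not
    flagged, and neither is a log that starts on 2G, because no downgrade
    was observed in either case.
    """
    findings = []
    current = None        # last known radio access technology
    downgrade_at = None   # time of the most recent observed drop to 2G
    pending = []          # SMS seen on 2G, waiting for the return to 3G+
    for ts, kind, field, text in events:
        if kind == "RAT":
            if (current is not None and GENERATION[field] == 2
                    and GENERATION[current] > 2):
                downgrade_at = ts
                pending = []
            elif GENERATION[field] > 2:
                # Back on a newer network: confirm SMS if the return was quick.
                findings.extend(f for f in pending if ts - f.time <= window)
                pending = []
                downgrade_at = None
            current = field
        elif kind == "SMS" and current == "2G" and downgrade_at is not None:
            delay = ts - downgrade_at
            if delay <= window:
                pending.append(Finding(ts, field, bool(URL_RE.search(text)),
                                       delay.total_seconds()))
    return findings


if __name__ == "__main__":
    for f in find_suspect_sms(parse_events(SAMPLE_LOG)):
        print(f"{f.time.isoformat()} sender={f.sender} link={f.has_link} "
              f"{f.seconds_after_downgrade:.0f}s after 2G downgrade")
```

A match is only a lead for triage: phones also fall back to 2G for ordinary coverage reasons, so the link flag and the short dwell time on 2G are what make an event worth reporting.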

Countering these threats requires cooperation

The OFCS is aware of the threat posed by SMS Blasters and is working closely with the cantonal police forces, telecommunications companies, the Federal Intelligence Service (SRC) and the Federal Office of Communications (OFCOM) to counter this phenomenon.

Recommendations

Be wary of SMS messages that ask you to make a payment, especially those that mention parking fines.
Do not click on links contained in suspicious SMS messages.
Never enter your personal data or credit card numbers on unknown websites.
Always verify requests directly with the official authorities.

‘Partygate,’ a Russian threat and reality TV: What hackers found in Boris Johnson leak

san.com straightarrownews Sep 08, 2025 at 06:20 PM GMT+2
Mikael Thalen (Tech Reporter)

Summary
Sensitive data leaked
More than 2,000 files linked to former U.K. Prime Minister Boris Johnson were stolen by hackers and leaked online.

‘Devastating’ breach
Cybersecurity experts describe the leak as a serious exposure of data belonging to a world leader.

‘High-priority target’
A former U.K. official says the breach could be related to an influence campaign by a foreign adversary.

Full story
Leaked computer files tied to former U.K. Prime Minister Boris Johnson offer an unprecedented glimpse into a scandal over COVID-19 protocols, his response to the Ukraine war and his private views on world leaders, including Russian President Vladimir Putin. The hack also found documents pitching a reality television show.

Taken together, the files paint an intimate portrait of the former politician’s day-to-day activities, including during his time as prime minister from 2019 to 2022.

Straight Arrow News obtained the more than 2,000 files from the nonprofit leak archiver DDoSecrets. Unidentified hackers quietly posted the data online last year, according to DDoSecrets co-founder Emma Best, but it has not been previously reported.

SAN sent an inquiry to Johnson’s office, where the data appears to have originated, as well as to Johnson’s personal email address, but did not receive a reply.

Little is known about the details surrounding the breach and those responsible. But cybersecurity experts describe the data leak as a serious exposure of information in the hands of a world leader.

“It’s obviously a devastating compromise if personal emails, documents and the like have been collected and breached,” Shashank Joshi, visiting fellow at the Department of War Studies at King’s College London, told SAN.

World leaders are regularly targeted by both criminal and nation-state hackers. In 2020, according to researchers at Citizen Lab, the University of Toronto-based group that specializes in spyware detection, multiple phones at Johnson’s office and the foreign office were compromised.

That attack, which Citizen Lab linked to the United Arab Emirates, was carried out with the advanced Israeli-made spyware known as Pegasus. Both the UAE and NSO Group, the company behind the spyware, denied involvement.

Rob Pritchard, the former deputy head of the U.K.’s Cyber Security Operations Centre and founder of the consulting firm The Cyber Security Expert, told SAN that it is entirely possible that the hack of Johnson could be tied to an influence operation from a foreign adversary.

“I think this really highlights the importance of ensuring good practices when it comes to cybersecurity, especially for high-profile individuals,” Pritchard said. “Ex-prime ministers will undoubtedly still be very high-priority targets for a range of countries, and their private office will hold sensitive information, if not actually classified information in the strict sense.”

‘Security briefing: Nuclear’
A folder titled “Travel” underscores the hack’s intrusiveness.

It includes photos of Johnson’s passport and driver’s license, as well as his visa information for Australia, Canada, Kurdistan, Saudi Arabia and the U.S. Identifying documents for family and staff are also present.

Itineraries outlining visits to numerous countries offer insight into Johnson’s routine. One U.S. visit, which does not include a date but appears to have been during President Donald Trump’s first term, shows efforts by Johnson to meet prominent politicians, such as Sen. Ted Cruz, R-Texas, former National Security Adviser John Bolton, former United Nations Ambassador Nikki Haley and Florida Gov. Ron DeSantis.

Other itineraries, including one for a November 2023 visit to Israel, mention Johnson’s security measures. The document states that although Johnson did not bring a protection force of his own, “4 Israeli private security agents” would look after his group while “on the ground.”

Documents related to a November 2022 visit to Egypt show the names and phone numbers of two individuals tasked with protecting Johnson while in the city of Sharm El-Sheikh. The travel folder also contains documents related to VIP suite bookings at London Gatwick Airport and COVID-19 vaccination records for those traveling with Johnson.

Another folder called “Speeches” contains dozens of notes and transcripts for talks by Johnson both during and after his tenure. Invoices show how much Johnson charged for several speaking engagements in 2024 after leaving office, including $350,000 for a speech to Masdar, a clean energy company in the UAE. After deductions, however, Johnson appears to have pocketed $94,459.08.

The usernames, passwords, phone numbers and email addresses used for Johnson’s accounts on Facebook, Instagram, Twitter, LinkedIn, Snapchat and Threads are exposed as well in a file marked “confidential.”

Another folder, labeled “DIARY,” includes Johnson’s daily schedules, marked as both “sensitive” and “confidential,” during his time as prime minister. One schedule from July 2019 simply states, “Security briefing: Nuclear.” Another entry from that month: “Telephone call with the President of the United States of America, Donald Trump.”

‘Partygate’
A folder titled “Notebooks” includes scans of hundreds of pages of Johnson’s handwritten notes. Many sections have been redacted with “National Security” warnings.

SAN confirmed that the documents are related to the U.K.’s independent public inquiry into the COVID-19 pandemic, which required Johnson to hand over copies of his diaries and notebooks. Although many of the documents related to the inquiry were made public, those obtained by SAN were not.

The investigation found that Johnson attended numerous social gatherings during the pandemic in breach of COVID-19 lockdown regulations. The ensuing scandal, known as “Partygate,” ultimately led to Johnson’s resignation.

In one notebook entry dated March 19, 2020, Johnson writes that “some very difficult rationing decisions” would be required because of the pandemic’s strain on the U.K.’s medical system.

Another entry regarding the 2021 G7 summit in Cornwall, England, highlights the issues Johnson planned to discuss with numerous world leaders, including former President Joe Biden, French President Emmanuel Macron and former German Chancellor Angela Merkel.

‘It would only take one missile’
The data cache contains 160 emails from the first 22 months following Johnson’s tenure as prime minister. They appear to have come from the account of Johnson’s senior adviser.

These emails discuss Johnson’s private endeavors, including a document pitching a reality TV show to popular streaming platforms, complete with AI-generated photos of the former world leader.

One of the later emails contained in the breach, dated June 10, 2024, shows attempts by the U.K.’s National Security Secretariat to schedule a meeting with Johnson regarding “a sensitive security issue” almost two years after he left office.

The email, sent on behalf of Deputy National Security Adviser Matt Collins, noted a “strong preference” for an in-person meeting with the former prime minister. It’s unclear what spurred the meeting request and whether it was related to the breach.

The final folder from the leaked data involves the Russian invasion of Ukraine.

Notes on a widely reported phone call between Johnson and Russian President Vladimir Putin from February 2022 offer insight into the former prime minister’s thinking. The conversation is described by Johnson, who makes specific mention of Putin’s use of profanity, as “weirdly intimate in tone.”

Johnson also claims that Putin said, “I don’t want to hurt you boris but it would only take one missile.”

Johnson later revealed the threat in a 2023 documentary by the BBC. A Kremlin spokesperson responded by calling the claim a “lie.”

In another entry dated “25 October,” Johnson reminds himself to “call Putin” with an invite to a United Nations Climate Change Conference. Johnson notes that such events are “not really his bag since it is all about moving beyond hydrocarbons and he is paranoid about covid.”

The leak also contains a U.K. Defense Intelligence document dated December 2022 regarding the status of a nuclear power plant in Ukraine. The document includes numerous classification labels, such as sensitive, which denotes that it is not intended for public release. Other markings show that the document may only be shared with international partners in the European Union, NATO, Australia and New Zealand.

The U.K.’s Cabinet Office, which supports the prime minister, did not provide a statement when contacted by SAN.

Alan Judd (Content Editor) and Devin Pavlou (Digital Producer) contributed to this report.

Vietnam’s national credit registration and reporting agency hacked; most of the population affected – DataBreaches.Net

databreaches.net Posted on September 8, 2025 by Dissent

Some data breaches make headlines for the number of people affected globally, such as a Facebook scraping incident in 2019 that affected 553 million people worldwide. Then there are breaches that affect a country’s entire population or much of it, such as a misconfigured database that exposed almost the entire population of Ecuador in 2019, an insider breach that compromised the information of almost all Israelis in 2006, a misconfigured voter database that exposed more than 75% of Mexican voters in 2016, and the UnitedHealth Change Healthcare ransomware incident in 2024 that affected more than 190 million Americans.

And now there’s Vietnam. ShinyHunters claims to have successfully attacked and exfiltrated more than 160 million records from the Credit Institute of Vietnam, which manages the country’s state-run National Credit Information Center. Vietnam National Credit Information Center is a public non-business organization directly under the State Bank of Vietnam, performing the function of national credit registration; collecting, processing, storing and analyzing credit information; preventing and limiting credit risks; scoring and rating the credit of legal entities and natural persons within the territory of Vietnam; and providing credit information products and services in accordance with the provisions of the State Bank and the law.

While those affiliated with ShinyHunters bragged on Telegram that Vietnam was “owned within 24 hours,” ShinyHunters listed the data for sale on a hacking forum, and provided a large sample of data from what they described as more than 160 million records with “very sensitive information including general PII, credit payment, risks analysis, Credit cards (require you’re own deciphering of the FDE algorithm), Military ID’s, Government ID’s Tax ID’s, Income Statements, debts owed, and more.”

DataBreaches asked ShinyHunters for additional details about the incident, including how many unique individuals were in the data, because the country’s entire population is slightly under 102 million. ShinyHunters responded that the data set included historical data. They stated that they did not know how many unique individuals were involved, but were pretty sure they got the entire population.

Because this incident did not seem to be consistent with ShinyHunters’ recent campaigns, DataBreaches asked how they picked the target and how they gained access. According to ShinyHunters, they picked the target because it held a massive amount of data. The total amount of records (lines) across all tables was like 3 billion or more, they said, and they gained access by an n-day exploit. On follow-up, DataBreaches asked whether this was an exploit that CIC could have been able to patch. There was no actual patch available, Shiny stated, as the software was end-of-life.

In response to a question as to whether the CIC had responded to any extortion or ransom demands, ShinyHunters stated that there had been no ransom attempt at all because ShinyHunters assumed they would not get any response at all.

DataBreaches emailed the CIC to ask them about the claims, but has received no reply by publication. If CIC responds to DataBreaches’ inquiries, this post will be updated, but it is important to note that there is no confirmation of ShinyHunters’ claims at this point, however credible their claims may appear.

It is also important to note that this post has referred to this as an attack by ShinyHunters and has not attributed it to Scattered Spider or Lapsus$. When DataBreaches asked which group(s) to attribute this to, ShinyHunters had replied, “It wasn’t a Scattered Spider type of hack … so ShinyHunters.” ShinyHunters acknowledged that they need to deal with the name situation, but said, “I don’t know how to fix the name problem considering for years everyone thought both are completely different groups.”

Jeremy Clarkson revealed hackers stole £27,000 from his pub

oxfordmail.co.uk | Oxford Mail By Madeleine Evans
Digital reporter

The Clarkson's Farm presenter said The Farmer's Dog pub in Burford has been the latest victim of cyber criminals, the same ones who launched massive attacks on M&S and Co-op in recent months.

Writing in his Sun column, the TV presenter-turned-farmer explained that the popular country pub had been hit too.

The former journalist wrote: "So, Jaguar Land Rover had to shut down its production lines this week after systems were breached by computer hackers. And we are told similar attacks were launched in recent months on both M&S and the Co-op.

"But no one thought to mention that my pub, The Farmer’s Dog, has been hit too. It was though.

"Someone broke into our accounting system and helped themselves to £27,000."

The former Top Gear host purchased The Windmill pub in Asthall near Burford for around £1,000,000.

The pub reopened to the public one year ago on August 22, 2024, at midday after being renamed The Farmer’s Dog.

Since its opening, the 65-year-old celebrity owner has described running it as "more stressful" than running the farm.

The cyber attack comes as the latest setback in a string of difficulties facing the Diddly Squat farmer, as he has come up against local councils, Oxfordshire residents and farming issues, all documented in his hit Amazon Prime series Clarkson's Farm.

Series four of the documentary show was released across May and June this year, with eight new episodes dropping on Prime Video.

Major blood center says thousands had data leaked in January ransomware attack

therecord.media The Record from Recorded Future News, Jonathan Greig
September 9th, 2025

One of the largest independent blood centers serving over 75 million people across the U.S. began sending data breach notification letters to victims this week after suffering a ransomware attack in January.

New York Blood Center submitted documents to regulators in Maine, Texas, New Hampshire and California that confirmed the cyberattack, which they said was first discovered on January 26.

The organization left blank the sections of the form in Maine that state how many total victims were affected by the attack but told regulators in Texas that 10,557 people from the state were impacted. In a letter on its website, New York Blood Center said the information stolen included some patient data as well as employee information.

The information stolen during the cyberattack includes names, health information and test results. For some current and former employees, Social Security numbers, driver’s licenses or government ID cards and financial account information were also leaked.

An investigation into the attack found that hackers accessed New York Blood Center’s network between January 20 and 26, making copies of some files before launching the ransomware.

Founded in 1964, New York Blood Center controls multiple blood-related entities that collect about 4,000 units of blood products each day and serve more than 400 hospitals across dozens of states.

The organization also provides clinical services, apheresis, cell therapy, and diagnostic blood testing — much of which requires receiving clinical information from healthcare providers. The organization said some of this information was accessed by the hackers during the cyber incident.

The investigation into the ransomware attack was completed on June 30 and a final list of victims that needed to be notified was compiled by August 12.

New York Blood Center began mailing notification letters on September 5 but also posted a notice on its website and created a call center for those with questions.

Multiple blood donation and testing companies were attacked by ransomware gangs over the last year including OneBlood, Synnovis and South Africa’s national lab service.

European crypto platform SwissBorg to reimburse users after $41 million theft

The Record from Recorded Future News Jonathan Greig
September 10th, 2025

Nearly 200,000 Solana coins were stolen from SwissBorg, or about 2% of its assets, according to the platform's CEO. The company pledged to pay users back.

The SwissBorg platform said about $41 million worth of cryptocurrency was stolen during a cyber incident affecting a partner company this week.

The Switzerland-based company confirmed industry reports of an incident but said its platform was not hacked. CEO Cyrus Fazel explained that an external decentralized finance wallet held by a partner was breached on Monday.

The stolen funds represent 2% of SwissBorg’s total assets, according to Fazel, and about 1% of users had cryptocurrency stolen. In total, 192,600 Solana (SOL) coins were stolen — which is worth more than $41 million as of Tuesday afternoon.

In an update on Tuesday, the company pledged to make all affected customers whole and is still investigating the incident.

SwissBorg officials said they are working with several blockchain security firms to investigate the incident and thanked Chainalysis as well as cryptocurrency investigator ZachXBT and others for their assistance in addressing the issue.

The partner company that was attacked, Kiln, released its own statement confirming that it was suffering from a cyberattack and said the root cause has been discovered. Kiln is a cryptocurrency infrastructure company.

“SwissBorg and Kiln are investigating an incident that may have involved unauthorized access to a wallet used for staking operations. The incident resulted in Solana funds being improperly removed from the wallet used for staking operations,” Kiln said in a blog post.

“Upon detection, SwissBorg and Kiln immediately activated an incident response plan, contained the activity, and engaged our security partners. SwissBorg has paused Solana staking transactions on the platform to ensure no other customers are impacted.”

Experts explained that the attack was sourced back to Kiln’s application programming interface (API) — which is used by SwissBorg to communicate with Solana. The hackers breached the API and stole funds through it.

SwissBorg said it is also working with law enforcement on the incident and is trying to recover the stolen funds.

Fazel published a video about the incident, telling users that the platform has dealt with multiple cyberattacks in the past.

“We have all the agencies around the world that are really helping us to make sure that we are looking at every transaction. Some of the transactions actually have been blocked. All the different exchanges around the world are helping us,” he said.

“We have enough funds, and we'll find a compensation that will match your expectation. We are doing everything in our effort to make sure that this incident, as big as it is, will eventually be a small drop in the ocean of SwissBorg.”

The attack comes less than a month after a popular cryptocurrency platform in Turkey temporarily suspended deposits and withdrawals following the theft of $49 million worth of coins.

Overall, more than $2 billion in cryptocurrency was stolen by hackers in the first half of 2025, according to the blockchain security firm Chainalysis.

SessionReaper, unauthenticated RCE in Magento & Adobe Commerce (CVE-2025-54236)

by Sansec Forensics Team - sansec.io

Published in Threat Research − September 08, 2025

Adobe released an out-of-band emergency patch for SessionReaper (CVE-2025-54236). The bug may hand control of a store to unauthenticated attackers. Automated abuse is expected and merchants should act immediately.

Article updated: Sep 9th, 2025 13:48 UTC

Adobe broke their regular release schedule to publish a fix for a critical (9.1) flaw in all versions of Adobe Commerce and Magento. The bug, dubbed SessionReaper and assigned CVE-2025-54236, allows customer account takeover and unauthenticated remote code execution under certain conditions. Sansec was able to simulate the attack and so may less benign parties. It does not help that the Adobe patch was accidentally leaked last week, so bad actors may already be working on the exploit code.

Adobe's official advisory describes the impact as "an attacker could take over customer accounts," which does not mention the risk of remote code execution. The vulnerability researcher who discovered CVE-2025-54236 confirmed this on Slack:

"Blaklis
BTW, this is a potential preauth RCE, whatever the bulletin is saying.
Please patch ASAP"

SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022) and CosmicSting (2024). Each time, thousands of stores got hacked, sometimes within hours of the flaw being published.

Timeline

Aug 22nd: Adobe internally discusses emergency fix
Sep 4th: Adobe privately announces emergency fix to selected Commerce customers
Sep 9th: Adobe releases emergency patch for SessionReaper - CVE-2025-54236 in APSB25-88

What merchants should do

If you are already using Sansec Shield, you are protected against this attack.

If you are not using Sansec Shield, you should test and deploy the patch as soon as possible. Because the patch disables internal Magento functionality, chances are that some of your custom/external code will break. Adobe published a developer guide with instructions.

If you cannot safely apply the patch within the next 24 hours, you should activate a WAF for immediate protection. Only two WAFs block this attack right now: Adobe Fastly and Sansec Shield.

If you did deploy the patch but not within 24 hours of publication, we recommend running a malware scanner like eComscan to find any signs of compromise on your system. We also recommend rotating your secret crypt key, as leaking it would allow attackers to update your CMS blocks indefinitely.

How the attack works

Our security team successfully reproduced one possible avenue to exploit SessionReaper, but there are likely multiple vectors. While we cannot disclose technical details that could aid attackers, the vulnerability follows a familiar pattern from last year's CosmicSting attack. The attack combines a malicious session with a nested deserialization bug in Magento's REST API.

The specific remote code execution vector appears to require file-based session storage. However, we recommend that merchants using Redis or database sessions take immediate action as well, as there are multiple ways to abuse this vulnerability.

Active exploitation

Sansec tracks ecommerce attacks in real-time around the globe. We have not seen any active abuse yet but will update this section when we do.

Follow live ecommerce attacks here.

Acknowledgements

Credits to Blaklis for discovering the flaw.

Thanks to Scott Robinson, Pieter Hoste and Tu Van for additional research.

Sansec is not affiliated with Adobe and runs unbiased security research across the eCommerce ecosystem. Sansec protects 10% of all Magento stores worldwide.