The latest large-scale criminal attack on critical infrastructure shut down port operations across Australia over the weekend, prompting a backup of some 30,000 shipping containers that were unable to unload for several days. The attack, being characterized as a “cyber incident” by victim DP World Australia and still unattributed, appeared to have involved ransomware but without an accompanying ransom demand.
Outage at major logistics management firm scuttles Australian port operations, full recovery in progress
DP World Australia manages four of Australia’s container port operations, accounting for about 40% of the country’s total flow of goods. The company is a division of Dubai-based DP World, which has a presence in over 40 countries and handles about 10% of the world’s container traffic.
Port operations were down for about three days as DP World quickly pulled systems offline during the cyber incident and gradually restored them. Most of the outage took place over the November 11-12 weekend, with the company announcing that it had successfully tested and restored key systems the morning of Monday November 13.
The downtime was enough to back up some 30,000 shipping containers, however, which are taking some additional time to be processed. The company has cautioned that while the cyber incident is now considered contained and that operations are mostly normalized, there could continue to be disruptions to port operations in the coming days. There will be knock-on economic impact as some of the shipping containers reportedly held expensive imported foods, such as lobster and wagyu beef, and possibly health impacts as some contained blood plasma.
There does not appear to be a significant impact on the supply chain of basic everyday goods and essentials, however, as leading retailers Coles and Woolworths have said that they don’t anticipate any significant impact from the outcome of the cyber incident. Woolworths has added that its full range of Christmas inventory has already arrived in the country.
DP World has not named a perpetrator in the cyber incident, or released any substantial details about the nature of the attack. The swift shutdown of systems to the point of stopping port operations for several days would point to ransomware, however. The Australian Federal Police are investigating but have yet to release any further comment. None of the ransomware groups that maintain a dark web presence for data extortion purposes have publicly claimed an attack as of yet.
There is not yet any reported impact from the cyber incident on any of DP World’s other operations. The company makes over $10 billion annually from port operations at 82 terminals throughout the world, processing some 70 million containers in an average year. A representative from DP World said that it is subcontracting some of the work out to similar companies to more quickly clear up the Australia port backlogs.
Recent cyber incidents have rapidly changed Australia’s security climate
The attacks on Colonial Pipeline and JBS in 2021 were somewhat unprecedented in terms of real-world damage, putting critical infrastructure on the menu for criminal hacking groups i n a way that had not really been seen before. A very strong international law enforcement backlash seems to have prompted something of a lull, at least in larger countries that are economic powers, but that may now be over. The DP World cyber incident has echoes of the very recent attack on the Industrial and Commercial Bank of China (ICBC), which saw just its US branch of operations get hit in a way that caused some disruption to trading for several days.
Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd, elaborates on the level of damage this kind of attack could potentially do: “To me, what’s unique about this target is the outsized effect it can have on markets and supply chains. When viewed through the lens of global trade warfare, a shipping supply line, or the ports which enable them, become a pretty compelling target. In order to secure this sector, organizations and governments need to assess, prioritize, strengthen, and respond. It all starts with recognizing your value as a potential target, and considering what a motivated adversary might be able to achieve.”
Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start, adds: “The cyberattack on DP World Australia, a major ports operator, vividly illustrates the fragility of global supply chains to cyber threats. This disruption, which affected key Australian ports, underscores the necessity for robust cybersecurity strategies in critical infrastructure sectors. It emphasizes the interconnected nature of global trade and the potential for significant economic repercussions from such digital vulnerabilities. The recent cybersecurity breach at DP World Australia’s ports highlights the imperative role of government in safeguarding economic stability. This incident demonstrates the need for governments to prioritize and invest in cybersecurity measures, especially for critical infrastructures like ports. It underscores the importance of proactive government involvement to mitigate the economic risks posed by cyberattacks in a digitally-dependent world economy.”
The port operations disruption also comes as Australia has now been grappling with an increased volume of serious cyber attacks for about a year now, something that has prompted rapid legislative change to combat the issue. New rules adopted in February put tighter breach reporting requirements on companies and added harsher punishments for anyone in-country that might be caught participating in such attacks, but major attacks have continued to take place since. On Monday the government proposed tightening reporting requirements even further, making it mandatory for every organization in the country to report ransomware demands or payments. Telecoms companies are also facing strong new requirements under these terms as long-suffering Optus had a weekend outage that was traced back to router misconfiguration after a software upgrade.
DP World has also been dealing with potential disruptions to port operations that pre-date the weekend’s cyber incident. The Maritime Union of Australia is in the midst of negotiating pay increases for industry workers and has met with resistance from DP World and other related employers, responding with strikes and no-shows at works that have slowed deliveries at times.
Yossi Rachman, Director of Security Research at Semperis, expects to see similar attacks on the shipping industry this holiday season: “Cyberattacks against port authorities aren’t new and cyber criminals are fully aware of the disruptions that attacks cause. In fact, during this time of year, hackers will be attacking retailers and their suppliers with a fury because according to the National Retail Federation, holiday shopping revenues are expected to top $957 billion in the U.S. alone. Criminals also know that more retailers are likely to pay a ransom during the busy holiday season because they cannot afford any downtime. It is essential for retailers to know what their critical systems are (including infrastructure such as Active Directory) before attacks occur. If any retailer hasn’t taken this necessary step, it is too late for the 2023 holiday season, but that doesn’t mean they can’t start preparing now for 2024. Tabletop exercises that simulate critical systems’ recovery before an incident occurs are important. By preparing in advance, defenders can make their organizations so difficult to compromise that hackers will look for softer targets. Companies should also monitor for unauthorized changes occurring in their Active Directory environment which threat actors use in most attacks – and have real time visibility to changes to elevated network accounts and groups. In addition, roll out security awareness training to all employees in 2024 as the weakest link in an organization’s ecosystem are employees that unsuspectingly click on malicious links.”