Australia (Sydney, Melbourne, Brisbane, and Fremantle)
Dubai Ports International (DP World) Australia, Australian Government, Undisclosed Threat Actor
A significant cyber security incident, first detected late on Friday, 10/11/2023, affected major Australian ports operated by DP World Australia, the country’s largest container terminal operator. The company is responsible for handling 40% of maritime freight at its respective ports.
This incident has led to the shutdown of ports in Melbourne, Sydney, Brisbane, and Fremantle.
Activities from DP World Australia were halted from 10/11/2023 until 13/11/2023.
DP World Australia considered the incident so significant that it took its systems offline for quarantine.
The Australian government has acknowledged the severity of the situation, describing it as a “significant cyber security incident” that could last several days. The response is being coordinated at a governmental level, with efforts underway to assess the full extent of the impact on port infrastructure.
On the morning of 13/11/2023, DP World Australia said that they would resume operations in a “gradual manner” as the investigation continues. No additional details about a specific threat actor or what systems were impacted have been provided at this time. Statements are still being published about hundreds of containers holding up traffic.
The fact that DP World Australia had to disconnect its systems from the internet suggests a breach with potential for extensive network infiltration, possibly a ransomware attack or the work of an advanced persistent threat (APT), a highly skilled threat actor that may have been planning the attack for some time.
The lack of ransom demands, however, might indicate a different motive such as espionage, disruption, or a state-sponsored attack aiming to destabilize critical infrastructure.
Considering the scale and impact, this could be the work of a sophisticated cybercriminal group or a state-sponsored entity. The choice of target – a major port operator – hints at possible geopolitical motivations, suggesting the involvement of a nation-state actor or an APT group with backing from a nation-state.
China is regarded as Australia’s primary regional competitor in exports. Given its recent history of cyberespionage against many of its neighbors, including the Philippines, Malaysia, Japan, and Singapore, a China-based APT would be a highly plausible culprit. That said, China is not the only nation housing threat actors with these capabilities, and it isn’t the only regional power that would stand to gain from crippling these shipments. In addition, the two nations have recently engaged in talks to improve relations, and a state-sponsored incident like this would be ill-timed.
DP World is no stranger to controversy. In the context of the war between Russia and Ukraine, DP World is considered a “sponsor of war” by the Ukrainian government, as it is one of the most notable logistics companies that did not cease business with Russia in light of the invasion. Alignment with Russia, or even the perception of it, has been the reason many organizations have been targeted by cyberattacks, though admittedly none known to be of this severity.
While the situation at DP World Australia’s ports is still ongoing, it represents the latest example of the vulnerability of global supply chains to the various types of disruption that cybersecurity-related incidents can cause. The lack of clarity regarding the identity and motives of the threat actors means that recommendations for response and mitigation are limited for the time being.
While the possibility of a China-based APT as the perpetrator aligns with the broader context of regional competition and recent cyber espionage activities, the absence of concrete evidence calls for caution against premature attributions. This incident also sheds light on the geopolitical dimensions of cyber warfare, where entities like DP World, which have significant international presence and political connections, can become focal points of cyber conflicts due to their strategic importance and affiliations.