Major disruption to Australian port network following cyberattack

What we know

On Friday 10 November, global logistics giant DP World were forced to ‘pull the plug’ on Internet access across its four main Australian ports - Sydney, Melbourne, Brisbane and Fremantle - after unauthorised access was detected on its network.

The incident, which rendered critical operational technology (OT) systems inoperable, halted port operations for several days and led to an initial 30,000 container backlog across the country.

The Australian government and National Cyber Security Centre (ACSC) have supported the organisation in coordinating both its operational and technical response to minimise disruption to national supply chains, with the ports handling ~40% of Australia’s imports and exports.

Why it matters

DP World has been praised for its swift response to the incident and for isolating its operations network in Australia, with the aim of interrupting the attackers kill chain and minimising their ability to move laterally across DP World’s global logistics network.

However, security experts believe that attackers may have gained access to DP World’s systems and exfiltrated data by exploiting an unpatched vulnerability in Citrix’s NetScaler hardware platform. The CitrixBleed exploit, classified as ‘critical’ by the ACSC, has been linked to several recent high-profile data breaches since its discovery in July.

Following the release of a patch by Citrix on 10 October, investigative work will now be underway to ascertain both the scale of the breach and the length of time attackers may have had access to the network for reconnaissance purposes.

Such an incident is yet another timely reminder for organisations to stay abreast of latest threat intelligence and ensure that critical vulnerabilities are appropriately managed and patched.