DP World, who manages 40% of the maritime freight in Australia, reported that the company had suspended operation in its port terminals at Sydney, Melbourne, Brisbane, and Fremantle due to a cybersecurity incident. The company responded to the cyber threat by restricting access to its computer systems, practically disconnecting them from the net, leading to operational halt with reports of 30,000 shipping containers being stranded. Due to the extent of impact on the movement of goods to and from Australia, it is being handled as a nationally significant, according to the Australian Cyber Security Coordinator, that also tweeted that operation suspension is likely to remain for a few days:
News agencies also mentioned that while ships can still unload freight at DP World terminals, the freight cannot leave the port site, and the ships are not allowed to leave the port.
Analysis and what does the incident mean for you
Important background facts:
-
Officials say that the system disconnection was only limited to DP World terminals, while other ports and terminals remain fully operational.
-
Ships can unload freight at the affected DP World terminals, but the freight cannot leave the port.
-
It seems that DP World is using SysAid software. Why is this important? DP World is an Emirati multinational logistics company based in Dubai, United Arab Emirates. In March 2023, CL0P – one of the most active ransomware attack groups – listed DP World as their victim, apparently in connection with their Emirati office. Experts say this attack was carried out by exploiting the recently discovered MOVEit vulnerabilities. MOVEit Transfer is a widely used file transfer utility. Recently, Microsoft reported CL0P is suspected to have used a newly found (October 30) SysAid (IT help desk) server vulnerability to infiltrate companies’ networks.
-
It is unclear whether the attack is ransomware or not. There are reports that the company has not yet received a ransomware demand, and while ransomware groups usually list their victims, CLOP did not (yet?) publish DP World as such.
Conclusions and recommendations
-
While the DP World incident in Australia can potentially result in significant damage, it seems isolated to DP World systems.
-
The affected systems seems to be on the enterprise side of the operation and not the ship-terminal side (the Stevedore cannot share data with the trucks that transport the containers). This is also in line with the suspicion of a SysAid exploit.
-
We strongly recommend every shipping company and port take the following precautions:
-
If you’re connected to DP World systems, consult an expert regarding a mitigation action or precautionary measure.
-
If you’re using MOVEit Transfer – immediately patch it to the latest version.
-
If you’re using SysAid – stop its operation and contact SysAid for the latest instructions.
-
Update your router and firewall firmware – there have been recent reports of active exploits of many popular routers and firewalls, including CISCO and Fortinet.
If you have any questions or concerns about this incident, Cydome maritime cyber experts will be happy to assist Cybersecurity Analytics Solutions
** Update from Nov. 13: DP World announced that they have resumed operation, though it does not mean that the incident has concluded and “ongoing remediation work is likely to continue for some time”.
** Update from Nov. 19: reports surface that the attack vector had been using the “CitrixBleed” vulnerability in Citrix Nescaler products. This vulnerability was patched by Citrix on October 10 release but experts suspect that not all devices connected to the DP World network were patched. The same vulnerability is seen in several recent significant breaches, although there is still no evidence of a ransom request or payment involved in the DP World incident. In light of this information, we continue to urge IT managers to patch their routers, firewalls, gateways, virtual platforms etc. to the latest versions that fix many “zero day” vulnerabilities discovered recently.
