DOCUMENTING HYBRID WARFARE / — incidents / UPDATED LATEST: 
Sabotage Watch SABOTAGEWATCHHybrid Threat Monitor
Cyber

DP World Australia cyber incident halts port operations

10 November 2023 · Australia
Satellite Imagery © Esri

What happened

On 10 November 2023 the technology team at DP World Australia, the country's largest container terminal operator, detected unauthorised access to its Australian corporate network. To contain the breach the company disconnected its network from the internet, a step that halted land-side operations at its terminals in Sydney, Melbourne, Brisbane and Fremantle. According to DP World Australia, those terminals handle roughly 40 percent of the goods moving in and out of the country, so the shutdown rippled quickly through national supply chains.

Ships could still be unloaded, but the IT outage meant trucks could not collect or deliver containers, stranding cargo on the docks. By DP World Australia's own account, the stoppage backed up about 30,000 containers across the four ports. Australia's National Cyber Security Coordinator, Darren Goldie, described it on social media as a nationally significant cyber incident and co-chaired a national coordination meeting, while noting that DP World could still access sensitive freight, for example in a medical emergency.

DP World Australia recommenced port operations on 13 November 2023, around three days after the systems were taken offline, and said it had cleared the full backlog of 30,137 containers by 20 November 2023. The company later confirmed that no ransomware was found or deployed on its network, that customer data was not affected, but that a small amount of data, including personal information of current and former employees, had been exfiltrated.

Assessment

This was a disruptive intrusion against critical port infrastructure that exposed how a single operator's IT outage can stall a large share of national freight. Attribution was never publicly established. DP World Australia stated it found no ransomware and received no ransom demand, so early framing of the event as a ransomware attack appears unsupported; the actor and motive remain unknown. The pattern, unauthorised access followed by limited data theft, is consistent with criminally motivated activity, but no state attribution was established and any such inference would be speculation.

This dossier summarises open-source reporting and is updated as the investigation develops. Read the original report via the source link.