“We will provide further updates as they become available.”
DP World had not patched a vulnerability in one of its IT systems that Russian hackers were exploiting before it detected the intrusion last Friday, according to screenshots seen by The Australian Financial Review.
In response to the breach, the company shut down its systems, resulting in about 40 per cent of the country’s import and export capacity being crippled because trucks could not collect containers from DP World facilities. It has since restarted operations.
Cybersecurity Minister Clare O’Neil and the Australian Cyber Security Centre have warned businesses to urgently update Citrix systems that are being exploited on an industrial scale by the Russian cybercrime group LockBit and its affiliates.
Vaughan Shanks, the chief executive of Australian cybersecurity software company Cydarm, said LockBit had found a vulnerability in a system called Citrix NetScaler, which companies use to deploy applications online. LockBit, which makes ransomware that it then sells to other criminal groups, had then scoured the internet to find unpatched systems.
“That’s what we’ve seen with Boeing, there was DP World and ICBC,” Dr Shanks said.
Dr Shanks said it was impossible to be certain the hack was caused by the Citrix vulnerability until confirmed by DP World or the government, but said it was the leading explanation.
Aerospace company Boeing and the Industrial and Commercial Bank of China, which is the largest lender in that country, were both recently hit with ransomware attacks from LockBit affiliates using the Citrix issue.
A screenshot of DP World’s Citrix system, which is widely used by large companies, shows it was online and unpatched in the days before the hack.
The image, taken by security researcher Kevin Beaumont, was posted on November 11 and dated November 6.
The most recent version of the threat that is being exploited by LockBit was found in October. DP World’s NetScaler system is now offline, Mr Beaumont said.
The company declined to comment directly on the explanation for the hack, instead referring to previous remarks by its chief executive saying the company is continuing to investigate.
Ms O’Neil said on October 30, less than two weeks before the DP World incident, that businesses were not powerless to stop hacks.
“The vast majority of cyberattacks are completely preventable, if you take pretty straightforward steps,” she said. “Regular patching is one of them.”
Dr Shanks said the DP World situation had similarities with Optus’ outage last week in that both occurred at foreign-owned firms that control critical Australian infrastructure. “It raises questions about sovereignty,” he said.
DP World slowly reopened its terminals to trucks on Monday and has so far moved 8000 of the 30,000 containers that were stranded due to the shutdown.
However, its operations still face significant disruption due to ongoing stoppages and work bans by the Maritime Union of Australia.
MUA national assistant secretary Adrian Evans said so far wharfies had not been given an update by management about the cyberattack and its impacts.
“The workforce has been left completely in the dark and has been learning about the extent of the security breach and the company’s responses to it from the union and the media instead of directly from their own employer,” he said.