The Australian subsidiary of logistics giant DP World was hit with a major cyber attack that impacted freight movement at several ports, disrupting the flow of goods in Australia and potentially beyond. Following the DP World incident, Cybersixgill detected multiple advertisements for DP World credentials on a popular cybercrime marketplace.
THE HEADLINE
On November 12, 2023, major port operator DP World[1] announced that a “cybersecurity incident” caused disruptions in “terminal operations,” which affected the flow of freight at ports operated by its subsidiary DP World Australia. The company’s official announcement alluded to major repercussions, including the need to “reestablish landside freight operations at its ports” and “retrieve sensitive inbound freight.” DP World also claimed it had not received a ransom demand, but explicitly referenced the company’s cyber insurance,[2] which businesses of all sizes purchase to cover data breaches, cyber attacks, and ransomware incidents, among other threats.
According to news reports, the DP World Australia attack trapped shipments of consumer goods, electronics, and clothing at ports throughout Australia. The company was reportedly forced to shut down systems on the morning of November 12, 2023, which prevented around 30,000 containers from transport. A DP World executive commented to the Australian press that putting a financial value on the goods was difficult because containers could be carrying a variety of items, from “blood plasma that’s worth a million dollars” to “used clothing for export worth $800.”
The attack apparently affected the DP World Australia systems used by trucks to share data with terminals, which prevented vehicles from entering terminals to pick up or deposit containers. This caused a logjam of containers on docks over the weekend, exhausting the vast majority (~90%) of DP World Australia’s storage space. The aforementioned DP World executive cautioned that there could be a “snowball effect” from attack-related delays, which appeared to be a reference to supply chain[3] interruptions.
When supply chain attacks affect logistics and transportation companies, their impact can ripple through multiple industries, geographic locations, and economies. This threat has become more dire in recent years due to digital interconnectivity, which has improved efficiency, but enlarged the attack surface for the freight/logistics industry. Organizations in this industry, such as DP World, remain attractive targets for cybercriminals due to the large volume of data and goods they process.
As a result, these companies are targeted by ransomware attacks, data theft/leakage, initial access brokers, and phishing campaigns. Third-party vendors serving this industry also increase the risk of attack, since a significant portion of these entities have been observed lacking proper security hygiene.
By way of example, satellite telecommunications and logistics giant ORBCOMM[4] was hit with a ransomware attack in September 2023, causing service outages that prevented major trucking companies from managing their fleets. During the ORBCOMM outages, customers were unable to use the company’s products to track inventory enroute to partners. Concurrently, truck drivers reported that they were unable to use ORBCOMM’s Blue Tree[5] logging devices, which track drivers’ hours in compliance with federal safety regulations.
DIVING DEEPER
While investigating the attack on DP World Australia, Cybersixgill observed advertisements on the underground for credentials, which appeared to correspond to multiple portals belonging to the company. These credentials were advertised by threat actors on a popular black market site, where a highly active user advertised multiple logs for a DP World portal.
Additional research indicated that the platform to which the credentials belonged was potentially used to manage IT assets and may have stored sensitive data that could be used for further malicious activities. Similarly alarming was the volume of DP World-related credentials observed for sale on the market during the past year. Indeed, Cybersixgill observed over 90 posts on one site advertising DP World credentials, with some posts including multiple portals related to the company.
According to these advertisements, the DP World credentials were initially harvested using a popular information stealer written in the C programming language. The stealer is advertised on Russian-language cybercrime forums and licensed using the Malware-as-a-Service[6] (MaaS) model. This means that a DP World-related machine was likely compromised and its systems were infected with this stealer malware at some point. Once threat actors gain unauthorized access, they may be able to steal customer data, which could potentially be used for extortion or resold to other threat actors. As such, protecting login credentials is critical to prevent unauthorized access and cyber attacks.
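The monitoring described above boils down to one recurring check: does a credential record advertised on a marketplace point at a portal the organisation actually owns? The script below is an added illustration of that triage step and is not code from the original report or from Cybersixgill. It assumes a `url|username|password` record layout (the columns typical of infostealer log dumps; an assumption here), uses constructed sample records and constructed owned domains, and deliberately never retains the password column. It also handles the edge cases that cause false positives or misses in practice: duplicate records, missing URL schemes, mixed case, and look-alike hosts that merely contain an owned domain as a substring.

```python
"""Triage of advertised credential records against an organisation's own portals.

Added example (not part of the original report). The record format
url|username|password and all sample data below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed: domains the organisation owns. Subdomains of these count as owned.
OWNED_DOMAINS = {"example-logistics.com", "portal-example.net"}

# Constructed sample of marketplace records (password column is discarded on parse).
SAMPLE_LOG = """\
https://assets.example-logistics.com/login|jsmith|hunter2
https://assets.example-logistics.com/login|jsmith|hunter2
EXAMPLE-LOGISTICS.COM/sso|mwong|Summer2023!
https://hr.portal-example.net/|a.lee|pass123
https://example-logistics.com.evil.example/login|jsmith|hunter2
https://notexample-logistics.com/login|bob|pw
https://unrelated.example/login|carol|pw
malformed line without separators
"""


@dataclass(frozen=True, order=True)
class Exposure:
    """One account on an owned portal seen in an advertised record."""
    host: str
    username: str
    source: str


def host_of(url: str) -> str:
    """Return the lower-case hostname of a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to populate .hostname
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def is_owned(host: str) -> bool:
    """True only for an owned domain or a real subdomain of one.

    A label-boundary check ('.' + domain) rejects look-alikes such as
    notexample-logistics.com and example-logistics.com.evil.example.
    """
    return any(host == d or host.endswith("." + d) for d in OWNED_DOMAINS)


def parse_record(line: str) -> Optional[Tuple[str, str]]:
    """Split a url|username|password record; drop the secret, skip malformed lines."""
    parts = line.strip().split("|")
    if len(parts) != 3:
        return None
    url, username, _password = parts  # the secret is never stored
    return url, username


def triage(lines: Iterable[str], source: str) -> List[Exposure]:
    """Return de-duplicated exposures for owned hosts, sorted for stable reporting."""
    found = set()
    for line in lines:
        record = parse_record(line)
        if record is None:
            continue
        url, username = record
        host = host_of(url)
        if host and is_owned(host):
            found.add(Exposure(host=host, username=username, source=source))
    return sorted(found)


def summarize(exposures: Iterable[Exposure]) -> dict:
    """Count exposed accounts per portal host: the view a defender prioritises by."""
    return dict(Counter(e.host for e in exposures))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines(), source="constructed-market-feed")
    for hit in hits:
        print(f"reset + enforce MFA: {hit.username}@{hit.host} (seen in {hit.source})")
    print(summarize(hits))
```

The output of `triage` is the list of accounts to force-reset and re-check for MFA enrolment; `summarize` shows which portal is most exposed, which is the signal that distinguishes a single reused password from a host that has been feeding stealer logs repeatedly.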
In addition to DP World Australia credentials, Cybersixgill also observed a recent cyber attack affecting another Australia-based logistics industry victim. The screenshot below is from the dedicated leak site[7] (DLS) of a ransomware operation claiming it stole financial documents (invoices, receipts, etc.), accounting documents, personal data, employment contracts, and a “huge amount” of unspecified “confidential information” from the victim. The leak of the data suggests the ransomware group was unsuccessful in its attempts to extract a payment from the victim. The type of data that the attacker claimed it stole is valuable for identity theft, financial fraud, and other forms of cybercrime.
Figure 1: A DLS post related to an attack on an Australian logistics company
TAKEAWAYS
The recent attacks on DP World Australia and ORBCOMM, among other transportation/logistics industry victims, demonstrate the ultimate danger of cyber incidents in this sector. In the case of DP World Australia, the attack stranded containers and disrupted the flow of freight, causing outages that likely resulted in supply chain interruptions. In light of the dangers associated with such attacks, all organizations should implement the following security measures and practices to avoid being the target of a data breach:
· Enable multi-factor authentication (MFA) processes to add another layer of security, making it more difficult for cybercriminals to access corporate devices and accounts;
· Create data copies and backups on external servers that are isolated from the business network, and build a dedicated incident response team to work closely with staff and quickly mitigate emerging risks;
· Evaluate the risks of all third-party vendors, contractors and partners that manage data; and
· Monitor assets on the Cybersixgill Investigative Portal for a more proactive detection approach.
[1] Dubai-based DP World operates and manages numerous container terminals and ports around the world, including terminals in Sydney, Melbourne, Brisbane and Perth, which handle around 40% of the goods coming in and out of Australia.
[2] This type of insurance safeguards businesses against financial losses from cyber incidents, such as data breaches, cyber extortion, and other business interruptions. Policies often provide liability protection, reputation management, and regulatory compliance.
[3] Last year, for example, Japan-based auto manufacturer Toyota was forced to interrupt production at 14 of its facilities after one of its primary suppliers suffered a major IT failure.
[4] ORBCOMM provides satellite and cellular-based communication services to remotely track, monitor, and manage assets, vehicles, and equipment. ORBCOMM’s products are used in multiple industries and sectors, including transportation, government, natural resources, supply chain logistics, and warehousing/inventory.
[5] Blue Tree is an ORBCOMM subsidiary that provides transportation management solutions for trucks and trailers in North America, the European Union, United Kingdom, Australia, and New Zealand.
[6] Malware-as-a-service (MaaS) offers malware for sale or rent to cybercriminals of all skill levels, who then use it to launch attacks on targeted systems.
[7] A dedicated leak site (DLS) is a website on which threat actors publish stolen data during ransomware attacks when victims do not pay. This strategy is part of the double extortion technique implemented by cyber criminals to maximize the odds of receiving payment from the victims.