Widely Exploited Vulnerability Likely Cause of DP World Australia’s Attack

DP World Australia container terminal
DP World suspended operations for a weekend in what is now thought to be part of an accelerating attack on Citrix software (file photo)

Published Nov 21, 2023 5:58 PM by The Maritime Executive


A broadly known cyber vulnerability that was publicly reported in mid-October is now being identified as the likely cause of the attack on the computer network of DP Australia servicing four terminals and 40 percent of cargo activity in the country. The company resumed operations after having suspended operations over a weekend while saying that it was continuing to investigate the outage, but the Maritime Union of Australia is now seeking to leverage the outage in its current labor dispute with the company.

The union issued a statement yesterday, November 20, identifying a vulnerability in Citrix software as the likely culprit in the outage. DP World Australia reported the cyberattack on November 10 and resumed operations on November 13. Cyber experts said the company had taken the right steps quickly shutting down its network access to the Internet to stop the attack and regain security on its systems. The company has repeatedly said it did not receive a ransom demand.

Citrix a month early on October 10 publicly acknowledged what has now become known in the cyber community as the “Citrix Bleed bug.” The company at the time said a patch was being made available and that it was not aware of anyone exploiting the vulnerability. However, Bloomberg reported that cyber security firms have traced the first attacks using this flaw back to August while citing reports that hackers “have accelerated their exploitation of the bug.”

The U.S.’s Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and Australia’s security center today, November 21, issued a Cybersecurity Advisory warning that malicious actors are using the vulnerability to harvest credentials and access data and resources. They warned that the notorious Russian hacker group LockBit 3.0 is now thought to be exploiting the vulnerability. The security agencies are urging companies to use the patches and to take steps to address the issue.

Australia’s Maritime Union is using the recent incident as part of the ongoing dispute over pay and work conditions. The union has also implemented work bans and is using rolling 24-hour work stoppages at the ports while it remains deadlocked in contract negotiations. Shippers and carriers however report the actions are creating significant delays and backlogs at Australia’s main ports.

The union is now calling for Australia’s Minister for Home Affairs, Claire O’Neill, to launch a government investigation into the cyberattack. The NMU is asserting that the incident was “completely avoidable,” asserting that the company never applied the patches made available by Citrix. CISA reports that many organizations are still in the process of applying the patches warning that companies should isolate the vulnerable Citrix programs until they have applied necessary software updates.

In its statement, the union also complains that employees have not been briefed on the extent of the attack and if any of their personal information was exposed. DP World Australia has previously said it believed some data was accessed and that it was continuing to investigate the scope of the breach.