Cyber Incident Victim: Port of Melbourne Corporation
Date:
Nov 2023
Location:
Australia
Summary
A cybersecurity breach disrupted operations at a major Australian port operator managing terminals in Sydney, Melbourne, Brisbane, and Fremantle, prompting immediate closures and an ongoing Australian Federal Police investigation. The incident restricted landside access, halting truck movements and impacting the flow of goods nationally, though ship movements remained unaffected. The government activated its national crisis coordination framework to manage the disruption, expected to persist for several days, with technical assistance provided by the Australian Cyber Security Centre. An expert suggested the attackers likely sought ransom leverage by targeting critical infrastructure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On November 10, 2023, DP World Australia detected a cybersecurity incident affecting its container terminals in Sydney, Melbourne, Brisbane, and Fremantle, leading to the immediate closure of landside operations that same night. The Australian Federal Police initiated an investigation into the breach, while DP World restricted landside access to its Australian port facilities to contain the incident and protect employees, customers, and networks. The Australian government activated the National Coordination Mechanism (NCM) at approximately noon on November 11, invoking the crisis management framework previously used during the COVID-19 pandemic and other national emergencies. Home Affairs Minister Clare O’Neil confirmed the NCM’s activation to coordinate federal, state, and territory agencies alongside industry stakeholders. National Cyber Security Coordinator Air Marshal Darren Goldiem co-chaired the NCM meeting, warning that operational disruptions would likely persist for several days, impacting the movement of goods into and out of Australia. The Australian Signals Directorate’s Australian Cyber Security Centre provided technical advice and assistance to DP World, while the company conducted internal investigations to assess system and data impacts.
Fremantle Ports clarified that while DP World’s landside operations—specifically truck access to its laydown area—were disrupted, ship loading and unloading continued unaffected, with Patrick stevedoring operations at Fremantle remaining fully operational. DP World’s restrictions halted the flow of imports and exports via trucks at its terminals, though maritime activities proceeded normally across all locations. Nigel Phair, Director of the University of NSW Institute for Cyber Security, publicly speculated that the incident likely involved a ransom demand, suggesting recovery could take weeks if unpaid, though no official confirmation of ransomware or extortion attempts was provided by authorities or DP World. The NCM, established in 2018 and previously deployed during the Medibank data breach and natural disasters, scheduled a follow-up meeting for November 12 to continue coordinating the response. DP World maintained ongoing engagement with government agencies to evaluate port-specific operational impacts, with no public disclosure of attacker methodologies, data compromise, or restoration timelines beyond the initial multi-day disruption estimate.