Australia’s biggest ports operator is slowly coming back online after a cyber attack halted its operations across multiple states over the weekend.

DP World Australia, which operates almost 40 per cent of goods flowing in and out of Australia, first detected the cyber incident on Friday after discovering unauthorised access in its systems.

To stop any ongoing unauthorised access to its network, the company made the decision to disconnect its systems from the internet.

While this did address the immediate threat, it also had a double-edged effect of hampering some key systems which are essential to operations in multiple Australian ports.

As the company performed remedial actions to address the attack, its Sydney, Melbourne and Brisbane port operations were closed, leaving cargo idle on the docks from Friday to 9AM Monday morning.

On Sunday, DP World said it was testing key systems which are crucial for the resumption of regular freight movement – after those tests succeeded overnight, the company was able to finally resume operations at ports across Australia.    

“The company expects that approximately 5,000 containers will move out of the four Australian terminals today,” said DP World in a statement.

“The ongoing investigation and response to protect networks and systems may cause some necessary, temporary disruptions to their services in the coming days.

“Importantly, the resumption of port operations does not mean that this incident has concluded.

“DP World Australia’s investigations and ongoing remediation work are likely to continue for some time.”         

Government steps in

The Australian government has been helping to coordinate a response to the incident, working closely with the company to resume operations in a timely manner and avoid potential supply shortages in the lead-up to the holiday season.

As part of its response, Minister for Cyber Security Clare O’Neil said the government has activated the National Coordination Mechanism (NCM) – a national crisis management framework which was used during the COVID-19 pandemic and as part of the response to the landmark 2022 data breach at health insurer Medibank.

The NCM – which brings together representatives of both government and non-government organisations to coordinate, communicate and collaborate during responses to crises – is being used to address the situation alongside backing from The Australian Signals Directorate's Australian Cyber Security Centre (ACSC), which is providing further technical advice and assistance.

National Cyber Security Coordinator Darren Goldie, who co-chaired the initial National Coordination Mechanism meeting on Saturday, said although port operations have now resumed, the incident is not concluded.

Who did this?                              

DP World said it has not received any form of ransom threat or communication from the criminal(s) behind the incident.

The Australian Federal Police has launched an investigation into the attack, although Goldie emphasised the current priorities are incident-resolution and restoring operations.

“While I understand there is interest in determining who may be responsible for the cyber incident, our primary focus at this time remains on resolving the incident and supporting DP World to restore their operations,” said Goldie.

O’Neil described the incident as “serious” and said managing cyber incidents of its kind is “incredibly complex”.

“This incident is a reminder of the serious risk that cyber attacks pose to our country, and to vital infrastructure we all rely on,” said O’Neil.

DP World Australia said a key line of inquiry in its ongoing investigations is “the nature of data access and data theft”, as it works to assess whether any personal information has been impacted.

The company has engaged the Office of the Australian Information Commissioner (OAIC).