Just days after a major ports company was forced to shut down operations due to a cyber-attack, the Australian Signals Directorate has issued a strong warning that Australia’s critical infrastructure is under regular targeted and opportunistic cyber attack.
DP World Australia, the country’s biggest ports operator, closed its Sydney, Melbourne, Brisbane and Fremantle port operations after detecting unauthorised access on its network on Friday.
The company shut off its internet connection to stop the unauthorised access, meaning operations at those ports had to stop. Cargo and containers were stuck on the docks until Monday, when DP World was able to restore shipping operations.
In its annual cyber threat report released on Wednesday, ASD revealed that in the last financial year the agency responded to 143 incidents at critical infrastructure entities such as ports, up from 95 incidents in the previous year.
The vast majority of the reports related to low-level attacks or isolated issues, such as compromised accounts or credentials.
ASD said critical infrastructure tends to have a broad attack surface, remote access, connected systems and third parties, which make it of interest to malicious actors.
“Even when [operational technology] is not directly targeted, attacks on connected corporate networks can disrupt the operation of critical infrastructure providers.”
Infrastructure entities are targeted by both opportunistic cyber criminals and state actors, ASD said. And some state actors “are willing to use cyber capabilities to destabilise and disrupt systems and infrastructure”.
ASD said such critical entities should err on the side of caution and report anomalous activity early.
Air Marshal Darren Goldie, Australia’s cybersecurity coordinator, told Guardian Australia on Monday that in DP World’s case the quick return of operations showed the company had “a solid security plan in place”.
“I’ve seen a highly effective response from the company – quick engagement of a commercial service provider and frequent and very transparent engagement with the commonwealth.”
He said the company had not received a ransom demand after detecting the activity, and there has been no determination as to who might have been behind the attack.
“We’re seeing ransomware actors going wherever they can find trade, and by definition our ports move a lot of material. There’s a lot of money involved with the movement of cargo, so to them it would be seen as rich pickings.
“I have absolutely no information on that at all but I would say the criminal groups are moving from sector to sector to wherever they can find a vulnerability and are not being discriminate.”
Goldie was involved in a 16-week government response to the ransomware attack on the law firm HWL Ebsworth, which resulted in terabytes of client documents – including from 65 government agencies – being posted on the dark web. He is preparing a short public report on the attack to be published by the end of this year.
Overall in the last financial year, ASD responded to 1,100 cybersecurity incidents, 10% of which were ransomware attacks. The agency informed 158 entities of ransomware activity on their networks.