Colonial Pipeline CEO Joseph Blount made no apologies for his decisions to abruptly halt fuel distribution for much of the East Coast and pay millions to a criminal gang in Russia as he faced down one of the most disruptive ransomware attacks in U.S. history.Blount said he had no choice, telling senators uneasy with his actions that he feared far worse consequences given the uncertainty the company was confronting as the attack unfolded last month. “I know how critical our pipeline is to the country,” Blount said, “and I put the interests of the country first.”
His testimony to the Senate Homeland Security Committee on the May 7 cyberattack provided a rare window into the dilemma faced by the private sector amid a storm of ransomware attacks in which overseas hackers breach a company’s network and encrypt their data, demanding a ransom to release it back to them.
Georgia-based Colonial Pipeline, which supplies roughly half the fuel consumed on the East Coast, temporarily shut down its operations on May 7 after a gang of criminal hackers known as DarkSide broke into its computer system. The Justice Department has recovered the majority of a multimillion-dollar ransom payment to hackers after a cyberattack that caused the operator of the nation’s largest fuel pipeline to halt its operations last month, officials said Monday.The operation to recover the cryptocurrency from the Russia-based hacker group is the first undertaken by a specialized ransomware task force created by the Biden administration Justice Department, and reflects what US officials say is an increasingly aggressive approach to deal with a ransomware threat that in the last month has targeted critical industries around the world.
“By going after an entire ecosystem that fuels ransomware and digital currency, we will continue to use all of our tools and all of our resources to increase the costs and the consequences of ransomware attacks and other cyber-enabled attacks,” Deputy Attorney General Lisa Monaco said Monday at a news conference announcing the operation.The 63.7 bitcoin ransom — a favored currency of hackers because of the perception that it is more difficult to trace — is currently valued at $2.3 million. “The extortionists will never see this money,” said Stephanie Hinds, the acting US attorney for the Northern District of California, where the seizure warrant was filed.
U.S. authorities tell companies not to pay the ransom, arguing the crooks may not provide the keys to unencrypt the data and that the payments will encourage future attacks and help sustain criminal networks typically based in Russia and Eastern Europe. Blount chose to disregard that advice within the first 24 hours of the attack and paid the equivalent of $4.4 million in bitcoin to retrieve the company’s data. U.S. officials said Monday they had recovered much of the payment.“I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible,” Blount said. “It was the hardest decision I’ve made in my 39 years in the energy industry.”
The company, he said, had to act fast as it worked feverishly to determine whether the criminal gang had compromised the operational systems or physical security of the 5,500-mile pipeline — and to try to avoid a more sustained shutdown.Asked how much worse it would have been if the company hadn’t paid to get its data back, Blount said, “That’s an unknown we probably don’t want to know. And it may be an unknown we probably don’t want to play out in a public forum.”His appearance before the Senate comes as lawmakers consider possible measures to address the ransomware attacks that have been launched against thousands of businesses as well as state and local government agencies.
“We’ve got to recognize these ransomware attacks for what they are. It’s a serious national security threat,” said Sen. Rob Portman, a Republican from Ohio. “Attacks against critical infrastructure are not just attacks on companies. They are attacks on our country itself.”Already, the Justice Department and FBI have established a task force to deal with ransomware with some success, including managing to seize 85% of the bitcoin that Colonial paid as ransom. But many of the criminals behind the attacks are beyond their reach in Russia or other countries that will not extradite suspects to the U.S.The Biden administration has also made ransomware, and cybersecurity more broadly, a national priority in the wake of a series of high-profile intrusions.
Last month, the administration issued new regulations for the pipeline industry, requiring companies to conduct cybersecurity assessments and immediately report any breaches to the federal government. The industry has until now operated under voluntary guidelines.Blount disputed a media report that his company had refused to participate in one of the voluntary assessments, conducted by the Transportation Security Administration, earlier this year, saying it had merely been delayed because of COVID-19 and other issues. “That was quite a shock to me,” he said of the account.
The attack on Colonial Pipeline — which supplies roughly 45% of the fuel consumed on the East Coast — has been attributed to a Russia-based gang of cybercriminals using the DarkSide ransomware variant, one of more than 100 variants the FBI is currently investigating. The attack began after hackers used a company virtual private network that was no longer in active use, Blount said.“The ransomware attack on Colonial Pipeline affected millions of Americans, ” said Sen. Gary Peters, a Michigan Democrat. “The next time an incident like this happens, unfortunately, it could be even worse.”
Blount said the Georgia-based company began negotiating with the hackers on the evening of the May 7 attack and paid a ransom of 75 bitcoin — then valued at roughly $4.4 million — the following day. The hack prompted the company to halt operations before the ransomware could spread to its operating systems.The encryption tool the hackers provided the company in exchange for the payment helped “to some degree” but was not perfect, with Colonial still in the process of fully restoring its systems while working with consultants to assess the damage and improve cybersecurity, Blount said.
It took the company five days to resume pipeline operations. What took place in that time illustrated why they needed to quickly pay the ransom, he told the lawmakers.“We already started to see pandemonium going on in the markets, people doing unsafe things like filling garbage bags full of gasoline or people fist-fighting in line at the fuel pump,” he said. “The concern would be what would happen if it had stretched on beyond that amount of time.”