A pipeline company CEO on Tuesday defended his decisions to abruptly halt fuel distribution for much of the East Coast and pay millions to a criminal gang in Russia as he faced down one of the most disruptive ransomware attacks in U.S. history.
Colonial Pipeline CEO Joseph Blount said he had no choice, telling senators uneasy with his actions that he feared far worse consequences given the uncertainty the company was confronting as the attack unfolded last month.
“I know how critical our pipeline is to the country,” Blount said, “and I put the interests of the country first.”
His testimony to the Senate Homeland Security Committee on the May 7 cyberattack provided a rare window into the dilemma faced by the private sector amid a storm of ransomware attacks in which overseas hackers breach a company’s network and encrypt their data, demanding a ransom to release it back to them.
U.S. authorities tell companies not to pay the ransom, arguing the crooks may not provide the keys to unencrypt the data and that the payments will encourage future attacks and help sustain criminal networks typically based in Russia and Eastern Europe. Blount chose to disregard that advice within the first 24 hours of the attack and paid the equivalent of $4.4 million in bitcoin to retrieve the company’s data. U.S. officials said Monday they had recovered much of the payment.
“I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible,” Blount said. “It was the hardest decision I’ve made in my 39 years in the energy industry.”
The company, he said, was “deeply sorry” for the effect of the shutdown but had to act fast as it worked feverishly to determine whether the criminal gang had compromised the operational systems or physical security of the 5,500-mile pipeline — and to try to avoid a more sustained shutdown.
Asked how much worse it would have been if the company hadn’t paid to get its data back, Blount said, “That’s an unknown we probably don’t want to know. And it may be an unknown we probably don’t want to play out in a public forum.”
His appearance before the Senate comes as lawmakers consider possible measures to address the ransomware attacks that have been launched against thousands of businesses as well as state and local government agencies.
“We’ve got to recognize these ransomware attacks for what they are. It’s a serious national security threat,” said Sen. Rob Portman, a Republican from Ohio. “Attacks against critical infrastructure are not just attacks on companies. They are attacks on our country itself.”
Already, the Justice Department and FBI have established a task force to deal with ransomware with some success, including managing to seize 85% of the bitcoin that Colonial paid as ransom. But many of the criminals behind the attacks are beyond their reach in Russia or other countries that will not extradite suspects to the U.S.
The Biden administration has also made ransomware, and cybersecurity more broadly, a national priority in the wake of a series of high-profile intrusions.
Last month, the administration issued new regulations for the pipeline industry, requiring companies to conduct cybersecurity assessments and immediately report any breaches to the federal government. The industry has until now operated under voluntary guidelines.
Blount disputed a media report that his company had refused to participate in one of the voluntary assessments, conducted by the Transportation Security Administration, earlier this year, saying it had merely been delayed because of COVID-19 and other issues. “That was quite a shock to me,” he said of the account.
The attack on Colonial Pipeline — which supplies roughly 45% of the fuel consumed on the East Coast — has been attributed to a Russia-based gang of cybercriminals using the DarkSide ransomware variant, one of more than 100 variants the FBI is currently investigating.
It began after hackers accessed the company’s IT system through a virtual private network that was no longer in active use. Blount said it only required a “complicated” password to gain entry rather than multi-factor authentication, which provides additional security and is now required at Colonial.
“The ransomware attack on Colonial Pipeline affected millions of Americans, ” said Sen. Gary Peters, a Michigan Democrat. “The next time an incident like this happens, unfortunately, it could be even worse.”
Blount said the Georgia-based company began negotiating with the hackers on the evening of the May 7 attack and paid a ransom of 75 bitcoin — then valued at roughly $4.4 million — the following day. The hack prompted the company to halt operations before the ransomware could spread to its operating systems.
The encryption tool the hackers provided the company in exchange for the payment helped “to some degree” but was not perfect, with Colonial still in the process of fully restoring its systems while working with consultants to assess the damage and improve cybersecurity, Blount said.
It took the company five days to resume pipeline operations. What took place in that time illustrated why they needed to quickly pay the ransom, he told the lawmakers.
“We already started to see pandemonium going on in the markets, people doing unsafe things like filling garbage bags full of gasoline or people fist-fighting in line at the fuel pump,” he said. “The concern would be what would happen if it had stretched on beyond that amount of time.”