Colonial Pipeline Company’s president and CEO told a Congressional hearing today that the company is in the midst of an ongoing review of last month’s ransomware attack, and he relayed the timeline of events that led to the company paying a ransom and its communication with law enforcement.
Joseph Blount told the Senate Committee on Homeland Security and Governmental Affairs one of his first calls after discovering the attack was to the FBI, who said it would set up a call for later in the day with the company and Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Blount also explained the rationale behind paying a reported $4.4 million in ransom the day after discovering the attack. Earlier this week the Department of Justice (DoJ) announced it had recovered a portion of that ransom from a cryptocurrency wallet linked to ransomware group Darkside.
“Our engagement with those Federal authorities helped us achieve meaningful milestones in our response process to address the attack and restore pipeline operations as quickly as possible,” Blount said in prepared testimony. “In particular, we are appreciative for the cooperative way that Federal agencies worked with us. Their focused collaboration made it easier to restart the pipelines and improved the speed with which we could transport fuels to their destinations.”
Blount noted that in addition to CISA and the FBI, Colonial Pipeline also put out calls to the Department of Energy (DOE) and the Federal Energy Regulatory Council (FERC). Blount credits this collaboration with the government from the beginning as one of the reasons DoJ was able to recover 63.7 of the 75 bitcoins Colonial paid in ransom. Worth over $4 million at the time of the ransom, the recovered bitcoins are now valued at around $2.3 million because of market fluctuation.
The ransomware attack caused Colonial Pipeline, which Blount estimates supplies around 45 percent of all gasoline along the east coast, or approximately 100 million gallons of fuel a day, to shut down operations immediately. It is Colonial Pipeline’s role as a critical supplier of gasoline on the coast that led Blount to make the call to both shut down operations and pay the ransom on May 8, a day after the attack was discovered. That shutdown led to panic buying of gasoline along the coast and a subsequent gas shortage.
Blount noted the forensic investigation into what happened is still ongoing, but it appears the attackers gained entry to the system through a virtual private network (VPN) profile that was not supposed to be in use. Blount also expressed support for the new Transportation Security Administration (TSA) directive requiring critical pipeline owners and operators to disclose cyberattacks and have a cybersecurity coordinator.
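A VPN profile that is still enabled but no longer supposed to be in use is something a defender can look for directly in authentication logs. The following is an added example, not code from Colonial Pipeline or the hearing: it runs three checks over a constructed VPN authentication log (profiles idle past a threshold, profiles absent from a hypothetical inventory of approved profiles, and logins that revive a profile after a long idle gap).

```python
from datetime import datetime, timedelta

# Constructed sample VPN authentication log: timestamp, profile, result, source address.
SAMPLE_LOG = """\
2021-04-01T08:02:11Z alice success 203.0.113.10
2021-04-01T08:05:40Z bob success 203.0.113.11
2021-04-02T09:14:02Z legacy-vendor success 198.51.100.7
2021-04-20T07:55:19Z alice success 203.0.113.10
2021-04-28T10:40:03Z bob success 203.0.113.11
2021-05-05T18:31:45Z bob failure 203.0.113.11
2021-05-06T03:12:58Z legacy-vendor success 192.0.2.44
"""
ACTIVE_PROFILES = {"alice", "bob"}  # hypothetical inventory of profiles meant to be in use
DORMANT_AFTER = timedelta(days=30)


def ts(s):
    """Parse the log's UTC timestamp format."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def parse_log(text):
    """Parse log lines into (timestamp, profile, result, source) tuples, oldest first."""
    return sorted((ts(t), p, r, src) for t, p, r, src in (l.split() for l in text.splitlines()))

def dormant_profiles(events, as_of, dormant_after=DORMANT_AFTER):
    """Profiles whose last successful login on or before as_of (ISO string) is older than dormant_after."""
    cutoff, last_ok = ts(as_of), {}
    for t, profile, result, _ in events:
        if result == "success" and t <= cutoff:
            last_ok[profile] = max(t, last_ok.get(profile, t))
    return sorted(p for p, t in last_ok.items() if cutoff - t > dormant_after)

def unexpected_profiles(events, inventory):
    """Profiles with a successful login that are not in the approved inventory."""
    return sorted({p for _, p, r, _ in events if r == "success" and p not in inventory})

def reactivation_alerts(events, dormant_after=DORMANT_AFTER):
    """Successful logins on a profile idle longer than dormant_after; events must be chronological.
    Returns one (profile, timestamp, source, idle_days) tuple per alert."""
    last_ok, alerts = {}, []
    for t, profile, result, src in events:
        if result != "success":
            continue  # failed attempts do not reset the idle clock
        prev = last_ok.get(profile)
        if prev is not None and t - prev > dormant_after:
            alerts.append((profile, t, src, (t - prev).days))
        last_ok[profile] = t
    return alerts
```

In the sample data, `legacy-vendor` is flagged by all three checks: idle for over 30 days as of May 5, missing from the inventory, and revived on May 6 from a new source address.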
“We are further hardening our cyber defenses,” Blount said. “We have rebuilt and restored our critical IT systems, and are continuing to enhance our safeguards, but we are not where I want us to be. If our CIO needs resources, she will get them. We have also brought in several of the world’s leading experts to help us fully understand what happened and how we can continue in partnership with you to add defenses and resiliency to our networks.”