Colonial Pipeline paid a $5 million ransom the day after the cyberattack, the CEO tells the Senate
Joseph Blount Jr., President and Chief Executive Officer of Colonial Pipeline, is sworn in at a hearing investigating threats to critical infrastructure.
Andrew Caballero-Reynolds | Reuters
WASHINGTON – Colonial Pipeline's CEO told a Senate committee Tuesday that the company paid a $5 million ransom one day after cybercriminals based in Russia breached its IT network, an attack that crippled fuel shipments along the East Coast.
Joseph Blount Jr. said in prepared remarks to the Senate Homeland Security and Governmental Affairs Committee that the company learned of the attack shortly before 5:00 a.m. on May 7, when an employee discovered a ransom note on a system on the IT network.
The note said the hackers had "exfiltrated" material from the company's shared internal drive and demanded approximately $5 million in exchange for the files.
The company was attacked with ransomware developed by DarkSide, a cybercriminal group believed to operate out of Russia.
Blount said that shortly after the ransom note was discovered, the employee notified a manager and a decision was made to shut down the entire pipeline immediately.
"At around 5:55 a.m., employees began shutting down," Blount wrote. "At 6:10 a.m., they confirmed that all 5,500 miles of pipelines had been shut down."
The decision to shut down the entire pipeline was driven by "the need to isolate and contain the attack to ensure the malware did not spread to the Operational Technology network that controls our pipeline operations, if it had not already happened."
The shutdown caused significant disruption to fuel delivery along the East Coast, as trucks struggled to resupply gas stations and long lines formed at the pumps, especially in the Southeast. Flight operations were also disrupted.
Blount's testimony revealed how quickly the company decided to shut down and provided new details on the first few days after the attack.
The company believes the attackers "exploited an older virtual private network profile that shouldn't be used," Blount told senators.
He acknowledged, however, that the account was not protected by multifactor authentication, which is now the company's standard across most of its operations. Blount said the password was nonetheless complex: "It was not a 'Colonial 123' password."
Blount also testified about the roughly $5 million ransom the company paid to the DarkSide hackers, revealing that Colonial Pipeline paid it the day after the attack.
"I decided that Colonial Pipeline would pay the ransom to give us every tool we need to get the pipeline up and running quickly," Blount said in his opening statement. "It was one of the toughest decisions I had to make in my life."
"I was keeping this information very well at the time because we were concerned about operational security and minimizing the public sphere for the threat actor," he said.
When asked whether paying the ransom complied with US sanctions, Blount said the company reviewed the sanctions list maintained by the Office of Foreign Assets Control before paying.
The day before Blount's testimony, US law enforcement officials announced they had recovered $2.3 million worth of bitcoin from the hacking group.
Blount also told the senators that the company contacted the FBI within hours of discovering the attack.
This story will be updated during the Senate hearing.