Colonial Pipeline CEO Joseph Blount said he authorized a ransom payment of $4.4 million in response to a cyberattack on the company’s network earlier this month, according to The Wall Street Journal, which published an interview with the CEO Wednesday.
This is the first public announcement by the company that a ransom had been paid and comes after repeated refusals from the company to discuss the payment, which Blount called “a highly controversial decision.”
“It was the right thing to do for the country,” he told The Wall Street Journal. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.”
CNN reported last week that Colonial Pipeline paid the ransomware group that carried out a crippling cyberattack, two sources familiar with the matter said. The ransomware attack spurred the company to shutdown pipeline operations, causing massive gasoline disruptions in the southeast US.
Colonial employees did not have any direct contact with the threat actor, according to a Colonial spokesperson. It’s unclear who negotiated the payment.
Colonial Pipeline briefed congressional staff on Monday, offering new insight into the timeline of the ransomware attack, but also frustrating lawmakers and staff over the company’s refusal to discuss the ransom and related details.
Democratic Reps. Carolyn Maloney of New York, the chairwoman of the House Oversight and Reform Committee, and Bennie Thompson of Mississippi, the chairman of the Homeland Security Committee, said they were “disappointed that the company refused to share any specific information regarding the reported payment of ransom during today’s briefing.”
“In order for Congress to legislate effectively on ransomware, we need this information,” they added in a statement.
A representative for Colonial told congressional staff that special attention to the ransom would encourage future attacks and therefore did not want to discuss the topic, according to a Hill aide.
The Colonial briefing, which was led by company CIO Marie Mouchet, came a little more than a week after the company first learned of the ransomware attack on May 7, the aide said.
Colonial found out about the cyberattack around 5:30 a.m., prompting a call to FireEye Mandiant, the company hired for the incident response to the hack, according to the aide, followed by a call to the FBI.
The spokesperson for Colonial confirmed that the company discovered the breach on the morning of May 7.
The Cybersecurity and Infrastructure Security Agency received information from Colonial Pipeline shortly after the incident occurred, an agency spokesperson said Wednesday. Subsequent updates were provided principally through the Department of Energy, according to the CISA spokesperson.
Last week, the US government obtained “indicators of compromise” associated with the Colonial Pipeline incident and shared them broadly with critical infrastructure partners and others in the industry, according to the CISA spokesperson.
CISA is working with other federal agencies to continues to identify the appropriate time to release a public version of the information, according to the spokesperson.
Speculation regarding the root cause of the incident is premature, according to the Colonial spokesperson.
Energy Secretary Jennifer Granholm said Wednesday that “there’s no doubt” that the energy sector, like other critical sectors, “needs to continue to do better at defending itself against cyber threats.”
The federal government is taking several steps – such as President Joe Biden’s recent executive order requiring new standards on software used by the government – to try to protect the sprawling energy sector, which is operated by private, not-for-profit, and state and local entities, Granholm said, pointing out that are over 3,000 electricity companies and thousands of others in the oil and natural gas sector.
After the hack, Colonial disconnected laptops “out of an abundance of caution and to contain the threat,” the Colonial spokesperson said, adding that the Office 365 cloud environment was not impacted and remained online.
Employees could still do work within the cloud, according to the Hill aide, and were able to communicate on iPhones and iPads.
Colonial told the Hill that the initial decision to shut off the pipeline was a risk-based decision for the company, the aide said.
“In response to this incident, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems,” the Colonial spokesperson said in a statement Monday. “Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have launched an investigation into the nature and scope of this incident, which is ongoing.”
The FBI previously confirmed that DarkSide ransomware was responsible for the compromise of the Colonial Pipeline networks.
DarkSide operates under a “ransomware-as-a-service” structure, in which developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.”
CNN previously reported that US officials were looking for any possible holes in the hackers’ operational or personal security and monitoring for any leads that might emerge out of the way they move their money.
The “affiliate” in this case was likely Russian, sources familiar with the investigation previously told CNN. One of the sources said the affiliate could be a single individual.
Biden said last week that there is “strong reason to believe” that the criminals who carried out the cyberattack are living in Russia.
As federal cyber investigators continue their probe into the hackers who breached Colonial Pipeline’s defenses, Justice Department and FBI leaders are publicly discussing possible legislation that would make it mandatory for certain private entities to report computer intrusions to the government.
In a presentation on Tuesday at the 2021 RSA Security Conference, Deputy Assistant Attorney General Adam Hickey and FBI Deputy Assistant Director Tonya Ugoretz touted the benefits of such a mandatory reporting requirement, although they stopped short of expressly calling for such a bill, noting the Biden administration has not yet publicly weighed in on the issue.
Hickey and Ugoretz explained that a mandatory reporting law would allow federal investigators to more rapidly work to identify threat actors, and also notify other potential victims around the country that their systems could also be vulnerable.
While victim companies like SolarWinds have come forward to notify federal law enforcement of cyber attacks, Ugoretz noted, “We can’t count on that happening in all cases. And so, I think that really has highlighted for many the need for this type of national data breach reporting.”
Ugoretz said possible mandatory reporting legislation could be narrowly focused on key industries. “What we’re most concerned about from the federal perspective are incidents where there’s a national security or public safety concern.”
Hickey highlighted two different solutions being discussed in cybersecurity circles, which could help identify threats and limit their impact. One idea is to empower the US intelligence community to “monitor” private cyber networks for nefarious activity by hackers. But Hickey said a mandatory reporting law could serve as an alternative to snooping by intelligence agencies, and leave private industries to scan their own systems and report intrusions to law enforcement.
“If you don’t like warrantless surveillance,” Hickey said, “I’ve got a bill you might like.”
Granholm appeared open to legislation that would require minimum standards for critical energy infrastructure companies.
“I think we are inadequate on it,” she said when pressed on minimum standards during a House Committee on Energy and Commerce hearing Wednesday.
She said the Colonial Pipeline incident was “potentially” an example of that inadequacy but wasn’t “100% sure” it would have helped in this case.
“But I do know that having good cyber hygiene on the private side, as well as on the public side, is a critical basic defense. And for entities that provide service to the public like that, especially critical services like energy, I think it’s an important consideration for this committee, for sure,” she said.
This story has been updated with additional reporting Wednesday.
CNN’s Josh Campbell, Zachary Cohen, Evan Perez and Natasha Bertrand contributed to this story.