Colonial Pipeline CEO tells Senate decision to pay hackers was made quickly

The company paid $4.4 million the day after the hack was discovered.

Andrew Morse, former executive editor
Andrew Morse is a veteran reporter and editor. Before joining CNET, he worked at The Wall Street Journal, Reuters and Bloomberg, among other publications.
Image: Fuel tanks at Colonial Pipeline's Baltimore Delivery facility in Baltimore. Colonial Pipeline was the target of a ransomware attack that forced it to shut down operations. (Jim Watson/Getty Images)

Colonial Pipeline CEO Joseph Blount said Tuesday that his company paid hackers a $4.4 million ransom a day after discovering malware on its systems in early May. The company also hired outside consultants to handle negotiations with the hackers, who were paid in the bitcoin cryptocurrency.

Blount, who was testifying before the Senate Committee on Homeland Security and Governmental Affairs, said the decision to pay the ransom on May 8 was made by the company itself. Federal authorities, however, were notified of the hack within hours of its discovery. 

"I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible," Blount said. "I kept the information closely held because we were concerned about operational safety and security, and we wanted to stay focused on getting the pipeline back up and running."

The testimony comes a day after the FBI said it had recovered millions of dollars in bitcoin paid to the Darkside ransomware gang, which attacked the pipeline last month, prompting a shutdown of the East Coast's main fuel-supply artery. The stoppage led to gasoline hoarding and soaring prices as motorists filled tanks amid uncertainty about supplies.

On Monday, the DOJ said it seized 63.7 bitcoins valued at a total of about $2.3 million, part of the ransom demanded by Darkside. The criminal enterprise, which has since said it disbanded, is thought to be based in Russia.

The hack prompted the government to issue new cybersecurity regulations for pipeline operators. The new security directive, issued by the DHS Transportation Security Administration, requires critical pipeline companies to report confirmed and potential cyberattacks to the US Cybersecurity and Infrastructure Security Agency. The directive also requires pipeline companies to review their current security practices to identify any risks or gaps. Companies must report the results of these reviews to the TSA and CISA within 30 days.


Colonial Pipeline didn't notify CISA of the hack, which occurred before the new regulations were issued, because it was already in contact with other federal authorities, Blount testified.

Colonial closed pipeline operations on May 7, when a ransomware infection was found on its computer systems. The shutdown affected the supply of gas in parts of the East Coast, with some people waiting an hour or more at filling stations or failing to find gas at all. The pipeline restarted operations on May 13 and returned to full capacity on May 17.

The ransomware infection at Colonial highlighted the vulnerability of the country's critical infrastructure, which has been the target of an increasing number of cyberattacks. Cities, schools and hospitals have all been hit by cybercriminals, who scramble a victim's computers and then extort a payment to decrypt them.

On May 12, US President Joe Biden issued an executive order aimed at strengthening US cybersecurity. The wide-ranging order includes the creation of a Cyber Safety Review Board that'll convene after major incidents. Members of the Defense and Justice departments, several security agencies and private sector specialists will be on the board.

Here's what you need to know about the hack.

What happened?

Colonial Pipeline was hit with a ransomware attack. Bloomberg reported that hackers began the attack on May 6 by stealing about 100 gigabytes of data in a double extortion scheme, which holds the data hostage and threatens to leak it. After discovering the malicious software, the company shut down some of its operations to prevent the malware from spreading.

What's a ransomware attack?

Hackers use ransomware -- a type of malware -- to scramble a company's computer data and hold it hostage until a ransom is paid. Sometimes they employ a double extortion scheme by pilfering data and threatening to publish it.

What was Colonial's immediate response?

The company, which operates pipelines for gasoline, jet fuel and other refined petroleum products, halted pipeline operations after discovering the hack. Colonial said it "proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations, and affected some of our IT systems."

Blount, the Colonial Pipeline CEO, later confirmed that he authorized a $4.4 million ransom payment to hackers in order to get the critical energy artery operating after it was closed. In a Wall Street Journal article published May 19, Blount acknowledged the decision was "controversial" but said it was in the country's best interest to get the pipeline running again. The company paid about 75 bitcoin in exchange for decryption software, The Journal reported. 

The executive reiterated some of those points in his Senate testimony.

"I made the decision to pay and I made the decision to keep the information about the payment as confidential as possible," Blount said, calling the decision the hardest he's had to make in 39 years in the energy industry.

Colonial services seven airports and operates in 14 states. Its system is the biggest in the US, the company says, covering more than 5,500 miles. A legend on company tanks featured on its website reads: "America's Energy Lifeline."

Who was behind the attack?

The FBI blamed Darkside, a ransomware group, for the attack. The law enforcement agency said it was notified of the hack on May 7 and investigated alongside the company and other government agencies.

As of May 14, Darkside appeared to have disbanded, according to The Wall Street Journal, which reported that the group told associates it had lost access to the infrastructure it needs for its activities. The group said law enforcement actions had prompted its decision, according to the Journal. 

Cybereason, a security company based in Boston, wrote that Darkside focuses on targets in English-speaking countries and avoids operations in "former Soviet bloc nations." In other words, Russia likely allows Darkside to operate without interference.

"We do not believe the Russian government was involved in this attack, but we do have strong reason to believe the criminals who did this attack are living in Russia," Biden said, according to The New York Times. "We have been in direct communication with Moscow about the imperative for responsible countries to take action against these ransomware networks."  

How prevalent are ransomware attacks?

Pretty common. City governments around the US, including Baltimore's and Atlanta's, have been slammed by ransomware attacks. Transit systems, including San Francisco's Muni and the Steamship Authority of Massachusetts, have been victims. Ireland's health service was attacked. In one case in Germany, a patient died because she had to be taken to a hospital nearly 20 miles away from her initial destination, which was dealing with a cyberattack.

Law enforcement discourages the ransom payments, but victims often pay to recover their data. Two cities in Florida -- Lake City and Riviera Beach -- together paid more than $1 million to unfreeze their systems. 


Correction, May 13, 8:44 a.m. PT: Fixes spelling of Cybereason.