Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom

San Francisco CA

The operator of the Colonial Pipeline learned it was in trouble at daybreak on May 7, when an employee found a ransom note from hackers on a control-room computer. By that night, the company’s chief executive officer came to a difficult conclusion: He had to pay.

Joseph Blount, CEO of Colonial Pipeline Co., told The Wall Street Journal that he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems, and consequently, how long it would take to bring the pipeline back.

Mr. Blount acknowledged publicly for the first time that the company had paid the ransom, saying it was an option he felt he had to exercise, given the stakes involved in a shutdown of such critical energy infrastructure. The Colonial Pipeline provides roughly 45% of the fuel for the East Coast, according to the company.

“I know that’s a highly controversial decision,” Mr. Blount said in his first public remarks since the crippling hack. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.”

“But it was the right thing to do for the country,” he added.

Joseph Blount, the Colonial Pipeline CEO, said the cyberattack would ultimately cost the company tens of millions of dollars.

In return for the payment—made in the form of bitcoin, about 75 in all, according to a person familiar with the matter—the company received a decryption tool to unlock the systems that hackers penetrated. While it proved to be of some use, it ultimately wasn’t enough to immediately restore the pipeline’s systems, the person said.

The pipeline, which transports gasoline, diesel, jet fuel and other refined products from the Gulf Coast to Linden, N.J., wound up being shut down for six days. The stoppage spurred a run on gasoline along parts of the East Coast that pushed prices to the highest levels in more than 6½ years and left thousands of gas stations without fuel.
East Coast stockpiles of gasoline dropped by about 4.6 million barrels last week, the steepest weekly drop since late February, Energy Department data showed.

For years, the Federal Bureau of Investigation has advised companies not to pay when hit with ransomware, a type of code that takes computer systems hostage and demands payment to have files unlocked. Doing so, officials have said, would support a booming criminal marketplace. But many companies, municipalities and others debilitated by attacks do pay, concluding it is the only way to avoid costly disruptions to their operations.

Paying ransoms to hackers can encourage more criminal activity and often doesn’t lead to a restoration of systems, said Ciaran Martin, the former head of the National Cyber Security Center, the British government’s cybersecurity agency. Companies should consider those factors when deciding whether to pay, he said.

“There are three problems contributing to the ransomware crisis,” Mr. Martin said. “One is Russia sheltering organized crime. A second is weak cybersecurity in too many places. But the third, and most corrosive, problem is that the business model works spectacularly for the criminals.”

U.S. officials have linked the ransomware attack on Colonial to a criminal gang known as DarkSide, believed to be based in Eastern Europe, which specializes in crafting the malware used to breach systems and shares it with affiliates—for a cut of the ransoms they obtain. On Friday, DarkSide said it had lost access to its infrastructure and was shutting down, though it was unclear if the group was targeted by a law-enforcement action or seeking to go underground and regroup later.

Mr. Blount said Colonial paid the ransom in consultation with experts who had previously dealt with the criminal organization.
He and others involved declined to detail who assisted in those negotiations. Colonial said it has cyber insurance, but declined to provide details on ransomware-related coverage.

Sometimes ransomware gangs will encrypt computers and backup systems, leaving victims with no option aside from paying the ransom, said David Kennedy, chief executive of security company TrustedSec LLC, which has investigated about a dozen ransomware cases involving DarkSide over the past nine months.

“I’m against paying ransom, because every time you pay these groups, you’re helping them expand their capabilities,” he said. “But companies are literally brought to their knees with no other option.”

Last week, Anne Neuberger, the White House deputy national security advisor for cyber and emerging technology, said the Biden administration hadn’t made a recommendation to Colonial on whether it should pay. But she said that the White House recognized it was sometimes not a feasible option for companies to decline payment, especially those that don’t have backup files or other means of recovering data. She added that the administration wanted to work with international partners to review how governments assist victims and “ensure that we’re not encouraging the rise of ransomware.”

The pipeline company, which is based in Alpharetta, Ga., and owned by units of IFM Investors, Koch Industries Inc., KKR & Co. and Royal Dutch Shell PLC, restored service on the pipeline last week.
It said Monday that it was transporting fuel at normal levels, though it warned that it would take time for the supply chain to recover.

The crisis was a test of leadership for Mr. Blount, 60 years old, who has led the company since 2017. He had co-founded private equity-backed pipeline company Century Midstream LLC in 2013, after working as an executive and in other roles at energy companies over an almost 40-year career.

Over the past five years, Mr. Blount said, Colonial has invested about $1.5 billion in maintaining the integrity of its 5,500-mile pipeline system, and has spent $200 million on IT.

For Mr. Blount, the cyberattack was akin to the Gulf Coast hurricanes that often force segments of pipelines and refineries to shut down for days or weeks. However, it was in some ways more devastating. The Colonial Pipeline had never before been shut down all at once, he said.

The attack was discovered around 5:30 a.m. on May 7 and quickly set off alarms through the company’s chain of command, reaching Mr. Blount less than a half-hour later as he was getting ready for the workday. The company has stressed that operational systems weren’t directly impacted, and that it shut down pipeline flows while it investigated how deeply the hackers had gotten inside.
