- Colonial Pipeline President and CEO Joseph Blount defended the company's response to the cyberattack, which resulted in the company paying a $4.4 million ransom in Bitcoin and temporarily shut down fuel delivery for most of the East Coast and southern U.S. In testimony before the Senate Homeland Security & Government Affairs Committee, Blount apologized for authorizing the payment and withholding the information from the public, but said it was in the best interest of the country.
- "I made the decision to pay and I made the decision to keep the information about the payment as confidential as possible," he said, citing concerns about operational safety and security. Colonial Pipeline has rebuilt and restored its critical IT systems, but Blount said additional work needs to be done.
- The hackers exploited a legacy virtual private network profile the company no longer used, Blount said. Investigators are still trying to figure out how the attackers got the credentials used to exploit the profile.
The attack, which FBI officials attributed to the DarkSide ransomware gang, set off alarm bells across the nation about the vulnerability of the nation's critical infrastructure. The Georgia-based company is the largest refined products supplier in the U.S., providing 45% of the fuel supply to the East Coast.
The May 7 attack caused gasoline prices to soar and led panicked car owners to hoard gasoline before numerous stations temporarily shut down after running out of supply.
Security researchers and experts on industrial control say the Colonial Pipeline attack has exposed major gaps in the nation's cyber defense system that leave it vulnerable to additional attacks that could do significant damage to national security.
"Threat actors know that critical infrastructure systems are old and vulnerable, and they will leverage the success of the Colonial ransomware attack to up their game and hit more networks with even bigger ransom demands," Sam Curry, CSO at Cybereason said, via email.
During the hearing, Blount said legacy VPN profile did not offer the protection of multifactor authentication, making it relatively easy for a sophisticated attacker to breach the system once they gained access to user credentials. VPNs have been under attack by nation-state threat actors in recent months, subject to prior warnings by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA). Cybersecurity Dive reached out to CISA regarding the concurrence of the federal government's warnings and the Colonial VPN breach, but the agency had no further comment at the time of publication.
In a nod to the SolarWinds password hygiene controversy, Blount said the password used was not a "Colonial 123" type of password, but a complicated one. SolarWinds faced blowback during Congressional hearings in February when it was disclosed they had previously used "solarwinds 123" as a password that was leaked by an intern.
"The ransom gang targeted Colonial Pipeline simply because they identified obvious vulnerabilities that they could easily exploit," Anthony Grenga, vice president, cyber operations at IronNet Cybersecurity.
One lesson learned from the attack is companies do not just bounce back to normal operations immediately after paying a ransom. Colonial Pipeline officials conducted air surveillance and drove more than 29,000 miles to conduct manual inspection of its fuel pipeline, which runs from Texas up to New Jersey and has 260 delivery points along the way across 13 states and Washington D.C., according to Blount.
After paying the ransom and getting the decryption keys from the attackers, Blount said the company initially focused on restoring critical systems on the IT side that would allow the company to resume pipeline operations. But this week, Colonial Pipeline was working to restore seven financial systems that have been down since the week of May 7, Blount said.
"The keys are helpful, and we have used the keys, so they have been advantageous to us, but they are not perfect," Blount said.
Mandiant is leading the forensic investigation, however Colonial has also retained Rob Lee, CEO of Dragos, a specialist in industrial cybersecurity, to help with the probe as well as John Strand, owner of Black Hills Information Security.
Colonial Pipeline and Mandiant have worked very closely with federal authorities in their investigation of the attack. As part of a more aggressive response to ransomware and other malicious cyber activity, the FBI was able take back more than half of the Colonial Pipeline ransomware payment from DarkSide, federal officials announced this week.
The FBI seized 63.7 Bitcoin, the equivalent of $2.3 million, from the attackers by tracking multiple transfers of funds following a search warrant authorized by a federal magistrate judge in Northern California.
Deputy Attorney General Lisa Monaco said at a Monday press conference federal authorities were able to recover more than half the ransomware payments through the Department of Justice's Ransomware and Digital Extortion Task Force.