Company’s IT Team Was Unaware the VPN Exploited to Gain Entry Existed
Colonial Pipeline Co. CEO Joseph Blount defended his actions during the opening hours of the May 7 DarkSide ransomware attack against his company as several lawmakers on the U.S. Senate Homeland Security and Governmental Affairs Committee grilled the executive for over two hours on Tuesday.
Senators peppered Blount with multiple questions, including why he decided to pay DarkSide’s $4.3 million ransom demand, whether Colonial checked with the Treasury Department’s Office of Foreign Assets Control before paying the ransom, and why the company did not call the U.S. Cybersecurity and Infrastructure Agency immediately when the attack happened?
“I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible. I know how critical our pipeline is to the country, and I put the interests of the country first,” Blount told senators.
Colonial’s CEO also told the committee that he believed he was within his right to decide to pay, even though the FBI and CISA recommend not paying.
“It was our understanding that the decision was solely ours as a private company to make the decision about whether to pay or not to pay. And considering the consequences of potentially not bringing the pipeline back on as quickly as I possibly could, I chose the option to make the ransom payment,” he said.
On Monday, the Justice Department announced it had recovered about half of the ransom payment by following the bitcoin payment’s path (see: $2.3 Million of Colonial Pipeline Ransom Payment Recovered).
During the hearing, Blount also revealed that Colonial Pipeline’s IT team was unaware of the existence of the VPN that the DarkSide attackers appear to have exploited, as the application did not appear on any of its scans. He also noted that while the company made the decision to pay the ransom on May 7, the payment did not take place until May 8.
The attack caused Colonial to temporarily shut down its pipeline operation, crippling the distribution of gasoline and other fuel supplies along the East Coast through the company’s 5,500 miles of pipeline and leaving gas stations in several states dry as panicky motorists filled up their cars.
The investigation into the attack by security firm FireEye revealed last week that DarkSide gained initial access to Colonial through what Blount described as a “legacy VPN” that the company’s IT staff did not know existed.
Blount confirmed that the VPN in question used a compromised password and that it did not require multifactor authentication to access.
“It was a complicated password so I want to be clear on that. It was not a ‘colonial 123’-type password,” he said.
Blount did acknowledge that multifactor authentication is part of any good cybersecurity hygiene program and the reason this VPN was not so equipped was that the VPN was essentially invisible.
“I did reference earlier that the VPN was a legacy VPN we could not see, and it did not show up in any testing. That’s unfortunate,” he said.
Committee Chairman Sen. Gary Peters, D-Mich., and ranking member Sen. Rob Portman, R-Ohio, asked how Blount made the decision to pay the ransom.
“Paying ransoms rewards ransomware hackers. If no one paid ransoms, then those would have little incentive to engage in ransomware attacks. And even if an entity pays, there’s no guarantee that the hackers will give them the decryption key or not strike again,” Portman said.
Blount reiterated a statement he made on May 19, saying that the guiding principle he followed was that paying the ransom “was the right thing to do for the country,” and not making the payment public was necessary at the time.
He cited fears over emergency vehicles, airlines and drivers being unable to fuel their vehicles as his overriding concern that led to the May 7 decision to pay.
“I kept the information closely held because we were concerned about operational safety and security, and we wanted to stay focused on getting the pipeline back up and running. I believe with all my heart it was the right choice to make,” Blount said.
When asked by Portman if the FBI recommended paying the ransom, Blount said he was not directly involved in discussions with that bureau.
Blount gave a similar answer when Portman asked if Colonial had checked with OFAC to see if that agency had DarkSide listed as a sanctioned group. If so, it would have made any ransom payment a federal offense, he said. “I can assure you that everyone involved in that process continually fact-checked to make sure that this was not an OFAC-listed entity.”
“I was not involved in those conversations and so I can’t attest to who actually talked to who. But I do know that repeatedly throughout the process, the fact of whether DarkSide was on the sanctions list or not was fact-checked repeatedly,” he told Portman.
Was CISA Called?
Blount was questioned repeatedly by several committee members on the timeline of when Colonial brought in the different federal agencies to help after the breach. The senators were concerned that the company did not immediately contact CISA, but instead called the FBI’s Atlanta office.
Blount said the company reacted properly by calling the FBI within hours of the attack and explained that his company did not contact CISA because the FBI intended to bring that agency into the discussion.
“We contacted the FBI almost immediately that morning once we’d determined that we were under attack. In that conversation with the FBI that morning, they frankly said, ‘We want to get on a phone call later today. We’re going to bring CISA into the conversation.’ And so at that point, we already knew the contact would be made there,” he told the committee.
Blount commended the FBI and CISA and the outside firms Mandiant and Dragos for helping the company recover from the attack. He did not say when Colonial would return to its pre-attack state, noting that seven finance systems were brought back online Tuesday for the first time since the attack.
Blount will be back on Capitol Hill on Wednesday to appear before the House Homeland Security Committee.