Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Cyber Insurance

House Probes Specifics of Colonial Ransomware Attack

CEO Continues to Answer Questions on Paying Ransom and Company Response
House Probes Specifics of Colonial Ransomware Attack
Reps. Bennie Thompson (left) and John Katko of the House Homeland Security Committee

Colonial Pipeline Co. CEO Joseph Blount returned to Capitol Hill on Wednesday to answer additional questions from lawmakers about his company's response to the ransomware attack that affected the firm's operation for nearly a week, as well as his decision to pay the attackers.

See Also: A Strategic Roadmap for Zero Trust Security Implementation

For more than two hours Wednesday, Blount answered questions from Republicans and Democrats on the House Committee on Homeland Security about the ransomware attack. The CEO told lawmakers that his company didn't notify the FBI for four days that the ransom had been paid, and representatives also heard testimony that the attackers likely compromised the company's network in April.

During the hearing, lawmakers also pressed Blount not only about his company's response, but about what this incident means for the security of the nation's other critical infrastructure.

Rep. John Katko, R-N.Y., the committee's ranking member, noted during his opening statement that companies such as Colonial Pipeline are the key to the nation's critical infrastructure and need to do more to enhance their cybersecurity, which includes investing in their security and working with federal government agencies, such as the U.S. Cybersecurity and Infrastructure Security Agency.

"While I don't think a culture of blaming the victim is ultimately constructive, clearly we can all do better to protect our critical networks," Katko noted during Wednesday's virtual hearing. "Clearly, we can all do better to protect our critical infrastructure networks. I appreciate Colonial Pipeline's identification of places where they are now hardening systems in response to the devastating attack in May. But this begs the question: If your pipeline provides fuel to 45% of the East Coast, why are you only hardening your systems after an attack has occurred? Why was this not done beforehand?"

Rep. Bennie Thompson, D-Miss., the committee chairman, sounded a similar concern about the bigger implications for critical infrastructure.

"The potential impact of a long-term shutdown of the country's biggest pipeline crystalized the devastating consequences of ransomware," Thompson said. "More importantly, it raised serious questions about the cybersecurity practices of critical infrastructure owners and operators and whether voluntary cybersecurity standards are sufficient to defend ourselves against today's cyberthreats."

Thompson noted that while he was pleased to see that the Transportation Security Administration, which oversees security for the nation's interstate gas and oil pipelines, has issued new security directives, he believes that more will likely need to be done (see: DHS Unveils New Cybersecurity Requirements for Pipelines).

During his opening statement, Blount noted that since the May 7 ransomware attack, his company has worked with outside consultants and its internal security and IT teams as well as the federal government to address the security issues that were exposed during the incident.

"We are further hardening our cyber defenses," Blount testified. "We have rebuilt and restored our critical IT systems and are continuing to enhance our safeguards. While we are not yet where I want us to be, I know that if my CIO needs resources, she will get them."

Continuing Testimony

Blount's testimony before the House committee on Wednesday was the second time this week that the CEO has faced questions about his company's response to the ransomware attacks that crippled Colonial Pipeline's operations. On Tuesday, he testified before the Senate Homeland Security and Governmental Affairs Committee, where he defended his company's actions and willingness to pay the $4.4 million ransom (see: Colonial CEO at Senate Hearing Details Ransomware Attack).

Colonial Pipeline CEO Joseph Blount testifying before a House hearing on Wednesday

On Monday, the U.S. Justice Department and the FBI announced that investigators were able to claw back $2.3 million of the $4.4 million ransom Colonial Pipeline paid to the attackers, which appears to have been split between the main DarkSide ransomware group and one of its affiliates. While federal authorities did not release specific details, the FBI appears to have tracked part of the payment to a bitcoin wallet it controls, enabling law enforcement officials to recover the money (see: $2.3 Million of Colonial Pipeline Ransom Payment Recovered).

"I hope Colonial will use the recouped money to make necessary improvements to its cybersecurity," Thompson noted.

Besides Blount, lawmakers also heard testimony Wednesday from Charles Carmakal, senior vice president and CTO of FireEye Mandiant, who offered further details about the attack and additional insights into the DarkSide ransomware gang, which the FBI suspects of carrying out the attack.

In his opening statement, Carmakal explained that FireEye Mandiant was first contacted by a law firm working for Colonial Pipeline on May 7 - the day the ransomware attack was detected. The incident response team later discovered that the attackers had compromised the company's network on April 29, using credentials for a legacy VPN application that the IT team had been unaware was still attached to the network. The VPN also lacked protections such as multifactor authentication.

"The earliest evidence of compromise that we have identified to date occurred on April 29, 2021. On that date, the threat actor had logged into a virtual private network appliance using a legacy VPN profile and an employee's username and password," Carmakal noted. "The legacy VPN profile did not require a one-time passcode to be provided. The legacy VPN profile has since been disabled as part of Colonial Pipeline's remediation process."

Carmakal later testified that it appears the password - which he described as complex and unique - used to first gain access to the VPN was stolen when another website was compromised, although he could not state specifically if that was the case.

CISA and FBI Investigation

Blount testified that the decision to pay the ransom was made by him alone and he did so to restore service and get fuel moving through the company's 5,500-mile pipeline that was shut down due to the attack. During his testimony, he noted that while the company contacted the FBI within hours of finding the attack, he didn't notify the bureau of the payment until two days later on Wednesday, May 12. The CEO added that he did not consult with the FBI or any other officials about the payment.

Charles Carmakal, CTO of FireEye, testifying Tuesday

Blount also faced questions about when and where Colonial Pipeline engaged with CISA about the incident. The CEO testified that his firm called the FBI first and agents later brought CISA into the investigation (see: CISA Awaits Technical Details on Colonial Pipeline Attack).

Since then, Blount said, Colonial Pipeline has relied on outside consultants, such as FireEye and Dragos, to review the company's IT and operational technology security, but has not asked CISA for a review. This drew condemnation from Rep. Jim Langevin, D-R.I.

"In his testimony in front of the Senate yesterday, Mr. Blount used the word 'transparent' eight times, yet he continues to block the federal government’s premier cyber agency from ensuring that Colonial Pipeline’s networks are secure," Langevin said after Wednesday's hearing. "Mr. Blount's intransigence is all the more ridiculous because he has admitted that some of Colonial's systems still remain damaged and offline."

Questions About Ransom Payment

Several lawmakers questioned Blount about his decision to pay the ransom to the attackers. The CEO testified that he had made the decision soon after the incident was discovered because he was not sure how fast the company could recover and resume operations.

Blount also noted that Colonial Pipeline does have cyber insurance and that a claim to recoup the ransom payment has been made. "We do have cyber insurance [and] we've had cyber insurance for quite some time. We have submitted a claim for that ransom payment, and I haven't had that confirmed to me yet, but I suspect that it will be covered," he said.

When asked about the decryptor key that the gang sent once the ransom was paid, Carmakal testified that it did work as advertised, but that Colonial Pipeline was able to recover its IT systems using backups.


About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.