Joseph Blount, the CEO of Colonial Pipeline, testified before Congress on Tuesday to answer questions regarding a ransomware attack on his company that cut off 45% of the fuel supply to the East Coast last month, leading to panic buying and gas shortages in a number of states.
“We believe the attacker exploited a legacy VPN profile that was not intended to be in use,” Blount said in his testimony before the Senate Homeland Security Committee. “We had cyberdefenses in place, but the unfortunate reality is that those defenses were compromised.”
Blount, who answered questions for roughly an hour and a half, was open about his company’s vulnerabilities in the lead-up to the attack that cost the company $4.4 million in ransom. He explained why he chose to pay the cybercriminal organization behind the attack, DarkSide, despite established recommendations by the FBI and Department of Homeland Security to avoid paying such ransoms.
“I made the decision to pay, and I made the decision to keep the information about the payment as confidential as possible,” Blount told senators. “It was the hardest decision I made in my 39 years in the energy industry, and I know how critical our pipeline is to the country, and I put the interest of the country first.”
Ransomware attacks occur when hackers gain access to a victim’s network and encrypt important files so that they can be decrypted only with keys the attackers hold. The attackers then offer to hand over the keys in exchange for a ransom.
But Colonial Pipeline suffered a two-stage ransomware attack: hackers first encrypted important files and then threatened to release stolen copies online. Backups kept out of the attackers’ reach can help restore the encrypted data and so mitigate some of the damage, but they do nothing against the threat to publish what was stolen, and it can often take weeks or months to fully recover from such attacks.
'Private industry alone can't do everything'
On Monday, Department of Justice officials said they recovered $2.3 million of the ransom Colonial Pipeline paid to DarkSide. The recovery is the first by the DOJ’s new ransomware task force launched in response to the spike in ransomware attacks in recent years.
During Tuesday’s Homeland Security Committee hearing, senators questioned how Blount views the role of the private and public sectors with regards to cybersecurity, and how exactly the breach occurred in the first place.
While Blount said that DarkSide exploited an older VPN profile, cybersecurity firm FireEye (FEYE) says a lack of multi-factor authentication on the VPN made the attack easier. Multi-factor authentication requires users to present a second factor, such as a one-time code from an app or hardware token, in addition to their password when signing in, so a stolen or leaked password alone is not enough to get in. It is a standard cybersecurity practice that everyday users are advised to enable on their own accounts.
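A check a defender would want after a story like this is an audit of the VPN profiles that exist against the logins actually observed. The following is an added example written for this article, not code from Colonial Pipeline, FireEye or any VPN vendor: it parses a few constructed authentication log lines in a hypothetical format, compares them with a constructed profile inventory, and flags profiles that are dormant, unapproved, missing from the inventory, or still accepting password-only logins.

```python
import re
from datetime import datetime, timedelta

# Constructed sample VPN authentication log lines (hypothetical format, not
# taken from any real appliance). Fields: timestamp, user, result, factors used.
SAMPLE_LOG = """\
2021-04-01T08:12:03Z user=alice result=success auth=password+totp
2021-04-02T09:30:11Z user=bob result=success auth=password
2021-04-15T12:00:00Z user=contractor-old result=success auth=password
2021-04-29T17:45:00Z user=svc-legacy result=success auth=password
2021-04-30T07:02:44Z user=alice result=success auth=password+totp
2021-04-30T07:05:19Z user=bob result=failure auth=password
"""

# Constructed inventory of provisioned VPN profiles (hypothetical): whether a
# second factor is enforced for the profile and whether it is still approved for use.
INVENTORY = {
    "alice": {"mfa_enforced": True, "approved": True},
    "bob": {"mfa_enforced": False, "approved": True},
    "svc-legacy": {"mfa_enforced": False, "approved": False},
    "carol": {"mfa_enforced": True, "approved": True},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) auth=(?P<auth>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts. Malformed lines are skipped so one bad line
    cannot abort the whole audit."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "result": m["result"],
            "factors": m["auth"].split("+"),
        })
    return events


def audit_profiles(inventory, events, now, dormant_days=30):
    """Return {profile: [issues]} for every profile that needs attention."""
    last_success = {}
    password_only = set()
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts do not count as use of the profile
        prev = last_success.get(e["user"])
        last_success[e["user"]] = e["ts"] if prev is None else max(prev, e["ts"])
        if e["factors"] == ["password"]:
            password_only.add(e["user"])

    findings = {}
    for name, prof in inventory.items():
        issues = []
        if not prof["approved"]:
            issues.append("not on approved list")
        if not prof["mfa_enforced"]:
            issues.append("mfa not enforced")
        if name in password_only:
            issues.append("password-only login observed")
        last = last_success.get(name)
        if last is None:
            issues.append("never used in log window")
        elif now - last > timedelta(days=dormant_days):
            issues.append(f"dormant {(now - last).days} days")
        if issues:
            findings[name] = issues

    # A profile that authenticates but is unknown to the inventory is exactly
    # the kind of forgotten account the testimony describes.
    for user in last_success:
        if user not in inventory:
            findings[user] = ["authenticated but not in inventory"]
    return findings


def run_audit(log_text=SAMPLE_LOG, inventory=INVENTORY, now_iso="2021-05-07T00:00:00Z"):
    now = datetime.strptime(now_iso, "%Y-%m-%dT%H:%M:%SZ")
    return audit_profiles(inventory, parse_log(log_text), now)


if __name__ == "__main__":
    for profile, issues in sorted(run_audit().items()):
        print(f"{profile}: {', '.join(issues)}")
```

Dormancy is measured from the last successful login, not the last attempt, because an attacker guessing at an abandoned account should not make that account look active. In a real deployment the inventory would come from the VPN appliance or identity provider export and the log window should be long enough to cover genuinely infrequent but legitimate users.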