Colonial Pipeline CEO testifies after ransomware attack

By Meg Wagner, Melissa Macaya, Melissa Mahtani, Mike Hayes and Veronica Rocha, CNN

Updated 4:25 p.m. ET, June 8, 2021
10:57 a.m. ET, June 8, 2021

Colonial CEO "disappointed" in DHS cybersecurity agency comments 

From CNN's Geneva Sands

Colonial Pipeline CEO Joseph Blount told lawmakers Tuesday he was "disappointed" to hear the Department of Homeland Security cybersecurity agency raised concerns about communications between the company and the federal agency. 

Last month, DHS Cybersecurity and Infrastructure Security Agency acting director Brandon Wales testified that his agency was brought in by the FBI, not Colonial. Wales told Republican Sen. Rob Portman of Ohio at the previous hearing he did not think that Colonial would have contacted CISA directly, if not for the FBI reaching out. 

When pressed, Wales said that there’s a "benefit when CISA is brought in quickly" because the agency can share it in a broader fashion to protect other critical infrastructure. 

On Tuesday, Blount said his company has historically maintained communication with CISA.

"I was somewhat disappointed when I heard that they felt like if we hadn't gone in and contacted them the first day with the FBI that we would not have contacted them separately," Blount said. 

11:09 a.m. ET, June 8, 2021

Colonial Pipeline CEO: We reached out to the FBI "within hours" of the attack

Storage tanks are seen at a Colonial Pipeline facility in New Jersey on May 12. Mark Kauzlarich/Bloomberg/Getty Images

Colonial Pipeline CEO Joseph Blount said that his company reached out to the FBI "within hours" of the ransomware attack.

Asked during questioning by Sen. Tom Carper, a Democrat from Delaware, about his contact with the FBI in the early hours of the May 7 attack, Blount said that Colonial first contacted the Atlanta office of the FBI. "They felt it was DarkSide," Blount said, referring to the criminal hacking group that officials said carried out the attack.

From there, Blount said that Colonial was put in touch with the FBI's "DarkSide experts" who are California-based.

Some more context: Ahead of today's Senate hearing with Colonial Pipeline's CEO, US investigators announced they recovered millions in cryptocurrency they say was paid in ransom to hackers whose attack prompted the shutdown of the key East Coast pipeline last month, the Justice Department said Monday.

The announcement confirmed CNN's earlier reporting about the FBI-led operation, which was carried out with cooperation from Colonial Pipeline, the company that fell victim to the ransomware attack in question.

Specifically, the Justice Department said it seized approximately $2.3 million in Bitcoins paid to individuals in a criminal hacking group known as DarkSide. The FBI said it has been investigating DarkSide, which is said to share its malware tools with other criminal hackers, for over a year.

CNN's Evan Perez, Zachary Cohen and Alex Marquardt contributed reporting to this post. 

10:37 a.m. ET, June 8, 2021

Colonial Pipeline CEO: "I made the decision to pay" the ransomware hackers

Colonial Pipeline CEO Joseph Blount said during his opening remarks "I made the decision to pay" the ransomware hackers that shut down the pipeline last month.

He said it was "the hardest decision" he's ever made in his career, adding, "I believe with all my heart it was the right choice to make."

Blount said that his company worked with law enforcement "from the start" including the Department of Justice and FBI, which "may have led to the recovery this week" of millions paid to the hackers.

Blount's public testimony comes a day after the DOJ announced that US investigators recovered millions of dollars in cryptocurrency paid in ransom to hackers.

The company discovered the cyberattack on May 7 just before 5:00 a.m. when an employee found a ransom note on its IT network. The employee notified a supervisor who ordered the shutdown of the pipeline.

"Shutting down the pipeline was absolutely the right decision, and I stand by our employees’ decision to do what they were trained to do," Blount said in prepared remarks.  

He said the decision was driven by the "imperative to isolate and contain the attack" to help ensure the malware on the IT network did not spread to the operational network, which controls the pipelines. 

More on the ransomware attack: The process to shut down 5,500 miles of pipelines took about 15 minutes and was complete by 6:10 a.m., according to Blount. In prepared remarks, he recognized the "gravity of the disruption that followed the shutdown, including panic-buying and shortages on the East Coast," and apologized to everyone impacted by this attack.

Colonial, which has around 950 employees, began returning all pipelines to service on Wednesday evening, May 12. As part of the restart process, the company increased air surveillance and drove over 29,000 miles for inspections of the pipeline to ensure physical security. 

Last month after intense speculation, Blount publicly admitted he made the decision to pay the ransom to the hackers as the company tried to get its services up and running again. 

CNN's Geneva Sands contributed reporting to this post.

10:22 a.m. ET, June 8, 2021

NOW: Colonial Pipeline CEO speaks before Senate committee on ransomware attack

From CNN's Geneva Sands

Colonial Pipeline CEO Joseph Blount is testifying in the Senate, a month after the company was hit with a debilitating ransomware attack that led to a halt in operations at one of America's most important fuel pipelines.

Blount will face lawmakers for the first time since a six-day shutdown of the pipeline in May led to panic buying and widespread gas station outages in the Southeast.

The Colonial incident, followed several weeks later by a cyberattack on a major US meat producer, highlighted the grave risk that ransomware can have for businesses and vital services throughout the US, as criminals have increasingly had success targeting large enterprises.

Blount's public testimony comes a day after the Justice Department announced that US investigators recovered millions of dollars in cryptocurrency paid in ransom to hackers.

Ransomware attacks have grown in both scope and sophistication in the last year, Deputy Attorney General Lisa Monaco said Monday, calling it an "epidemic."

Blount admitted last month that he authorized a ransom payment of $4.4 million, calling it a "highly controversial decision," in an interview at the time.

10:20 a.m. ET, June 8, 2021

GOP Sen. Portman says "there's a lot more work to do" on cybersecurity

Ranking member Sen. Rob Portman, a Republican from Ohio, noted during opening remarks in a Senate hearing that the attack on Colonial Pipeline is not an "isolated incident."

He said that Congress has done a lot of good work on cybersecurity but "there's a lot more work to do."

Portman said that along with impacting the companies with cyber attacks that paralyze "companies until ransom is paid," ransomware attackers are employing a "two prong" approach by threatening to release "sensitive victim data."

The GOP senator said that there "seems to be a new ransomware attack every week" and "no entity is safe." He noted that after the Colonial Pipeline attack hackers went after the US's largest meat processor, JBS.

9:46 a.m. ET, June 8, 2021

Why hackers are targeting physical infrastructure

From CNN's Rishi Iyengar and Clare Duffy

An aerial view of the JBS beef plant in Greeley, Colorado, on June 1. Michael Ciaglo/Bloomberg/Getty Images

Many people think of cyberattacks as just that: an attempt by hackers to steal sensitive data or money online. But now hackers have found a significant moneymaker in targeting physical infrastructure.

These attacks have the potential to spark mayhem in people's lives, leading to product shortages, higher prices and more. The greater the disruption, the greater the likelihood that companies will pay to alleviate it.

"If you're a ransomware actor, your goal is to inflict as much pain as possible to compel these companies to pay you," said Katell Thielemann, Gartner's vice president analyst for security and risk management. "This is beyond cybersecurity only, this is now a cyber-physical event where actual, physical-world processes get halted. When you can target companies in those environments, clearly that's where the most pain is felt because that's where they make money."

Multiple recent ransomware attacks have originated from Russia, according to US officials. Last Wednesday, the FBI attributed the attack on meat producer JBS to a Russia-based cybercriminal group called REvil, which also tried to extort Apple supplier Quanta Computer earlier this year. REvil is similar to DarkSide, the group US officials said was behind the ransomware attack that shut down the Colonial Pipeline last month.

Experts say both REvil and DarkSide operate what are essentially "ransomware-as-a-service" businesses, often employing large staffs to create tools to help others execute ransomware attacks, and taking a cut of the profits. In some cases, they also carry out their own attacks. Russian law enforcement typically leaves such groups operating within the country alone if their targets are elsewhere because they bring money into the country, cybersecurity experts say.

The list of potential targets is long. The US government's Cybersecurity and Infrastructure Agency (CISA) lists 16 different industries as "critical infrastructure sectors," including energy, healthcare, financial services, water, transportation, food and agriculture, the compromise of which could have a "debilitating effect" on the US economy and security. But experts say much of this infrastructure is aging, and its cyber defenses haven't kept up with the evolution of bad actors.

9:33 a.m. ET, June 8, 2021

Here's the latest on the Colonial Pipeline hack

From CNN's Evan Perez, Zachary Cohen and Alex Marquardt

An aerial view of fuel holding tanks at Colonial Pipeline's Dorsey Junction Station in Woodbine, Maryland, on May 13. Drew Angerer/Getty Images

The Justice Department announced Monday that investigators recovered millions in cryptocurrency they say was paid in ransom to hackers whose attack prompted the shutdown of the key East Coast pipeline last month.

The announcement confirms CNN's earlier reporting about the FBI-led operation, which was carried out with cooperation from Colonial Pipeline, the company that fell victim to the ransomware attack in question.

Specifically, the Justice Department said it seized approximately $2.3 million in Bitcoins paid to individuals in a criminal hacking group known as DarkSide. The FBI said it has been investigating DarkSide, which is said to share its malware tools with other criminal hackers, for over a year.

The ransom recovery, which is the first seizure undertaken by the recently created DOJ digital extortion taskforce, is a rare outcome for a company that has fallen victim to a debilitating cyberattack in the booming criminal business of ransomware.

Colonial Pipeline Co. CEO Joseph Blount told The Wall Street Journal in an interview published last month that the company complied with the $4.4 million ransom demand because officials didn't know the extent of the intrusion by hackers and how long it would take to restore operations.

But behind the scenes, the company had taken early steps to notify the FBI and followed instructions that helped investigators track the payment to a cryptocurrency wallet used by the hackers, believed to be based in Russia.

"Following the money remains one of the most basic, yet powerful, tools we have," Deputy Attorney General Lisa Monaco said Monday during the DOJ announcement, which followed CNN's reporting about the recovery operation. "Ransom payments are the fuel that propels the digital extortion engine, and today's announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises."

9:00 a.m. ET, June 8, 2021

Colonial Pipeline CEO will testify this morning about last month's cyberattack

The CEO of Colonial Pipeline is set to testify to lawmakers today after a cyberattack caused a six-day shutdown of the pipeline that delivers nearly half of all the diesel and gasoline consumed on the East Coast of the United States.

Joseph Blount, who has run the Colonial Pipeline company for nearly four years, will appear today before the Senate Homeland Security Committee. He is expected to testify Wednesday before the House Committee on Homeland Security in a hearing called "Cyber Threats in the Pipeline: Using Lessons from the Colonial Ransomware Attack to Defend Critical Infrastructure."

The Colonial Pipeline attack — which the FBI attributed to a criminal gang called DarkSide — was done using a relatively unsophisticated form of ransomware, but it caused gas shortages, price spikes and a rush of consumers heading to the pumps out of fear that the outages would last.

Reporting from CNN's Clare Duffy