The operator of the Colonial Pipeline learned it was in trouble at daybreak on May 7, when an employee found a ransom note from hackers on a control-room computer. By that night, the company’s chief executive officer came to a difficult conclusion: He had to pay.
Joseph Blount, CEO of Colonial Pipeline Co., told The Wall Street Journal that he authorized the ransom payment of $4.4 million because executives were unsure how badly the cyberattack had breached its systems, and consequently, how long it would take to bring the pipeline back.
Mr. Blount acknowledged publicly for the first time that the company had paid the ransom, saying it was an option he felt he had to exercise, given the stakes involved in a shutdown of such critical energy infrastructure. The Colonial Pipeline provides roughly 45% of the fuel for the East Coast, according to the company.
“I know that’s a highly controversial decision,” Mr. Blount said in his first public remarks since the crippling hack. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.”
“But it was the right thing to do for the country,” he added.
In return for the payment—made in the form of bitcoin, about 75 in all, according to a person familiar with the matter—the company received a decryption tool to unlock the systems that hackers penetrated. While it proved to be of some use, it ultimately wasn’t enough to immediately restore the pipeline’s systems, the person said.
The pipeline, which transports gasoline, diesel, jet fuel and other refined products from the Gulf Coast to Linden, N.J., wound up being shut down for six days. The stoppage spurred a run on gasoline along parts of the East Coast that pushed prices to the highest levels in more than 6 ½ years and left thousands of gas stations without fuel.
East Coast stockpiles of gasoline dropped by about 4.6 million barrels last week, the steepest weekly drop since late February, Energy Department data showed.
For years, the Federal Bureau of Investigation has advised companies not to pay when hit with ransomware, a type of code that takes computer systems hostage and demands payment to have files unlocked. Doing so, officials have said, would support a booming criminal marketplace.
But many companies, municipalities and others debilitated by attacks do pay, concluding it is the only way to avoid costly disruptions to their operations.
Paying ransoms to hackers can encourage more criminal activity and often doesn’t lead to a restoration of systems, said Ciaran Martin, the former head of the National Cyber Security Center, the British government’s cybersecurity agency. Companies should consider those factors when deciding whether to pay, he said.
“There are three problems contributing to the ransomware crisis,” Mr. Martin said. “One is Russia sheltering organized crime. A second is weak cybersecurity in too many places. But the third, and most corrosive, problem is that the business model works spectacularly for the criminals.”
U.S. officials have linked the ransomware attack on Colonial to a criminal gang known as DarkSide, believed to be based in Eastern Europe, which specializes in crafting the malware used to breach systems and shares it with affiliates—for a cut of the ransoms they obtain.
On Friday, DarkSide said it had lost access to its infrastructure and was shutting down, though it was unclear if the group was targeted by a law-enforcement action or seeking to go underground and regroup later.
Mr. Blount said Colonial paid the ransom in consultation with experts who had previously dealt with the criminal organization. He and others involved declined to detail who assisted in those negotiations. Colonial said it has cyber insurance, but declined to provide details on ransomware-related coverage.
Sometimes ransomware gangs will encrypt computers and backup systems, leaving victims with no option aside from paying the ransom, said David Kennedy, chief executive of security company TrustedSec LLC, which has investigated about a dozen ransomware cases involving DarkSide over the past nine months.
“I’m against paying ransom, because every time you pay these groups, you’re helping them expand their capabilities,” he said. “But companies are literally brought to their knees with no other option.”
Last week, Anne Neuberger, the White House deputy national security advisor for cyber and emerging technology, said the Biden administration hadn’t made a recommendation to Colonial on whether it should pay.
But she said that the White House recognized it was sometimes not a feasible option for companies to decline payment, especially those that don’t have backup files or other means of recovering data. She added that the administration wanted to work with international partners to review how governments assist victims and “ensure that we’re not encouraging the rise of ransomware.”
The pipeline company, which is based in Alpharetta, Ga. and owned by units of IFM Investors, Koch Industries Inc., KKR & Co. and Royal Dutch Shell PLC, restored service on the pipeline last week. It said Monday that it was transporting fuel at normal levels, though it warned that it would take time for the supply chain to recover.
The crisis was a test of leadership for Mr. Blount, 60 years old, who has led the company since 2017. He had co-founded private equity-backed pipeline company Century Midstream LLC in 2013, after working as an executive and in other roles at energy companies over an almost 40-year career.
Over the past five years, Mr. Blount said, Colonial has invested about $1.5 billion in maintaining the integrity of its 5,500-mile pipeline system, and has spent $200 million on IT.
For Mr. Blount, the cyberattack was akin to the Gulf Coast hurricanes that often force segments of pipelines and refineries to shut down for days or weeks. However, it was in some ways more devastating. The Colonial Pipeline had never before been shut down all at once, he said.
The attack was discovered around 5:30 a.m. on May 7 and quickly set off alarms through the company’s chain of command, reaching Mr. Blount less than a half-hour later as he was getting ready for the workday. The company has stressed that operational systems weren’t directly impacted, and that it shut down pipeline flows while it investigated how deeply the hackers had gotten inside.
It took Colonial about an hour to shut the conduit, which has about 260 delivery points across 13 states and Washington, D.C. The move was also meant to prevent the infection from potentially migrating to the pipeline’s operational controls.
As Colonial shut the pipeline, employees were instructed not to log in to its corporate network, and executives made a volley of phone calls to federal authorities, starting with the FBI’s offices in Atlanta and San Francisco, as well as a representative from the Cybersecurity and Infrastructure Security Agency, or CISA, Mr. Blount said.
CISA officials confirmed Colonial representatives informed them of the hack shortly after the incident occurred. FBI representatives didn’t respond to requests for comment.
Over the next several days, the Energy Department acted as a conduit through which Colonial could provide updates to multiple federal agencies involved in the response, Mr. Blount said. Energy Secretary Jennifer Granholm and Deputy Secretary David Turk stayed in regular contact with the company, in part to “gain information to guide the federal response,” Energy Department spokesman Kevin Liao said.
As Colonial prepared to restore service, its personnel patrolled the pipeline searching for any signs of physical damage, driving some 29,000 miles. The company dispatched nearly 300 workers to keep their eyes on the pipeline, supplementing its usual electronic monitoring, Mr. Blount said.
Though the pipeline’s flow of fuel has returned to normal, the impact of the hack hardly ended with the ransom payment. It will take months of restoration work to recover some business systems, and will ultimately cost Colonial tens of millions of dollars, Mr. Blount said, noting that it is still unable to bill customers following an outage of that system.
Another costly loss, Mr. Blount noted, was the company’s preferred level of anonymity.
“We were perfectly happy having no one know who Colonial Pipeline was, and unfortunately that’s not the case anymore,” he said. “Everybody in the world knows.”
—Robert McMillan contributed to this article.