Colonial Pipeline’s CEO on Tuesday apologized for the impact that a cyberattack had on the American public.
“We are deeply sorry for the impact that this attack had but we were also heartened by the resilience of our country and of our company,” Colonial Pipeline President and CEO Joseph Blount told members of a Senate panel in Washington.
Colonial’s approximately 5,500-mile pipeline, which runs from Texas to New Jersey and supplies major hubs across the southeastern United States, was taken offline last month by the company in response to a ransomware attack that’s been pinned on a cybercriminal group called DarkSide.
After news of the situation broke, station outages climbed over 16,000, and gas prices surged.
Colonial eventually restored its systems and brought its fuel conduit back online. Most stations now have gas, according to GasBuddy’s last outage update on June 1.
DarkSide is a ransomware-for-hire service, which enables hackers to leverage the group’s technology in exchange for a portion of the profit. Hackers locked portions of Colonial’s system on May 7 and demanded a ransom. The following day, Colonial paid 75 bitcoins, worth approximately $4.4 million.
“I made the decision to pay and I made the decision to keep the information about the payment as confidential as possible. It was the hardest decision I’ve made in my 39 years in the energy industry and I know how critical our pipeline is to the country and I put the interests of the country first,” Blount told lawmakers on Tuesday.
Blount said he wanted the focus to remain on getting the pipeline back up and running and believes he made the right choice. He also said the decryption tool that Colonial received in exchange for the payment did work, rebutting an earlier Wall Street Journal story.
Senators expressed concern at how a single attack could have such dramatic consequences.
“I’m glad your company continues to recover from this malicious attack, and that the FBI was able to recover millions of dollars in ransom paid. But I am alarmed that this breach ever occurred in the first place, and that communities from Texas to New York suffered as a result,” Sen. Gary Peters (D-Mich.), chairman of the Senate Homeland Security and Governmental Affairs Committee, said during the hearing.
The Department of Justice announced Monday that it was able to seize most of the bitcoins.
Peters wondered how the attackers were able to gain access to Colonial’s network in just two hours before locking parts of it until payment was rendered.
Sen. Rob Portman (R-Ohio), the top Republican on the panel, noted that news reports citing cybersecurity experts had described the hackers as getting into the network by compromising a virtual private network, or VPN, that did not use multi-factor authentication, considered a basic cyber defense.
Blount said a preliminary investigation indicates that attackers did exploit what he described as a “legacy VPN profile that was not intended to be in use.”
The password was not a simple one like “Colonial123,” the CEO said.
“We had cyber defenses in place, but the unfortunate reality is that those defenses were compromised,” he added. The company is working on boosting its cyber defenses but still has a ways to go.
Lawmakers have introduced a flurry of bills in the wake of the attack and others like it, including one that crippled JBS, a major meat producer. One seeks to harden America’s critical systems while another would up the penalties that foreign actors face for attacking key infrastructure.
“We are clearly experiencing relentless and unprecedented assaults against both our private and public sector information systems and we’re getting those assaults by both criminal organizations as well as foreign adversaries, and this is a grave national security concern,” Peters said. “And certainly from the questions that were posed today by all of my colleagues, I think it’s clear that my colleagues believe this is something that we need to address immediately and in a comprehensive fashion.”