Colonial Pipeline CEO admits paying hackers $4.4m
2021-05-21 08:53, Shenzhen Daily

THE operator of Colonial Pipeline, the largest fuel pipeline in the U.S., learned it was in trouble at daybreak May 7, when an employee found a ransom note from hackers on a control-room computer. By that night, the company’s chief executive came to a difficult conclusion: He had to pay.

Joseph Blount, CEO of Colonial Pipeline, told The Wall Street Journal in an interview published Wednesday that he authorized the ransom payment of US$4.4 million because executives were unsure how badly the cyberattack had breached its systems or how long it would take to bring the pipeline back.

This was the first public acknowledgment by the company that a ransom had been paid. It followed repeated refusals by the company to discuss the payment, which Blount called “a highly controversial decision.”

“It was the right thing to do for the country,” he said in his first public remarks since the crippling hack. “I didn’t make it lightly. I will admit that I wasn’t comfortable seeing money go out the door to people like this.”

For years, the Federal Bureau of Investigation (FBI) has advised companies not to pay when hit with ransomware, malicious code that encrypts a victim’s files and systems and demands payment for the key to unlock them. Paying, officials have said, supports a booming criminal marketplace.

But many companies, municipalities and others debilitated by attacks do pay, concluding it is the only way to avoid costly disruptions to their operations.

Blount said Colonial paid the ransom in consultation with experts who had previously dealt with the criminal organization behind the attack.

In return for the payment, made in bitcoin (about 75 bitcoin in all, according to a person familiar with the matter), the company received a decryption tool to unlock the systems the hackers had penetrated. While it proved to be of some use, it was not enough on its own to restore the pipeline’s systems quickly, the person said.

The 5,500-mile (8,851-kilometer) Colonial Pipeline system was shut down May 7 after the most disruptive cyberattack on record, halting the flow of millions of barrels of gasoline, diesel and jet fuel from the Gulf Coast to the East Coast of the United States.

The pipeline wound up being shut down for six days. The stoppage spurred a run on gasoline along parts of the East Coast that pushed prices to the highest levels in more than six years and left thousands of gas stations without fuel.

The crisis was a test of leadership for Blount, 60, who has led the company since 2017. He had co-founded private equity-backed pipeline company Century Midstream LLC in 2013, after working as an executive and in other roles at energy companies over an almost 40-year career.

Over the past five years, Blount said, Colonial has invested about US$1.5 billion in maintaining the integrity of its pipeline system, and has spent US$200 million on IT.

For Blount, the cyberattack was akin to the Gulf Coast hurricanes that often force segments of pipelines and refineries to shut down for days or weeks. However, it was in some ways more devastating. Colonial Pipeline had never before been shut down all at once, he said.

The attack was discovered around 5:30 a.m. May 7 and quickly set off alarms through the company’s chain of command, reaching Blount less than a half hour later as he was getting ready for the workday. The company has stressed that operational systems weren’t directly impacted, and that it shut down pipeline flows while it investigated how deeply the hackers had gotten inside.

It took Colonial about an hour to shut the conduit, which has about 260 delivery points across 13 states and Washington, D.C. The move was also meant to prevent the infection from potentially migrating to the pipeline’s operational controls.

As Colonial shut the pipeline, employees were instructed not to log in to its corporate network, and executives made a volley of phone calls to federal authorities, starting with the FBI’s offices in Atlanta and San Francisco, as well as a representative from the Cybersecurity and Infrastructure Security Agency, or CISA, Blount said.

As Colonial prepared to restore service, its personnel patrolled the pipeline searching for any signs of physical damage, driving some 29,000 miles. The company dispatched nearly 300 workers to keep their eyes on the pipeline, supplementing its usual electronic monitoring, Blount said.

Though the pipeline’s flow of fuel has returned to normal, the impact of the hack hardly ended with the ransom payment. It will take months of restoration work to recover some business systems, and will ultimately cost Colonial tens of millions of dollars, Blount said, noting that it is still unable to bill customers following an outage of that system.

Another costly loss, Blount noted, was the company’s preferred level of anonymity.

“We were perfectly happy having no one know who Colonial Pipeline was, and unfortunately that’s not the case anymore,” he said. “Everybody in the world knows.”

DarkSide, a relatively new but prolific ransomware gang thought to be based in Eastern Europe, was identified by the FBI as responsible for the compromise of the Colonial Pipeline networks.

DarkSide operates under a “ransomware-as-a-service” structure, in which developers of the ransomware receive a share of the proceeds from the cybercriminal actors who deploy it, known as “affiliates.”

U.S. President Joe Biden said last week that there is “strong reason to believe” that the criminals who carried out the cyberattack are living in Russia.

Interestingly, the group posted something of an apology for the hack on its darknet website for the “social consequences.”

Although not directly referencing Colonial, it referred to “today’s news,” saying: “Our goal is to make money and not creating problems for society.”

“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for ... our motives. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

DarkSide has previously said it would start donating some of the extorted money to charities.

According to The New York Times cybersecurity reporter Nicole Perlroth, DarkSide isn’t necessarily associated with a specific nation-state, but it does tend to avoid holding victims for ransom if their systems are running in certain Russian and Eastern European languages. Bloomberg reports that the group is known to speak Russian.

Colonial Pipeline is the largest pipeline of refined oil products in the U.S. It transports more than 45 percent of all fuel used on the East Coast to more than 50 million people from New York to Texas.

The company, which is based in Alpharetta, Georgia, said May 15 that it returned its service to “normal operations.”

The hack on the company is seen as one of the most significant attacks on critical national infrastructure in U.S. history.

For many people, the image of the oil industry is one of pipes, pumps and greasy black liquid. In truth, the type of modern operation Colonial Pipeline runs is extremely digital.

Pressure sensors, thermostats, valves and pumps are used to monitor and control the flow of diesel, gasoline and jet fuel across thousands of miles of piping.

Colonial even has a high-tech “smart pig” (pipeline inspection gauge) robot that scurries through its pipes checking for anomalies.

All this operational technology is connected to a central system.

And as experts explain, where there is connectivity, there is risk of cyberattack.

Direct attacks on operational technology are rare because these systems are usually better protected and harder to reach, experts say.

So it is more likely that the hackers gained access through the administrative side of the business, the corporate IT network, and that the pipeline was shut down as a precaution to stop the infection from spreading to the operational controls.

Hackers could potentially have been inside Colonial’s IT network for weeks or even months before launching their ransomware attack.
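The risk the experts describe is that a foothold on the corporate network can reach control systems wherever the two are connected. The following added example (not code from the article, Colonial Pipeline or any named vendor) makes that concrete by auditing a firewall rule set for flows from the office network into control-system zones. The zone names, the port-to-protocol mappings and every rule below are constructed for illustration.

```python
"""Flag firewall rules that let corporate IT reach control-system zones directly.

Added illustration, not Colonial Pipeline's configuration: the zone model,
port lists and rules below are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zones ordered like Purdue model levels: a higher number is further from the
# physical process. Traffic that jumps more than one level in a single rule
# bypasses the industrial DMZ that is supposed to broker IT/OT exchange.
ZONE_LEVEL = {
    "corporate_it": 4,
    "industrial_dmz": 3,
    "ot_control": 2,      # SCADA servers, HMIs, engineering workstations
    "field_devices": 1,   # PLCs, RTUs, sensors, valve and pump controllers
}

# Industrial protocols that should never be reachable directly from the office network.
OT_PROTOCOL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm"}

# Remote-administration ports commonly abused to pivot once a foothold exists.
ADMIN_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5900: "VNC"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None means any port
    action: str               # "allow" or "deny"


def audit(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule name, severity, reason) for each allow rule that exposes a lower zone."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src, dst = ZONE_LEVEL.get(r.src_zone), ZONE_LEVEL.get(r.dst_zone)
        if src is None or dst is None:
            findings.append((r.name, "medium", "rule references an unknown zone"))
            continue
        if dst >= src:
            continue  # lateral or upward (OT -> IT) flows are out of scope for this check
        hops = src - dst
        if r.dst_port is None:
            findings.append((r.name, "high", f"any-port allow {r.src_zone} -> {r.dst_zone}"))
        elif r.src_zone == "corporate_it" and r.dst_port in OT_PROTOCOL_PORTS:
            findings.append((r.name, "high",
                             f"{OT_PROTOCOL_PORTS[r.dst_port]} reachable directly from corporate IT"))
        elif hops >= 2 and r.dst_port in ADMIN_PORTS:
            findings.append((r.name, "high",
                             f"{ADMIN_PORTS[r.dst_port]} skips the DMZ ({r.src_zone} -> {r.dst_zone})"))
        elif hops >= 2:
            findings.append((r.name, "medium",
                             f"flow skips an intermediate zone ({r.src_zone} -> {r.dst_zone})"))
    return findings


# Constructed rule set: a sensible baseline plus three rules an attacker on the
# office network could use to reach control systems.
SAMPLE_RULES = [
    Rule("erp-to-historian", "corporate_it", "industrial_dmz", 443, "allow"),
    Rule("historian-to-scada", "industrial_dmz", "ot_control", 502, "allow"),
    Rule("ot-syslog-to-siem", "ot_control", "corporate_it", 514, "allow"),
    Rule("it-admin-rdp-to-hmi", "corporate_it", "ot_control", 3389, "allow"),
    Rule("legacy-any", "corporate_it", "ot_control", None, "allow"),
    Rule("vendor-modbus", "corporate_it", "field_devices", 502, "allow"),
    Rule("default-deny", "corporate_it", "ot_control", None, "deny"),
]

if __name__ == "__main__":
    for name, severity, reason in audit(SAMPLE_RULES):
        print(f"[{severity.upper()}] {name}: {reason}")
```

Run against the constructed rules, the audit passes the brokered ERP-to-historian and historian-to-SCADA flows and the outbound syslog flow, and flags the three rules that let office machines reach control or field devices directly. The same check can be fed a real policy export once the zone mapping is filled in for the site in question.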

(SD-Agencies)

Copyright Shenzhen Press Group; unauthorized reproduction prohibited. Copyright 2010-2020, All Rights Reserved.
Shenzhen Daily E-mail:szdaily@126.com