Colonial Pipeline paid a $ 5 million ransom the day after the hack, the CEO instructed the Senate

Joseph Blount, JR., President and Chief Executive Officer of Colonial Pipeline, is sworn in while attending a hearing to investigate threats to critical infrastructure.

Andrew Caballero-Reynolds | Reuters

WASHINGTON – Colonial Pipeline’s CEO told a Senate committee Tuesday that the company paid the $ 5 million ransom money and crippled fuel shipments along the east coast one day after cybercriminals from Russia hacked its IT network.

Joseph Blount Jr. made prepared notes to the Senate Homeland Security and Government Affairs Committee that the company learned of the attack shortly before 5:00 a.m. on May 7 when an employee discovered a ransom note on a system on the IT network.

The note states that hackers “exfiltrated” material from the company’s shared internal drive and charged approximately $ 5 million in exchange for the files.

The company was attacked by a ransomware program developed by DarkSide, a group of cyber criminals believed to be operating out of Russia.

Blount said that shortly after the ransom note was discovered, the employee notified a manager and a decision was made to close the entire pipeline immediately.

“At around 5:55 am, employees began shutting down,” wrote Blount. “At 6:10 am they confirmed that all 5,500 miles of pipelines had been shut down.”

The decision to close the entire pipeline was driven by “the need to isolate and contain the attack to ensure the malware does not spread to the Operational Technology network that controls our pipeline operations, if it isn’t already happened. “

The shutdown caused significant disruption to gas delivery along the east coast as trucks struggled to refill gas stations and long lines at pumps, especially in the southeast. Flight operations were also interrupted.

Blount’s testimony revealed how quickly the company decided to cease operations and provided new details on the first few days after the attack.

The company believes attackers “exploited an older virtual private network profile that shouldn’t be used,” Blount told Senators.

However, he admitted that the account was not protected by the multifactor authentication that is currently the company standard in most operations. However, Blount said the password was complicated. “It wasn’t a ‘Colonial 123’ password.”

Blount also testified about the roughly $ 5 million ransom that the company paid to the DarkSide hackers. He revealed that Colonial Pipeline paid the ransom the day after the attack.

“I decided that Colonial Pipeline would pay the ransom to give us every tool we need to get the pipeline up and running quickly,” said Blount in his opening address. “It was one of the toughest decisions I had to make in my life.”

“At the time, I kept this information very well because we were concerned about operational security and minimizing public exposure to the threat actor,” he said.

When asked if the company paid ransom under U.S. sanctions, Blount said the company checked the sanctions list maintained by the Office of Foreign Asset Control before paying.

The day before Blount’s testimony, US law enforcement officials announced they were able to get back $ 2.3 million worth of bitcoins from the hacking group.

Blount also told the senators that the company contacted the FBI within hours of discovering the attack.

This story will be updated during the Senate hearing.