- Colonial Pipeline paid a $4.4 million ransom to a cybercrime group on May 8 amid a gas crisis.
- That same day, federal agencies worked to cut off the criminals' access to the company’s stolen data.
- Congress plans to question Colonial in two weeks about the payment and communication with agencies.
On the same day that Colonial Pipeline handed over $4.4 million in ransom to the criminal group DarkSide, federal cybersecurity agencies, alongside private specialists, were fervently working to defend the company, people familiar with the response told Insider.
It’s unclear who, if anyone, in the federal government knew about the payment at the time. Some crime fighters were shocked and dismayed to learn about it, sources close to the effort said. One top federal cybersecurity official said five days after the payment that he didn’t know whether a ransom had been paid.
That disconnect has become a key focus of the US government’s struggle against the rampant cybercrime of ransomware, sources said, and Congress plans to question the company about it all — and the national gas crisis the incident caused — on June 9.
High-profile cyberattacks have grabbed headlines and national attention over the past six months, but none hit the daily lives of Americans like the ransomware attack on Colonial Pipeline that snarled gas lines earlier this month, when the attack forced the shutdown of the 5,000-mile East Coast pipeline.
The company’s payment — and the hot seat awaiting its CEO before the House Committee on Homeland Security — forces the nation to confront a question of fundamental national integrity, experts said: Does America negotiate with criminals?
“It does set a precedent. It was a very, very public incident,” Jonathan Welburn, a researcher at the RAND Corporation who studied the attack, said of Colonial’s payment to the criminals. “For society, it was the wrong decision.”
And making that decision quickly may come back to haunt the company when the time comes to testify — especially since experts said paying the ransom didn’t help the company much.
“Colonial’s hasty decision sets a dangerous precedent and puts an even bigger target on the back of critical infrastructure,” said Rep. Carolyn Maloney, a New York Democrat.
Colonial Pipeline would not comment on which public officials it told of the payment or when. It said in a statement that the company called the FBI as soon as it learned that it was facing an attack. The company added, “We and the FBI then began alerting other relevant federal agencies. We continue to cooperate and assist the federal government.”
The timeline of events raises questions for Colonial Pipeline
The events that caused the crisis began on May 6, when cybercriminals in the DarkSide ransomware group, believed to be based in Russia, quietly siphoned off 90 gigabytes of company data from Colonial Pipeline, research from the company SecurityScorecard found. The privately held, Georgia-based company, with more than $3 billion in assets, said it supplies 45% of the East Coast’s gas supply.
Criminals could have used this data to extort Colonial Pipeline by threatening to publish confidential information from the private company, which has been at the center of gas spills and other environmental issues, SecurityScorecard reported.
The next day, May 7, the company said it found a ransom note on a control-room computer, The Wall Street Journal reported.
On May 8, the FBI and National Security Council were on the case, working with companies FireEye and DigitalOcean. It was then that they discovered the server where the criminals had stashed the stolen data, sources confirmed to Insider, as originally reported by Bloomberg and The Washington Post.
The cybercrime fighters shut down the server, sources with knowledge of the operation said, and this should have been their victory. It was exactly the kind of cooperation between the government and the private sector that ransomware experts tout as an effective way to fight such attacks.
Yet, May 8 was the same day that Colonial Pipeline paid the criminals $4.4 million in cryptocurrency, cryptocurrency transaction records from the company Elliptic showed.
On May 13, Brandon Wales, the acting chief of the federal Cybersecurity and Infrastructure Security Agency, told reporters that he had “no knowledge of whether a ransom was paid, how much was paid, if it was paid, when it was paid.”
That same day, The Wall Street Journal published an interview with Joseph Blount, the CEO of Colonial Pipeline, in which he said he had already decided to pay on May 7, the day he learned of the attack, because it was “the right thing to do for the country.” The payment came the following day, per the transaction records.
Colonial Pipeline said in a statement after the attack: “A decision was quickly made to take our entire system offline. We needed to do everything in our power to restart the system quickly and safely. The decision was made to pay the ransom. This decision was not made lightly, however, one that had to be made.”
The FBI, Department of Energy, CISA, and National Security Council declined to disclose when they learned of the payment. Sources close to the agencies said federal officials were not involved in the payment to the criminals.
Experts say Colonial Pipeline’s $4.4 million ransom wasn’t even money well spent
“It is deeply disappointing that Colonial Pipeline still has not answered questions from Congress about its multimillion-dollar ransomware payments to cybercriminal groups in Eastern Europe, despite discussing these payments in the press,” Maloney said.
And many experts said it wasn’t even $4.4 million well spent.
Allan Liska, a ransomware expert who worked on a three-month project to develop government and industry cooperation, said both the “lack of coordination” and the ransom payment itself showed “a sense of panic among leadership at Colonial Pipeline and how a sense of panic during the initial incident response can lead to mistakes.”
Brett Callow, a cybersecurity researcher at the firm Emsisoft, which specializes in ransomware, said, “In hindsight, they seemingly got nothing for the payment.”
Specifically, the criminals gave Colonial a decryptor — a tool that reverses the ransomware’s encryption so a company can regain access to its files and systems. But that tool was so slow that the company had to rely partly on backups to restore its systems, Bloomberg reported. Emsisoft tested DarkSide’s decryptor and found that it took more than twice as long to unlock data as a universal tool that is used for recovering from many types of ransomware.
Agencies urge companies not to pay ransom
CISA urged companies not to pay criminals, saying, “Paying a ransom may embolden adversaries.” It also said payment doesn’t guarantee that the victim’s data will be returned. Other agencies, including the FBI and National Security Council, also urged victims not to pay.
But federal officials were also sympathetic to the plight of ransomware victims. Officials said that ultimately to pay or not was the victims’ decision. “Colonial is a private company and we’ll defer information regarding their decision on paying a ransom to them,” Anne Neuberger, the deputy national security advisor, told reporters last week.
Meanwhile, federal authorities are looking to tighten regulation in response to the Colonial Pipeline attack. On Tuesday, The Washington Post reported that the Transportation Security Administration plans to require pipeline companies to report cyberattacks to federal authorities, with more TSA regulatory measures in the works.