“Wait, I thought Colonial Pipeline didn’t pay the ransom,” you’re thinking. I thought so too.
It seems we’ve been lied to.
What I want to know now is what role the feds had in facilitating the ransom payment. Did they oppose it, only to have Colonial insist on going ahead with it? Or did Team Biden encourage them to pay the danegeld knowing how that would incentivize other ransomware attacks?
Someone’s in favor of bribing cyberterrorists. Maybe it’s Colonial’s management, maybe it’s the White House, maybe both. Let’s find out who.
Joe Biden smirks and says "no comment" on if Colonial paid hackers ransom for the pipeline attack, and if he was briefed. pic.twitter.com/iLAxBuMv6d
— Tommy Pigott (@TommyPigott) May 13, 2021
Last night CNN published an elaborate tale alleging that Colonial had managed to thwart the DarkSide hackers without paying them off by somehow restoring their stolen data from backups, “by leveraging the attackers’ use of intermediary servers within the United States to store the stolen information.” Where did that account come from? Because according to Bloomberg, what really happened was quite different:
Colonial Pipeline Co. paid nearly $5 million to Eastern European hackers on Friday, contradicting reports earlier this week that the company had no intention of paying an extortion fee to help restore the country’s largest fuel pipeline, according to two people familiar with the transaction. The company paid the hefty ransom in difficult-to-trace cryptocurrency within hours after the attack, underscoring the immense pressure faced by the Georgia-based operator to get gasoline and jet fuel flowing again to major cities along the Eastern Seaboard, those people said. A third person familiar with the situation said U.S. government officials are aware that Colonial made the payment.
Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said…
“They had to pay,” said Ondrej Krehel, chief executive officer and founder of digital forensics firm LIFARS and a former cyber expert at Loews Corp., which owns Boardwalk Pipeline. “This is a cyber cancer. You want to die or you want to live? It’s not a situation where you can wait.”
Note the timeline, “within hours after the attack.” That helps explain this curious White House response on Monday to a question about whether the company should pay the ransom or not:
Biden White House: It’s a “private sector decision” as to whether a ransom will be paid to bring the Colonial Pipeline back online pic.twitter.com/6p59SDYgdS
— Tom Elliott (@tomselliott) May 10, 2021
Normally you’d expect the government to be in muscle-flexing mode at a moment like that and boast that they don’t negotiate with terrorists. Instead they punted the matter to Colonial, meekly insisting that this was a “private sector matter” even though the company’s pipeline supplies nearly half of the east coast’s oil. A major blow to America’s energy infrastructure is an act of war, not a “private sector matter.”
But maybe Colonial had already paid up at that point and Team Biden was stuck messaging that reality. Or maybe Biden’s staff encouraged Colonial to pay, believing that a protracted energy crisis at a moment when inflation is rising and job growth is more sluggish than expected would be a bad political narrative for the White House out of the gate.
I mean, it’s not like Joe Biden is above throwing money at terrorists to buy their goodwill:
In the weeks immediately after the Sept. 11 attacks, Biden — known for a lack of verbal discipline — suggested to aides, in comments captured by The New Republic, that maybe America should make a grand gesture of sorts to a region often suspicious of its motives. “Seems to me this would be a good time to send, no strings attached, a check for $200 million to Iran,” Biden is quoted as saying. (The offhand suggestion did not go over well with his staffers, one of whom responded: “I think they’d send it back.”)
Was it a good time to send $5 million to the DarkSide hackers too? “What’s amazing about the Colonial Pipeline story is that it was a gas shortage, terrorist attack, and kind of hostage crisis all at once — a Jimmy Carter trifecta,” tweeted Mark Hemingway.
Another odd detail from today’s presser was Biden going out of his way to say that the FBI doesn’t believe the Russian government was involved in the ransomware attack — although the attackers are based in Russia and therefore within Putin’s grasp:
Biden says the White House doesn't believe the Russian government was involved in the Colonial Pipeline attack, but the attackers are based in Russia pic.twitter.com/YGhYCD9Dlq
— Aaron Rupar (@atrupar) May 13, 2021
Tom Rogan wonders why Biden allowed Colonial to pay when he could have just phoned Putin and made threats:
The Colonial Pipeline ransomware attack, which significantly disrupted energy supplies to the East Coast and led to panicked hoarding, was conducted by hackers with links to Putin’s intelligence apparatus. As I explained earlier this week, Putin knows that the U.S. knows this. That understanding might explain why DarkSide released a statement earlier this week saying that it only wanted money and had no intention of causing public disruption.
Put simply, the Russians might have, and certainly should have, feared U.S. retaliation against their own energy infrastructure. That’s what Biden should have put on the table. He should have called Putin and said, “Tell Sergei Korolyov to tell his boys to unlock Colonial Pipeline. Do it now. Or get ready for a blackout in Moscow and St. Petersburg.”
A curious detail in all of this is that the hackers apologized a few days ago for the gas disruptions on the east coast, apparently after they’d been paid. That’s a strange thing to do given that it was the temporary energy crisis created by the hack that put pressure on Colonial to pay them in the first place. I can’t make heads or tails of that. Maybe Putin’s agents, whether or not at the behest of the U.S., told the hackers that they’d gone too far in threatening America’s oil supply and had to show remorse in order to avert U.S. retaliation against Russia.
But in that case, where’s the $5 million Colonial paid? Are they going to get that money back?
Whatever the truth, it looks like Colonial ended up with the worst possible outcome. It’s one thing to refuse to pay and accept the consequences; it’s another thing to pay *quietly* and then lie about why your operations managed to resume so quickly. But to pay and then have that fact leak is a neon sign inviting other ransomware hackers to shake you down. No wonder Biden is scrambling to improve America’s cyberdefenses.