The U.S. Securities and Exchange Commission (SEC) today charged SolarWinds with defrauding investors by allegedly concealing cybersecurity defense issues before a December 2020 linked to APT29, the Russian Foreign Intelligence Service (SVR) hacking division.
The SEC claims SolarWinds failed to notify investors about cybersecurity risks and poor practices that its Chief Information Security Officer, Timothy G. Brown (also facing legal action from regulatory authorities), knew about. Instead, the company reportedly disclosed only broad and theoretical risks to its investors.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,'” said Gurbir S. Grewal, the head of SEC’s Division of Enforcement.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
The regulator claims that Brown was already aware that attackers that would hack SolarWinds’ systems remotely would be very hard to detect since at least 2018, according to presentations saying that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”
Brown also expressed concerns in June 2020 that attackers could use SolarWinds’ Orion software (which was trojanized by the Russian hackers to breach customers’ systems months later) as a tool in future attacks because the company’s backend systems were not “resilient.”
Two months before the attack, the SEC says that a SolarWinds internal document revealed that the engineering teams were no longer able to keep up with a long list of new security issues that they had to address.
“It is alarming that the Securities and Exchange Commission (SEC) has now filed what we believe is a misguided and improper enforcement action against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages,” said President and Chief Executive Officer Sudhakar Ramakrishna in response to SEC’s charges.
“We made a deliberate choice to speak—candidly and frequently—with the goal of sharing what we learned to help others become more secure. We partnered closely with the government and encouraged other companies to be more open about security by sharing information and best practices.
“The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security.”
Earlier this year, the SEC sent Wells notices related to its inquiry into the 2020 breach to the company and SolarWinds executives, including the CFO and CISO. These notices informed the recipients that SEC staff is advocating for a civil enforcement action against them, alleging violations of U.S. federal securities laws.
The Russian APT29 threat group breached SolarWinds’ internal systems and trojanized the SolarWinds Orion IT administration platform and subsequent builds released between March 2020 and June 2020.
The malicious builds were used to drop the Sunburst backdoor onto the systems of “fewer than 18,000” victims. However, the attackers handpicked a substantially lower number of targets for second-stage exploitation.
SolarWinds says it has more than 300,000 customers worldwide and 96% of Fortune 500 companies, including all top ten U.S. telecom companies, Apple, Google, Amazon, and a long list of govt agencies (such as the U.S. Military, the U.S. Pentagon, the State Department, NASA, NSA, Postal Service, NOAA, the U.S. Department of Justice, and the Office of the President of the United States).
Multiple U.S. govt agencies later confirmed that they were breached, including the Department of State, the Department of Homeland Security (DHS), the Department of the Treasury, the Department of Energy (DOE), the National Telecommunications and Information Administration (NTIA), the National Institutes of Health (NIH) (part of the U.S. Department of Health), and the National Nuclear Security Administration (NNSA).
Update October 30, 18:14 EDT: A SolarWinds spokesperson sent the following statement after the article was published:
We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.