SEC sues SolarWinds for misleading investors before 2020 hack


The U.S. Securities and Exchange Commission (SEC) has charged SolarWinds with defrauding investors by allegedly concealing cybersecurity defense issues before a December 2020 hack linked to APT29, the Russian Foreign Intelligence Service (SVR) hacking division.

This threat group orchestrated the SolarWinds supply-chain attack, which led to the breach of multiple U.S. federal agencies three years ago.

The SEC claims SolarWinds failed to notify investors about cybersecurity risks and poor practices that its Chief Information Security Officer, Timothy G. Brown (also facing legal action from regulatory authorities), knew about. Instead, the company reportedly disclosed only broad and theoretical risks to its investors.

"We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds' cyber risks, which were well known throughout the company and led one of Brown's subordinates to conclude: 'We're so far from being a security minded company,'" said Gurbir S. Grewal, the head of SEC's Division of Enforcement.

"Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company's cyber controls environment, thereby depriving investors of accurate material information."

The regulator claims that Brown had been aware since at least 2018 that attackers who hacked SolarWinds' systems remotely would be very difficult to detect, according to presentations saying that the "current state of security leaves us in a very vulnerable state for our critical assets" and that "[a]ccess and privilege to critical systems/data is inappropriate."

Brown also expressed concerns in June 2020 that attackers could use SolarWinds' Orion software (which was trojanized by the Russian hackers to breach customers' systems months later) as a tool in future attacks because the company's backend systems were not "resilient."

Two months before the attack, the SEC says, a SolarWinds internal document revealed that the engineering teams were no longer able to keep up with a long list of new security issues that they had to address.

"It is alarming that the Securities and Exchange Commission (SEC) has now filed what we believe is a misguided and improper enforcement action against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages," said President and Chief Executive Officer Sudhakar Ramakrishna in response to SEC's charges.

"We made a deliberate choice to speak—candidly and frequently—with the goal of sharing what we learned to help others become more secure. We collaborated closely with the government and encouraged other companies to be more open about security by sharing information and best practices.

"The SEC's charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security."

The Russian APT29 threat group breached SolarWinds' internal systems and trojanized the SolarWinds Orion IT management platform and subsequent builds released between March 2020 and June 2020.

The malicious builds were used to drop the Sunburst backdoor onto the systems of "fewer than 18,000" victims. However, the attackers handpicked a substantially lower number of targets for second-stage exploitation.

SolarWinds says it has more than 300,000 customers worldwide, including 96% of Fortune 500 companies, all top 10 U.S. telecom companies, Apple, Google, Amazon, and a long list of government agencies (such as the U.S. Military, the U.S. Pentagon, the State Department, NASA, NSA, Postal Service, NOAA, the U.S. Department of Justice, and the Office of the President of the United States).

Multiple U.S. government agencies later confirmed that they were breached, including the Department of State, the Department of Homeland Security (DHS), the Department of the Treasury, the Department of Energy (DOE), the National Telecommunications and Information Administration (NTIA), the National Institutes of Health (NIH) (part of the U.S. Department of Health), and the National Nuclear Security Administration (NNSA).