The US Securities and Exchange Commission sued SolarWinds Corp. and Chief Information Security Officer Timothy Brown yesterday, alleging that they concealed security failures that led to a nearly two-yearlong cyberattack known as “Sunburst.” The attack, reportedly carried out by Russian hackers, inserted malicious code into SolarWinds network-management software used by thousands of customers, including US government agencies and private companies.
From the time of its initial public offering in October 2018 until January 2021, SolarWinds and Brown “defrauded SolarWinds’ investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened—and increasing—cybersecurity risks,” the SEC lawsuit said. “SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattack.”
The SEC sued the company and Brown in US District Court for the Southern District of New York. The SEC is seeking disgorgement of “ill-gotten gains,” civil monetary penalties, and a permanent ban on Brown from acting as an officer or director for any company that issues securities.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well-known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security-minded company,'” SEC Division of Enforcement Director Gurbir Grewal said in a press release. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
Firm delivered compromised software to 18,000 customers
The SEC alleged that “SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations.” Brown was SolarWinds’ VP of Security and Architecture and head of its Information Security group between July 2017 and December 2020, and has been the Texas-based company’s CISO since January 2021.
SolarWinds acknowledged in a December 2020 filing with the SEC that it was made aware of a cyberattack that inserted a vulnerability into its Orion monitoring software, a line of products that accounted for 45 percent of the company’s revenue. The attack was ongoing in January 2019 when “threat actors accessed SolarWinds’ systems through the VPN using an unmanaged device,” giving them “broad, undetected access to SolarWinds’ systems,” the SEC lawsuit said. It isn’t known whether the attackers had access before January 2019.
“Using their access, the threat actors inserted malicious code into three software builds for SolarWinds’ Orion products,” the SEC lawsuit said. “SolarWinds then delivered these compromised products to more than 18,000 customers across the globe. The malicious code provided the threat actors with the ability to access the systems of these compromised customers, provided certain other conditions were met, and became known as the Sunburst attack.”
The SEC press release summarizing the lawsuit said that SolarWinds’ SEC filings “misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”