SolarWinds’ shares drop 22 per cent. But what’s this? $286m in stock sales just before hack announced?

VC firms say they weren't aware Orion code had been backdoored

Two Silicon Valley VC firms, Silver Lake and Thoma Bravo, sold hundreds of millions of dollars in SolarWinds shares just days before the software biz emerged at the center of a massive hacking campaign.

Silver Lake and Thoma Bravo deny anything untoward.

The two firms owned 70 per cent of SolarWinds, which produces networking monitoring software that was backdoored by what is thought to be state-sponsored Russian spies. This tainted code was installed by thousands of SolarWinds customers including key departments of the US government that were subsequently hacked via the hidden remote access hole.

News of the role SolarWinds' hijacked Orion software played in the hacking spree emerged at the weekend, and on Monday the developer's share price plummeted more than 20 per cent. It is currently down 22 per cent.


SolarWinds: Hey, only as many as 18,000 customers installed backdoored software linked to US govt hacks


However, around a week before, Silver Lake sold $158m of SolarWinds' shares and Thoma Bravo sold $128m, according to the Washington Post. The two outfits have six seats on SolarWinds' board, meaning they will have access to confidential internal information before it is made public. It’s not clear when SolarWinds became aware that its Orion build system had been compromised to include the aforementioned backdoor.

Infosec giant FireEye announced on Tuesday, December 8 that its systems had been hacked and its penetration tools exfiltrated. On Friday, December 11, as part of an investigation into that intrusion, FireEye started letting it be known that SolarWinds' updates had been tampered with. It's not clear how closely linked the network compromises at FireEye and SolarWinds are. However, the Orion maker almost certainly knew about the tampering some time before making its public statements confirming the malicious alterations, and it has been established that the hackers had manipulated the software roughly nine months earlier in the spring to include the backdoor.

We asked FireEye when precisely it told SolarWinds its Orion updates had been trojanized, and a representative told us: “I’m not able to address the timeline of events.”


There is a plausible explanation for all this: the VCs shed their stock-holdings on the same day SolarWinds' long-standing CEO resigned.

The software house announced in August that Kevin Thompson would leave the company though it didn’t give a date. Thompson reportedly quit on Monday, December 7 – news that was not made public – and a new CEO was formally announced two days later, on December 9, the day after FireEye went public on December 8 with details of the intrusion into its own systems.

In a joint statement supplied to the Washington Post, Silver Lake and Thoma Bravo said the stock sales were a “private placement” with an institutional investor, and that they “were not aware of this potential cyberattack at SolarWinds” before they agreed to the deal.


There is almost certain to be an outside, independent probe into what happened, what went wrong, and what can be done to prevent future hacks of this nature. In fact, a group of bipartisan US senators have already written [PDF] to the FBI and Uncle Sam's cybersecurity agency CISA over the “alarming” hack via SolarWinds’ software, and have asked for more information.

If America's securities watchdog, the SEC, launches an investigation in the massive share sales that occurred just days before this became public, we are likely to find out sooner or later what the true timeline was around the network intrusions. For now, however, everyone is remaining tight-lipped. Spokespeople for Silver Lake, Thoma Bravo, and SolarWinds were not available for immediate comment. ®

Similar topics

Other stories you might like

  • IPSE: More than a third of freelancers have quit contracting since IR35 reforms

    Exodus, movement of the people... to the Middle East or elsewhere

    More than a third (35 per cent) of contractors in the UK have become permanent employees, retired, shifted to work overseas or are "simply not working" since IR35 tax legislation was revised earlier this year.

    This is according to the Association of Independent Professionals (IPSE) which found 35 per cent fewer freelancers among those it surveyed since 6 April when the government pushed through the delayed reform.

    "This research shows the devastating impact the changes to IR35 have had on contractors, needlessly compounding the financial damage of the pandemic," said Andy Chamberlain, director of policy at IPSE. "Now, just when contractors are needed the most - amid mounting labour shortages across the UK and particularly in haulage - government decisions have drive out a third of the sector."

    Continue reading
  • New Relic guzzles down CodeStream to help devs jump straight from app error telemetry to offending code

    'I can debug production from the IDE,' said CS boss Peter Pezaris

    Observability company New Relic has acquired CodeStream, specialists in developer collaboration, with the aim being to connect observability data with code in the development environment.

    CodeStream, founded in 2017 by Peter Pezaris, adds instant developer communication to coding environments. For example, a developer puzzling over some code written by a colleague can click next to that code, type a message to the other dev, and they will receive it either in the IDE if they happen to be working on the same project, or in a messaging tool such as Slack, complete with a reference to the code in question. They reply, and a discussion begins.

    Although it may seem a small thing, given that they could just use Slack (or any number of other messaging services) directly, the context and convenience makes it a worthwhile collaboration tool. CodeStream also integrates with pull requests from GitHub, GitLab, BitBucket, and issue management from Jira, Trello and others.

    Continue reading
  • Analogue tones of a ZX Spectrum Load set to ride again via podcast project

    Remember the R Tape Loading Error?

    The glory days of audio-cassette loading are set to return in the coming weeks, with retro fans to be treated to a broadcast for them to hit Play and Record to.

    Audio cassettes were the medium of choice for software back when Sinclair and Commodore's 8-bit hardware ruled the roost. The floppy disk seemed impossibly glamorous for the average home computer user and code was instead delivered via audio.

    While the sound of those files was unintelligible for most, for some enthusiasts it was possible to discern the type of data being loaded. Right up until the all-too-common R Tape Loading Error (which usually seemed to come right at the end of a lengthy period staring at a loading screen).

    Continue reading

Biting the hand that feeds IT © 1998–2021