This article is more than 1 year old

SolarWinds’ shares drop 22 per cent. But what’s this? $286m in stock sales just before hack announced?

VC firms say they weren't aware Orion code had been backdoored

Two Silicon Valley VC firms, Silver Lake and Thoma Bravo, sold hundreds of millions of dollars in SolarWinds shares just days before the software biz emerged at the center of a massive hacking campaign.

Silver Lake and Thoma Bravo deny anything untoward.

The two firms owned 70 per cent of SolarWinds, which produces networking monitoring software that was backdoored by what is thought to be state-sponsored Russian spies. This tainted code was installed by thousands of SolarWinds customers including key departments of the US government that were subsequently hacked via the hidden remote access hole.

News of the role SolarWinds' hijacked Orion software played in the hacking spree emerged at the weekend, and on Monday the developer's share price plummeted more than 20 per cent. It is currently down 22 per cent.


SolarWinds: Hey, only as many as 18,000 customers installed backdoored software linked to US govt hacks


However, around a week before, Silver Lake sold $158m of SolarWinds' shares and Thoma Bravo sold $128m, according to the Washington Post. The two outfits have six seats on SolarWinds' board, meaning they will have access to confidential internal information before it is made public. It’s not clear when SolarWinds became aware that its Orion build system had been compromised to include the aforementioned backdoor.

Infosec giant FireEye announced on Tuesday, December 8 that its systems had been hacked and its penetration tools exfiltrated. On Friday, December 11, as part of an investigation into that intrusion, FireEye started letting it be known that SolarWinds' updates had been tampered with. It's not clear how closely linked the network compromises at FireEye and SolarWinds are. However, the Orion maker almost certainly knew about the tampering some time before making its public statements confirming the malicious alterations, and it has been established that the hackers had manipulated the software roughly nine months earlier in the spring to include the backdoor.

We asked FireEye when precisely it told SolarWinds its Orion updates had been trojanized, and a representative told us: “I’m not able to address the timeline of events.”


There is a plausible explanation for all this: the VCs shed their stock-holdings on the same day SolarWinds' long-standing CEO resigned.

The software house announced in August that Kevin Thompson would leave the company though it didn’t give a date. Thompson reportedly quit on Monday, December 7 – news that was not made public – and a new CEO was formally announced two days later, on December 9, the day after FireEye went public on December 8 with details of the intrusion into its own systems.

In a joint statement supplied to the Washington Post, Silver Lake and Thoma Bravo said the stock sales were a “private placement” with an institutional investor, and that they “were not aware of this potential cyberattack at SolarWinds” before they agreed to the deal.


There is almost certain to be an outside, independent probe into what happened, what went wrong, and what can be done to prevent future hacks of this nature. In fact, a group of bipartisan US senators have already written [PDF] to the FBI and Uncle Sam's cybersecurity agency CISA over the “alarming” hack via SolarWinds’ software, and have asked for more information.

If America's securities watchdog, the SEC, launches an investigation in the massive share sales that occurred just days before this became public, we are likely to find out sooner or later what the true timeline was around the network intrusions. For now, however, everyone is remaining tight-lipped. Spokespeople for Silver Lake, Thoma Bravo, and SolarWinds were not available for immediate comment. ®

More about


Send us news

Other stories you might like