SolarWinds charged after SEC says biz knew IT was leaky ahead of SUNBURST attack
Developer labels action 'unfounded' after company and CISO slapped with suit for misleading investors
SolarWinds and its chief infosec officer have been charged with fraud by America's financial watchdog, which alleges the software maker knew its security was in a poor state ahead of the SUNBURST supply chain attack.
In a Monday announcement the SEC alleged SolarWinds and CISO Timothy G. Brown “defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.”
The civil complaint [PDF] alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement of the SUNBURST cyberattack, SolarWinds’s regulatory filings “allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”
The SEC announcement cites a 2018 corporate presentation that was shared internally, including with Brown, and which described SolarWinds’ remote access setup as “not very secure.”
That is something of an understatement, as the presentation went on to say an attacker who gained access to the remote access system “can basically do whatever without us detecting it until it’s too late.”
Brown himself is alleged to have delivered presentations in 2018 and 2019 that stated the “current state of security leaves us in a very vulnerable state for our critical assets,” adding “[a]ccess and privilege to critical systems/data is inappropriate.”
Those dark forecasts were horribly prescient, as in 2020 it was revealed that SolarWinds’ Orion network monitoring tool had been secretly backdoored in a supply chain attack. Among the 18,000 orgs that downloaded the poisoned package were Microsoft and the US Department of Energy's National Nuclear Security Administration.
SolarWinds later published the results of a probe into the incident and suggested fewer than 100 Orion customers were attacked.
But that’s a misleading metric, as all users were exposed to additional risk and incurred the cost and hassle of remediating Orion.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company’,” said Gurbir S. Grewal, director of the SEC’s Division of Enforcement. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” he added.
The SEC has therefore framed its suit as addressing two issues: misinformation to investors, and the need for listed entities to get their infosec house in order.
The suit won’t be a surprise to SolarWinds, which in November 2022 settled with shareholders and advised it had received SEC notices indicating future regulatory action.
SolarWinds sent The Register the following statement.
We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.
Mr Brown's counsel sent us the following statement.
Tim Brown performed his responsibilities at SolarWinds as Vice President of Information Security and later as Chief Information Security Officer with diligence, integrity, and distinction. Mr. Brown has worked tirelessly and responsibly to continuously improve the Company's cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC's complaint.