Three years after it became the catalyst of one of the most prolific cyber attacks of all time, SolarWinds is being called out by the US Securities and Exchange Commission (SEC).
SolarWinds and its chief information security officer (CISO) Timothy G. Brown have been accused of failing to secure its systems and protect its customers, as well as defrauding its investors, violating the antifraud provisions of the US Securities Act of 1933 and the Securities Exchange Act of 1934. However, SolarWinds plans to fight back.
For context, the SolarWinds breach occurred back in 2020 and made headlines worldwide for its sheer magnitude. The threat actors behind the attack, Nobelium, injected malicious code into the company’s Orion platform, a program for managing and monitoring an IT workspace.
Known as SUNBURST malware, the code injected into Orion was a remote-access Trojan, which was rolled out to SolarWinds customers through an update, allowing the hackers to remotely control devices. About 18,000 customer organisations installed the updates unknowingly, with attack victims including US government agencies like the Department of Justice and Homeland Security.
Now, the SEC has said that it believes that SolarWinds should have been able to defend itself against the cyber incident, as it was aware that it had poor cyber security practices in place and then chose to ignore them.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security-minded company,’” said the director of the SEC’s division of enforcement, Gurbir Grewal.
Today we announced charges against SolarWinds Corporation and its chief information security officer for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.
— U.S. Securities and Exchange Commission (@SECGov) October 30, 2023
According to the SEC, a 2018 presentation prepared by a SolarWinds engineer that was shown to Brown highlighted gaps in the company’s remote-access set-up, demonstrating that it wasn’t secure and that a threat actor who exploited the vulnerability could “basically do whatever without us detecting it until it’s too late”.
The SEC also alleged that presentations by Brown himself in 2018 and 2019 said that the company’s state of security was very vulnerable. It also cites an internal document from 2020 that was shared with Brown and others that stated that “the volume of security issues being identified over the last month have [sic] outstripped the capacity of engineering teams to resolve”.
An additional example of the company’s poor cyber security practices made the rounds online when the password for an account that had access to SolarWinds’ update server was found to have been set by an intern to “solarwinds123”. According to password security company Specops, the password was stored on a “private GitHub repository between June 2018 to November 2019”.
The company has also been accused of falsely advertising that it had a secure operating environment and a handle on its cyber security.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” added Grewal.
The SEC has said that this qualifies as defrauding investors as it deprived “investors of accurate material information”.
It also added that the charges will send a message to other businesses, highlighting the importance of informing investors of a poor cyber security posture.
SolarWinds has responded to the accusations, saying that it informed the public from the very beginning.
“How we responded to SUNBURST is exactly what the US government seeks to encourage. So, it is alarming that the Securities and Exchange Commission (SEC) has now filed what we believe is a misguided and improper enforcement action against us,” said SolarWinds chief executive Sudhakar Ramakrishna.
Ramakrishna faced the unfortunate task of inheriting the fallout of the attack, having joined the company just after it occurred.
“When I joined SolarWinds just days after the company learned of SUNBURST, my immediate focus was supporting our customers as we quickly contained, remediated, and eradicated the issue – while helping our customers ensure their environments were secure,” he said.
“We shared information about the incident as it was confirmed.
“The transparency of our response and our ongoing commitment to public-private partnerships has been widely praised in the global IT and security communities.”
He added that the SEC’s charges risk deterring the sharing of information regarding cyber attacks and could encourage cyber experts to back away from the “front lines”.
“The actions we have taken over the last two and a half years motivate us to stay the course and to push back against any efforts that will make our customers and our industry less secure,” added Ramakrishna.
SolarWinds intends to fight the charges.