SEC v. SolarWinds

SEC sues SolarWinds and CISO, says they ignored flaws that led to major hack

SolarWinds misled public about security while hackers accessed network, SEC says.

Jon Brodkin
Credit: Getty Images | Sean Gladwell

The US Securities and Exchange Commission sued SolarWinds Corp. and Chief Information Security Officer Timothy Brown yesterday, alleging that they concealed security failures that led to a nearly two-year-long cyberattack known as “Sunburst.” The attack, reportedly carried out by Russian hackers, inserted malicious code into SolarWinds network-management software used by thousands of customers, including US government agencies and private companies.

From the time of its initial public offering in October 2018 until January 2021, SolarWinds and Brown “defrauded SolarWinds’ investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened—and increasing—cybersecurity risks,” the SEC lawsuit said. “SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattack.”

The SEC sued the company and Brown in US District Court for the Southern District of New York. The SEC is seeking disgorgement of “ill-gotten gains,” civil monetary penalties, and a permanent ban on Brown from acting as an officer or director for any company that issues securities.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well-known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security-minded company,’” SEC Division of Enforcement Director Gurbir Grewal said in a press release. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

Firm delivered compromised software to 18,000 customers

The SEC alleged that “SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations.” Brown was SolarWinds’ VP of Security and Architecture and head of its Information Security group between July 2017 and December 2020, and has been the Texas-based company’s CISO since January 2021.

SolarWinds acknowledged in a December 2020 filing with the SEC that it was made aware of a cyberattack that inserted malicious code (described in the filing as a “vulnerability”) into its Orion monitoring software, a line of products that accounted for 45 percent of the company’s revenue. The attackers were already inside the company in January 2019, when “threat actors accessed SolarWinds’ systems through the VPN using an unmanaged device,” giving them “broad, undetected access to SolarWinds’ systems,” the SEC lawsuit said. It isn’t known whether the attackers had access before January 2019.

“Using their access, the threat actors inserted malicious code into three software builds for SolarWinds’ Orion products,” the SEC lawsuit said. “SolarWinds then delivered these compromised products to more than 18,000 customers across the globe. The malicious code provided the threat actors with the ability to access the systems of these compromised customers, provided certain other conditions were met, and became known as the Sunburst attack.”

The SEC press release summarizing the lawsuit said that SolarWinds’ SEC filings “misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”

Attackers can “do whatever without us detecting it”

The company’s public statements were allegedly contradicted by Brown’s internal presentations. “Illustratively, in October 2018, the same month that SolarWinds conducted its Initial Public Offering through a registration statement with only generic and hypothetical cybersecurity risk disclosures, Brown wrote in an internal presentation that SolarWinds’ ‘current state of security leaves us in a very vulnerable state for our critical assets,’” the lawsuit said.

An August 2019 quarterly review also prepared by Brown similarly acknowledged that “[a]ccess and privilege to critical systems/data is inappropriate,” according to the SEC.

A June 2018 presentation by a SolarWinds network engineer “identified a ‘security gap’ relating to SolarWinds’ remote access virtual private network, which allowed access from devices not managed by SolarWinds,” the SEC alleged. The engineer “warned that this setup was ‘not very secure’ and later explained that someone exploiting the vulnerability ‘can basically do whatever without us detecting it until it’s too late,’ which could lead to a ‘major reputation and financial loss’ for SolarWinds,” the lawsuit said.

Even the December 2020 disclosure was misleading, the SEC said. “The Form 8-K was drafted by a group of executives, including Brown, and signed by SolarWinds’ CEO,” the lawsuit said. “That Form 8-K was materially misleading in several respects, including its failure to disclose that the vulnerability at issue had been actively exploited against SolarWinds’ customers multiple times over at least a six-month period in the incidents involving” a US government agency and two cybersecurity firms.

SolarWinds responded to the lawsuit in a statement provided to Ars. “We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk,” the company said. “The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”

Brown’s lawyer, Alec Koch, provided Ars with a statement on his client’s behalf. “Mr. Brown has worked tirelessly and responsibly to continuously improve the company’s cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint,” the statement said.


Jon Brodkin Senior IT Reporter
Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.