The U.S. Securities and Exchange Commission (SEC) has charged SolarWinds and its Chief Information Security Officer (CISO), Timothy G. Brown, over alleged fraud and internal control failures related to known cybersecurity risks.
On November 1, 2023, the SEC disclosed that Russian threat actors exploited SolarWinds software during the MOVEit 2020 cyberattack, gaining access to over 600,000 email addresses from the U.S. Department of Justice and the Pentagon.
The SEC’s investigation revealed that the hack on the organization began in September 2021 due to the company’s failure to disclose its exposure to the “SolarWinds Attack”.
From the time of the Initial Public Offering (IPO) in October 2018 to the public notification of being targeted by SUNBURST hackers in December 2020, Brown and SolarWinds are accused of misleading their investors by overstating their cyber and information security practices and concealing known threats.
SEC ACCUSED BROWN AND SOLARWINDS OF INCOMPLETE DISCLOSURE:
The SEC argued that Brown and SolarWinds only disclosed general risks affecting the organization, while ignoring specific security weaknesses in their cybersecurity measures. Internal communications between the organization’s employees and Brown in 2019 and 2020 raised questions about the organization’s ability to protect its critical infrastructure and assets, including its flagship Orion software, from a cyber-breach.
According to SEC filings, Brown was aware of these security risks but failed to implement security measures or escalate them within the organization. The SEC also accuses SolarWinds of incomplete disclosure about the SUNBURST attack in its “Form 8-K” filing in December 2020.
This negligence resulted in a drop in the company’s stock price. Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, criticized SolarWinds and Brown for ignoring red flags about their cyber risks for years and misrepresenting the company’s cyber controls environment.
In response, SolarWinds denied these allegations, warning that such accusations could jeopardize national security. They also accused the SEC of overstepping its bounds. SolarWinds has committed to contesting these accusations in court and continues to honor its ‘Secure by Design’ goal to ensure customer safety.
The SolarWinds attack traces back to late 2020 when threat actors inserted malicious code into the organization’s Orion platform, creating a backdoor. This further enabled the threat actors to infiltrate U.S. federal agencies and thousands of private companies’ systems. Reports from Russia’s SVR and foreign intelligence services attribute the SolarWinds hack to APT29 (a.k.a. Cozy Bear).