SEC sues SolarWinds for misleading investors before 2020 hack


The U.S. Securities and Exchange Commission (SEC) today charged SolarWinds with defrauding investors by allegedly concealing cybersecurity defense issues before a December 2020 hack linked to APT29, the hacking division of Russia's Foreign Intelligence Service (SVR).

This threat group orchestrated the SolarWinds supply-chain attack, which led to the breach of multiple U.S. federal agencies three years ago.

The SEC claims SolarWinds failed to notify investors about cybersecurity risks and poor practices that its Chief Information Security Officer, Timothy G. Brown (also facing legal action from regulatory authorities), knew about. Instead, the company reportedly disclosed only broad and theoretical risks to its investors.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir S. Grewal, the head of SEC’s Division of Enforcement.

“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”

The regulator claims that, since at least 2018, Brown was already aware that attackers who remotely compromised SolarWinds’ systems would be very hard to detect, pointing to presentations stating that the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”

Brown also expressed concerns in June 2020 that attackers could use SolarWinds’ Orion software (which was trojanized by the Russian hackers to breach customers’ systems months later) as a tool in future attacks because the company’s backend systems were not “resilient.”

Two months before the attack, the SEC says, a SolarWinds internal document revealed that the engineering teams were no longer able to keep up with the long list of new security issues they had to address.

“It is alarming that the Securities and Exchange Commission (SEC) has now filed what we believe is a misguided and improper enforcement action against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages,” said President and Chief Executive Officer Sudhakar Ramakrishna in response to SEC’s charges.

“We made a deliberate choice to speak—candidly and frequently—with the goal of sharing what we learned to help others become more secure. We partnered closely with the government and encouraged other companies to be more open about security by sharing information and best practices.

“The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security.”

The Russian APT29 threat group breached SolarWinds’ internal systems and trojanized the SolarWinds Orion IT administration platform and subsequent builds released between March 2020 and June 2020.

The malicious builds were used to drop the Sunburst backdoor onto the systems of “fewer than 18,000” victims. However, the attackers handpicked a substantially lower number of targets for second-stage exploitation.

SolarWinds says it has more than 300,000 customers worldwide, including 96% of Fortune 500 companies, all top ten U.S. telecom companies, Apple, Google, Amazon, and a long list of government agencies (such as the U.S. Military, the U.S. Pentagon, the State Department, NASA, NSA, the Postal Service, NOAA, the U.S. Department of Justice, and the Office of the President of the United States).

Multiple U.S. government agencies later confirmed that they were breached, including the Department of State, the Department of Homeland Security (DHS), the Department of the Treasury, the Department of Energy (DOE), the National Telecommunications and Information Administration (NTIA), the National Institutes of Health (NIH) (part of the U.S. Department of Health), and the National Nuclear Security Administration (NNSA).



Source link