US regulators sue SolarWinds and its chief information security officer after the high profile cyberattack by Russian hackers
SolarWinds Corp and a senior executive are being sued by US regulators, after its software was breached in a massive 2020 Russian cyberespionage campaign.
The US Securities and Exchange Commission (SEC) has announced “charges against Austin, Texas-based software company SolarWinds Corporation and its chief information security officer, Timothy G. Brown, for fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.”
It comes after Russian hackers used software from SolarWinds to breach 632,000 Department of Justice and Pentagon email addresses as part of the MOVEit cyberattack.
In September 2021 the Securities and Exchange Commission had begun a large-scale probe into the effects of the SolarWinds hack.
The SEC probe was prompted by the reluctance of some publicly traded companies to explain their SolarWinds exposure.
Now two years later the SEC complaint alleges that, from its IPO in October 2018, through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed “SUNBURST,” SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.
In its filings, the SEC said “SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”
In addition, the SEC’s complaint alleges that multiple communications among SolarWinds employees, including Brown, throughout 2019 and 2020 questioned the company’s ability to protect its critical assets from cyberattacks.
For example, according to the SEC’s complaint, in June 2020, while investigating a cyberattack on a SolarWinds customer, Brown wrote that it was “very concerning” that the attacker may have been looking to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient;” and a September 2020 internal document shared with Brown and others stated, “the volume of security issues being identified over the last month have [sic] outstripped the capacity of Engineering teams to resolve.”
The SEC’s complaint alleges that Brown was aware of SolarWinds’ cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company.
As a result of these lapses, the company allegedly also could not provide reasonable assurances that its most valuable assets, including its flagship Orion product, were adequately protected.
The SEC also alleged that SolarWinds made an incomplete disclosure about the SUNBURST attack in a 14 December 2020, Form 8-K filing, following which its stock price dropped approximately 25 percent over the next two days and approximately 35 percent by the end of the month.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir S. Grewal, Director of the SEC’s Division of Enforcement.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” said Grewal.
“Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
The SEC’s complaint was filed in the Southern District of New York.
Matter of time?
The SEC lawsuit against Solarwinds prompted a warning from Fergal Lyons, cybersecurity evangelist at threat intelligence specialist Centripetal about the fundamental problem of storing data online.
“It’s becoming increasingly apparent that no matter where our data is stored online, it’s just a matter of time before it’s exposed,” said Lyons. “The MoveIT vulnerability has become a notorious gift for hackers, allowing them to exfiltrate vast amounts of personal data from multiple sources.”
“While it’s crucial to continue securing code, fortifying systems, and patching vulnerabilities, the inherent complexity of our IT systems makes them increasingly susceptible to attacks,” said Lyons.
“In addition to addressing exploits and vulnerabilities, we must also focus on understanding the origins of these attacks,” Lyons concluded. “Leveraging all available threat intelligence is vital for preemptively defending against these threats, as they continually target our clearly vulnerable networks.”
The SolarWinds issue emerged in late 2020, when the hackers inserted backdoor code into SolarWinds’ Orion platform in March 2020 (or possibly earlier according to one US senator).
The hackers then used this exploit to access the systems of at least half-a-dozen US federal agencies, as well as potentially thousands of private firms before the attack was discovered in December 2020.
In March 2021 it was revealed that the SolarWinds hackers had even obtained access to the then-head of the US’ Department of Homeland Security and members of the department’s cybersecurity staff.
The full scale of the US government compromise came under investigation, but just before Christmas 2020, US Senator Ron Wyden revealed that dozens of email accounts at the US Treasury Department had been compromised.
Microsoft also admitted that the SolarWinds hackers had actually accessed and viewed source code repositories within Redmond.
Officials in the United States have blamed Russia’s SVR foreign intelligence service for the SolarWinds hack.
The SVR had been identified earlier in 2021 as being responsible, as it is linked to APT29 or Cozy Bear, thought to be behind the attack.