The US Securities and Exchange Commission (SEC) has filed charges against SolarWinds and its Chief Information Security Officer, Timothy G. Brown, alleging that the company concealed known weaknesses in its cybersecurity defenses before and after the supply-chain attack disclosed in December 2020. That attack, attributed to APT29, a group linked to Russia's Foreign Intelligence Service (SVR), trojanized SolarWinds' Orion platform and led to breaches at several U.S. federal agencies three years ago.
The SEC asserts that SolarWinds failed to inform investors about specific cybersecurity risks and poor practices that Brown was aware of, and instead gave investors only vague, hypothetical descriptions of its security posture.
Gurbir S. Grewal, head of the SEC’s Division of Enforcement, states, “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
According to the complaint, Brown had been aware since at least 2018 that SolarWinds had difficulty detecting remote attackers targeting its systems. He also expressed concern that SolarWinds' Orion software could be used as a vehicle for larger attacks, months before the trojanized Orion updates were discovered in customer networks.
Two months before the attack came to light, an internal SolarWinds document noted that engineering teams were struggling to keep up with a growing backlog of security issues.
SolarWinds’ President and CEO, Sudhakar Ramakrishna, responded to the SEC’s charges, characterizing them as “misguided and improper enforcement action” that threatens open information-sharing across the industry.
Before filing suit, the SEC had sent Wells notices to the company and to SolarWinds executives, signalling that staff intended to recommend civil enforcement action for alleged violations of federal securities laws.
APT29 compromised SolarWinds' build environment and inserted a backdoor into signed Orion software updates. Up to 18,000 customers downloaded the tainted update, although only a much smaller subset was subsequently targeted for follow-on intrusion. SolarWinds serves over 300,000 customers worldwide, including Fortune 500 companies and various U.S. government agencies.
Multiple U.S. government agencies confirmed breaches, including the Department of State, the Department of Homeland Security, the Department of the Treasury, the Department of Energy, the National Telecommunications and Information Administration, the National Institutes of Health, and the National Nuclear Security Administration.