News

SolarWinds Sued by SEC for Misleading Investors

The U.S. Securities and Exchange Commission (SEC) announced a lawsuit on Monday against SolarWinds Corp. for misleading investors.

The SEC is alleging that SolarWinds engaged in "fraud and internal control failures" regarding its software security practices. In particular, the SEC referred to "Sunburst," which is part of the "supply-chain" based attack, publicized in Dec. 2020, that was used to compromise the e-mail traffic of some U.S. government agencies.

SolarWinds and its Chief Information Security Officer Timothy G. Brown had understated the risks, dating back to Oct. 2018, according to the SEC:

The complaint alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed 'SUNBURST,' SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks. In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds' cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.

The attack generally referred to as Sunburst leveraged an injected compromised software component (also referred to as a "malicious DLL" by some security researchers) in SolarWinds' Orion management products. This initial compromise was used to establish a backdoor, called Sunburst, to link to attacker servers. The Orion compromise was not the only attack method used by the attackers, said to be Russia affiliated, who sought to tap Microsoft Exchange Online e-mail traffic.

In its announcement, the SEC alluded to a SolarWinds internal communication stating that "SolarWinds' remote access set-up was 'not very secure'," leaving critical systems vulnerable to attackers, which was shared with Brown. Instead of addressing the vulnerabilities, SolarWinds and Brown "engaged in a campaign to paint a false picture of the company's cyber controls environment, thereby depriving investors of accurate material information."

Sudhakar Ramakrishna, SolarWinds' president and CEO, described the SEC's complaint as "a misguided and improper enforcement action against us," in a Monday announcement. He argued that SolarWinds was transparent in its communications about Sunburst, and had proper security controls in place before Sunburst:

The truth of the matter is that SolarWinds maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats. For these reasons, we will vigorously oppose this action by the SEC.

Ramakrishna joined SolarWinds in January 2021, "just days after the company learned about SUNBURST." SolarWinds at that time had "shared information about the incident as it was confirmed," while working to ensure customers had secure environments. He contended that the attacks using Sunburst had used "novel techniques the world's best cybersecurity experts had never seen before."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • Report: Cost, Sustainability Drive DaaS Adoption Beyond Remote Work

    Gartner's 2025 Magic Quadrant for Desktop as a Service reveals that while secure remote access remains a key driver of DaaS adoption, a growing number of deployments now focus on broader efficiency goals.

  • Windows 365 Reserve, Microsoft's Cloud PC Rental Service, Hits Preview

    Microsoft has launched a limited public preview of its new "Windows 365 Reserve" service, which lets organizations rent cloud PC instances in the event their Windows devices are stolen, lost or damaged.

  • Hands-On AI Skills Now Outshine Certs in Salary Stakes

    For AI-related roles, employers are prioritizing verifiable, hands-on abilities over framed certificates -- and they're paying a premium for it.

  • Roadblocks in Enterprise AI: Data and Skills Shortfalls Could Cost Millions

    Businesses risk losing up to $87 million a year if they fail to catch up with AI innovation, according to the Couchbase FY 2026 CIO AI Survey released this month.