News

SolarWinds Sued by SEC for Misleading Investors

• By Kurt Mackie
• October 31, 2023

The U.S. Securities and Exchange Commission (SEC) announced a lawsuit on Monday against SolarWinds Corp. for misleading investors.

The SEC is alleging that SolarWinds engaged in "fraud and internal control failures" regarding its software security practices. In particular, the SEC referred to "Sunburst," which is part of the "supply-chain" based attack, publicized in Dec. 2020, that was used to compromise the e-mail traffic of some U.S. government agencies.

SolarWinds and its Chief Information Security Officer Timothy G. Brown had understated the risks, dating back to Oct. 2018, according to the SEC:

The complaint alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed 'SUNBURST,' SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks. In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds' cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.

The attack generally referred to as Sunburst leveraged an injected compromised software component (also referred to as a "malicious DLL" by some security researchers) in SolarWinds' Orion management products. This initial compromise was used to establish a backdoor, called Sunburst, to link to attacker servers. The Orion compromise was not the only attack method used by the attackers, said to be Russia affiliated, who sought to tap Microsoft Exchange Online e-mail traffic.

In its announcement, the SEC alluded to a SolarWinds internal communication stating that "SolarWinds' remote access set-up was 'not very secure'," leaving critical systems vulnerable to attackers, which was shared with Brown. Instead of addressing the vulnerabilities, SolarWinds and Brown "engaged in a campaign to paint a false picture of the company's cyber controls environment, thereby depriving investors of accurate material information."

Sudhakar Ramakrishna, SolarWinds' president and CEO, described the SEC's complaint as "a misguided and improper enforcement action against us," in a Monday announcement. He argued that SolarWinds was transparent in its communications about Sunburst, and had proper security controls in place before Sunburst:

The truth of the matter is that SolarWinds maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats. For these reasons, we will vigorously oppose this action by the SEC.

Ramakrishna joined SolarWinds in January 2021, "just days after the company learned about SUNBURST." SolarWinds at that time had "shared information about the incident as it was confirmed," while working to ensure customers had secure environments. He contended that the attacks using Sunburst had used "novel techniques the world's best cybersecurity experts had never seen before."