News

SolarWinds Sued by SEC for Misleading Investors

The U.S. Securities and Exchange Commission (SEC) announced a lawsuit on Monday against SolarWinds Corp. for misleading investors.

The SEC is alleging that SolarWinds engaged in "fraud and internal control failures" regarding its software security practices. In particular, the SEC referred to "Sunburst," which is part of the "supply-chain" based attack, publicized in Dec. 2020, that was used to compromise the e-mail traffic of some U.S. government agencies.

SolarWinds and its Chief Information Security Officer Timothy G. Brown had understated the risks, dating back to Oct. 2018, according to the SEC:

The complaint alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed 'SUNBURST,' SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks. In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds' cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.

The attack generally referred to as Sunburst leveraged an injected compromised software component (also referred to as a "malicious DLL" by some security researchers) in SolarWinds' Orion management products. This initial compromise was used to establish a backdoor, called Sunburst, to link to attacker servers. The Orion compromise was not the only attack method used by the attackers, said to be Russia affiliated, who sought to tap Microsoft Exchange Online e-mail traffic.

In its announcement, the SEC alluded to a SolarWinds internal communication stating that "SolarWinds' remote access set-up was 'not very secure'," leaving critical systems vulnerable to attackers, which was shared with Brown. Instead of addressing the vulnerabilities, SolarWinds and Brown "engaged in a campaign to paint a false picture of the company's cyber controls environment, thereby depriving investors of accurate material information."

Sudhakar Ramakrishna, SolarWinds' president and CEO, described the SEC's complaint as "a misguided and improper enforcement action against us," in a Monday announcement. He argued that SolarWinds was transparent in its communications about Sunburst, and had proper security controls in place before Sunburst:

The truth of the matter is that SolarWinds maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats. For these reasons, we will vigorously oppose this action by the SEC.

Ramakrishna joined SolarWinds in January 2021, "just days after the company learned about SUNBURST." SolarWinds at that time had "shared information about the incident as it was confirmed," while working to ensure customers had secure environments. He contended that the attacks using Sunburst had used "novel techniques the world's best cybersecurity experts had never seen before."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.