News

SolarWinds Sued by SEC for Misleading Investors

The U.S. Securities and Exchange Commission (SEC) announced a lawsuit on Monday against SolarWinds Corp. for misleading investors.

The SEC is alleging that SolarWinds engaged in "fraud and internal control failures" regarding its software security practices. In particular, the SEC referred to "Sunburst," which is part of the "supply-chain" based attack, publicized in Dec. 2020, that was used to compromise the e-mail traffic of some U.S. government agencies.

SolarWinds and its Chief Information Security Officer Timothy G. Brown had understated the risks, dating back to Oct. 2018, according to the SEC:

The complaint alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyberattack, dubbed 'SUNBURST,' SolarWinds and Brown defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks. In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds' cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.

The attack generally referred to as Sunburst leveraged an injected compromised software component (also referred to as a "malicious DLL" by some security researchers) in SolarWinds' Orion management products. This initial compromise was used to establish a backdoor, called Sunburst, to link to attacker servers. The Orion compromise was not the only attack method used by the attackers, said to be Russia affiliated, who sought to tap Microsoft Exchange Online e-mail traffic.

In its announcement, the SEC alluded to a SolarWinds internal communication stating that "SolarWinds' remote access set-up was 'not very secure'," leaving critical systems vulnerable to attackers, which was shared with Brown. Instead of addressing the vulnerabilities, SolarWinds and Brown "engaged in a campaign to paint a false picture of the company's cyber controls environment, thereby depriving investors of accurate material information."

Sudhakar Ramakrishna, SolarWinds' president and CEO, described the SEC's complaint as "a misguided and improper enforcement action against us," in a Monday announcement. He argued that SolarWinds was transparent in its communications about Sunburst, and had proper security controls in place before Sunburst:

The truth of the matter is that SolarWinds maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats. For these reasons, we will vigorously oppose this action by the SEC.

Ramakrishna joined SolarWinds in January 2021, "just days after the company learned about SUNBURST." SolarWinds at that time had "shared information about the incident as it was confirmed," while working to ensure customers had secure environments. He contended that the attacks using Sunburst had used "novel techniques the world's best cybersecurity experts had never seen before."

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • IBM Giving Orgs a Governance Lifeline in Agentic AI Era

    Nearly overnight, organizations are facing brand-new challenges caused by self-directed AI systems (a.k.a. agentic AI). Big Blue is extending them some help.

  • Microsoft Launches Integrated E-mail Security Ecosystem for Defender for Office 365

    Microsoft is expanding its e-mail security capabilities with the launch of a new Integrated Cloud Email Security (ICES) ecosystem for Microsoft Defender for Office 365.

  • Microsoft Joins Workday's AI Agent Partner Network

    Microsoft has become a key partner in Workday's newly launched AI Agent Partner Network, aligning with other industry leaders to integrate AI agents into enterprise workforce systems.

  • LinkedIn CEO Ryan Roslansky To Lead Microsoft's Productivity Initiatives

    In a strategic leadership realignment, Microsoft has appointed LinkedIn CEO Ryan Roslansky to oversee its consumer and small business productivity software division, encompassing Microsoft 365, Teams and AI-driven tools like Copilot.