Updated 11:15 BST with comment from SolarWinds. In brief: SolarWinds sued over 2019 hack. SolarWinds CISO Timothy G. Brown also charged by the SEC, which alleges "fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities."
SolarWinds and its CISO Timothy Brown have been charged with fraud and internal control failures by the Securities and Exchange Commission, three years after a devastating supply chain attack on its Orion software.
The US markets watchdog, in a complaint filed on October 30, alleged that the company and its CISO failed to disclose known cybersecurity risks and “specific deficiencies” in SolarWinds’ cybersecurity practices.
SEC: SolarWinds CISO knew of failings
A security statement on SolarWinds website posted before its October 2018 IPO and regularly disseminated to customers was also riddled with “materially false and misleading” statements around secure development, access controls and complex password requirements, the SEC said.
The security statement said that SolarWinds followed the NIST 800-53 security framework but a 2019 assessment shared with its CISO and CIO found that the company had a “program/practice in place” for only 21 of the 325, or just 6% of the NIST 800-53 controls, the SEC found.
The legal action by the SEC comes after hackers inserted malicious “SUNBURST” code into three software builds for SolarWinds’ flagship Orion products, which were downloaded by more than 18,000 customers.
Its disclosure on December 13 had a huge global impact given the scale of the incident, with CISA telling federal agencies in an Emergency Directive to “disconnect or power down SolarWinds Orion products immediately”
Victims of the early 2019 incident, disclosed in December 2020, included Cisco, FireEye, Intel, Microsoft, the US Departments of Homeland Security, State, Treasury and thousands of other private sector companies globally.
The attack was sophisticated: The attackers had breached SolarWinds’ network, altered legitimate Orion .dll source code before SolarWinds compiled it and signed it. But the SEC says this was and is no mitigation.
“SolarWinds’ poor controls, Defendants’ false and misleading statements and omissions, and the other misconduct described in this Complaint, would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack” it said this week.
(In the years since the incident SolarWinds has had its PR teams chasing journalists writing about the hack globally and imploring them to “consider replacing ‘SolarWinds’ with ‘SUNBURST?’” and arguing that “some of the companies targeted were not using SolarWinds software.”)
One observer, security expert Jake Williams, said on social media platform X: "The SEC litigation against Solarwinds is going to do more to advance security than another decade of breaches would. CISOs are often beaten into submission under threat of losing their jobs. The SEC gave them the holy hand grenade to fight back against any pressure to mislead."
SolarWinds sued by SEC: CISO indicted
The SEC says that SolarWinds’ public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with SolarWinds CISO Timothy Brown, that SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the vulnerability “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss.”
Presentations by SolarWinds’ CISO in 2018 and 2019 had said “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”
Critically the SEC complaint picks on not just the failure of the CISO to throw a good perimeter around the company but poor software build processes, with the commission turning up internal documents that flagged “the risk of legacy issues in the Orion Platform” for its CISO and warned “[t]he volume of security issues being identified over the last month have outstripped the capacity of Engineering teams to resolve.”
One November 2020 message by a senior information security manager, sent weeks before the hack was disclosed, meanwhile lamented that “[W]e’re so far from being a security minded company. [E]very time I hear about our head geeks talking about security I want to throw up.”
Updated: A legal representative for Timothy Brown at King & Spalding told The Stack: "Tim Brown performed his responsibilities at SolarWinds as Vice President of Information Security and later as Chief Information Security Officer with diligence, integrity, and distinction. Mr. Brown has worked tirelessly and responsibly to continuously improve the Company’s cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint."
Beyond FireEye, Mandiant and Microsoft, few of the downstream victims have been public about what the SolarWinds attackers did once inside their networks. Mandiant CTO Charles Carmakal, one of the victims, recently reiterated in comments to press that the attackers planned to hit other software and that they had been seen “poking around in source code and build environments for a number of other technology companies.”
The SEC’s complaint, filed in the Southern District of New York, alleges that SolarWinds and Brown violated the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934; SolarWinds violated reporting and internal controls provisions of the Exchange Act; and Brown aided and abetted the company’s violations.
The complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown, the SEC confirmed.
SolarWinds said: “We are disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk.
"The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments."
The full SEC complaint is here.
An in-depth recap of the SolarWinds breach by Wired is here.