Three years after the major cyber-incident at SolarWinds, the US Securities and Exchange Commission (SEC) is suing the firm.
In the lawsuit, the government agency alleges that the company and its executive staff knew their systems’ security was an utter disaster for months, if not years before the data breach incident.
However, instead of notifying investors and users, they kept the information for themselves and even tried to convince everyone the firm’s assets were secure.
Worries over Orion
“We allege that, for years, SolarWinds and Brown (SolarWinds CISO Timothy G. Brown), ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,'” said Gurbir S. Grewal, the head of SEC’s Division of Enforcement.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
Brown also worried that someone could use Orion in future attacks, because the organization’s backend systems weren’t resilient, the SEC claims. In an ironic twist of fate, it was exactly Orion that was used to deliver highly destructive malware to numerous organizations around the world.
Back in 2020, a Russian hacking organization known as APT29 breached SolarWinds, discovered a patch for Orion that was in the works, and compromised it with malicious code. Once SolarWinds pushed the update to its clients, most of them were infected.
According to a BleepingComputer report, APT29 is linked to the Russian Foreign Intelligence Service (SVR) hacking division.
Commenting on the news, the company’s President and CEO, Sudhakar Ramakrishna, said the lawsuit is “alarming”, and that the SEC’s behavior is “misguided” and an “improper enforcement action”.
“We made a deliberate choice to speak—candidly and frequently—with the goal of sharing what we learned to help others become more secure. We partnered closely with the government and encouraged other companies to be more open about security by sharing information and best practices,” he was cited as saying.
“Unfounded” accusations
“The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security.”
A subsequent company statement added that the charges are “unfounded” and that they’ll put American national security at risk.
“The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”