In the unfolding narrative of SolarWinds, the well-known tech company accused of defrauding investors, the U.S. Securities and Exchange Commission (SEC) has stepped in, levying severe charges. At the heart of the accusations lie allegations that SolarWinds concealed significant cybersecurity deficiencies, which later enabled a major security breach traced back to the Russian Foreign Intelligence Service (SVR)’s hacking division, APT29, in December 2020.
Not the First Time Around the Sun
This potentially harmful breach is an unfortunate marker in the tech firm’s history, characterized by its penetration into multiple U.S. federal agencies three years prior. The SEC contends that SolarWinds and its Chief Information Security Officer, Timothy G. Brown, who is also under regulatory scrutiny, did not sufficiently inform investors about these significant cyber risks and inadequate safety practices, which they were aware of.
SEC’s Division of Enforcement director Gurbir S. Grewal elaborated on the concern, stating that SolarWinds and Brown had systematically diverted their attention from serious security breaches, choosing instead to portray an untruthful image of the company’s cybersecurity standards. This action, Grewal argues, systematically deprived investors of critical, accurate information.
Conversations within the company as early as 2018 already acknowledged that SolarWinds’ systems were extremely vulnerable to remote hacks, which would be incredibly challenging to detect. Expressing major concerns in mid-2020, Brown articulated a fear that the company’s Orion software could become a tool for potential hackers, due to the lack of resilience in the company’s backend systems.
The SEC further notes that in the two months leading up to the main breach, there were signs that the engineering teams at SolarWinds were not able to handle the growing list of emerging security issues.
Area Man Upset That Company He is CEO of Keeps Causing Breaches
Despite these accusations, SolarWinds’ President and Chief Executive Officer Sudhakar Ramakrishna defends the company’s actions, arguing the SEC’s charges are misdirected and counterproductive. He emphasizes how the firm sought to collaborate with other organizations, including the government, to handle the crisis and ensure a more secure environment for everybody.
Earlier this year, the SEC sent Wells notices to SolarWinds and its key executives, foreshadowing a potential civil enforcement action for alleged violations of U.S. federal securities laws, which has now come to pass.
APT29, the Russian threat group, had targeted SolarWinds’ internal systems, manipulating its Orion IT administration platform and several builds rolled out between March and June 2020. The group subsequently used these builds to introduce the Sunburst backdoor into the systems of fewer than 18,000 victims, who were then meticulously curated for second-stage exploitation.
SolarWinds Argues That It Doesn’t Need Another Federal Agency Bumming Them Out
With SolarWinds providing services to more than 300,000 customers worldwide—including industry giants like Apple, Google, and Amazon and government agencies like the U.S. Military, Pentagon, and the Department of State—the potential fallout from this breach is considerable.
Refuting the SEC’s charges, a SolarWinds spokesperson affirmed the company’s disappointment and voiced alarm over the ramifications for national security. They argued that this is an instance of SEC overreach and a cause for concern for all public companies and committed cybersecurity professionals.