SEC charges SolarWinds, CISO with fraud in 2020 supply chain attacks

SolarWinds and the company’s chief information security officer (CISO), Tim Brown, were charged with fraud following the U.S. Securities and Exchange Commission (SEC) investigation into the devastating 2020 Orion Sunburst supply chain attacks.

The SEC filed a 68-page complaint (PDF) against the company and Brown on Oct. 30, alleging they defrauded investors by talking up SolarWinds’ cybersecurity practices and downplaying or failing to disclose known risks.

Both the company and Brown refuted the allegations and vowed to fight the case, filed in U.S. District Court of the Southern District of New York.

The charges were telegraphed earlier this year when the company and Brown were sent “Wells Notices” by the SEC, indicating the commission was planning to take action against them.

Threat actors gained access to SolarWinds’ flagship Orion software through its automated build environment and began testing their ability to inject malicious code into builds in October 2019. They rolled out malicious updates, which were named Sunburst, to approximately 1,800 customers between March and June 2020.

The SEC alleges Brown, who was the company’s vice president of information security at the time, knew about SolarWinds’ multiple cybersecurity risks and vulnerabilities, but failed to act to resolve them.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir S. Grewal, director of the SEC’s Division of Enforcement.

“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” Grewal said.

According to the SEC’s complaint, the alleged misconduct by the company and Brown “would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack. But those violations became painfully clear when SolarWinds experienced precisely such an attack.”

Company and Brown vow to fight charges

In a post on the company’s website, SolarWinds president and CEO Sudhakar Ramakrishna, who joined the company just days after the malicious updates were discovered, described the SEC’s charges as alarming and misguided.

“The truth of the matter is that SolarWinds maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats,” Ramakrishna said.

“For these reasons, we will vigorously oppose this action by the SEC.”

In a separate statement, a SolarWinds spokesperson said the “unfounded charges related to a Russian cyberattack on an American company” were the result of the SEC’s “determination to manufacture a claim against us and our CISO.”

A statement from Brown’s lawyer said he had performed his responsibilities as vice president and CISO “with diligence, integrity, and distinction.”

“Mr. Brown has worked tirelessly and responsibly to continuously improve the company's cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC's complaint.”

In October last year, SolarWinds settled a class action lawsuit for $26 million. The case, filed in SolarWind’s home state of Texas, was brought by shareholders who bought stock in the company around the time of the breach.

There was a different outcome in Delaware, however, where the state’s Supreme Court upheld a lower court’s decision to dismiss a similar case brought by SolarWinds investors.