The US government’s Securities and Exchange Commission (SEC) has charged SolarWinds and its chief information security officer (CISO) Timothy Brown with multiple offences related to fraud and internal control failures, after uncovering a litany of security issues in the wake of the Sunburst supply chain incident.
Uncovered in the run-up to Christmas 2020, the Sunburst – or Solorigate – cyber attack saw the Russia-backed threat actors known as Cozy Bear break into multiple critical networks belonging to the US government, as well as a great many private enterprises, having compromised SolarWinds’ Orion network management platform as long ago as 2019.
In the years since, SolarWinds has drawn praise for its commitment to openness and become a huge advocate for secure-by-design software development practices.
However, in its complaint published on 30 October, the SEC accused the company and Brown of defrauding investors by overstating SolarWinds’ cyber security practices, and understating and failing to disclose known risks.
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security-minded company’,” said Gurbir Grewal, director of the SEC’s Division of Enforcement.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” Grewal continued.
“Today’s enforcement action not only charges SolarWinds and Brown for misleading the investing public and failing to protect the company’s ‘crown jewel’ assets, but also underscores our message to issuers: implement strong controls calibrated to your risk environments and level with investors about known concerns.”
The SEC alleged that SolarWinds misled its investors by disclosing merely generic and hypothetical risks at a moment when it knew full well that its security practices contained “specific deficiencies”.
It cited a 2018 presentation, prepared by a company engineer and seen by Brown, in which the unnamed engineer identified a gaping hole in SolarWinds’ remote access VPN via which a threat actor could – and on at least one occasion did – access SolarWinds systems on an unmanaged device. The engineer warned that this setup was “not very secure”.
The engineer added that someone exploiting this flaw could “basically do whatever without us detecting it until it’s too late”.
Over the course of 2020, the SEC said, it was becoming clear within SolarWinds that Orion was not secure – something Brown himself apparently knew, following an attack against an undisclosed government agency in May and another against a cyber security client in October.
In July that year, five months before the attack became public, the SEC said another engineer told Brown they were “spooked” by weird activity at a customer and warned him that the volume of security issues they were seeing was outstripping their capacity to resolve.
Shortly following the second attack on the cyber security customer, the SEC said Brown allegedly recognised similarities between that attack and the May incident, but when asked by the customer if SolarWinds had seen similar activity before, the customer’s contact at SolarWinds said it had not. This individual then messaged a colleague. “Well,” they said, “I just lied.”
The SEC cited further internal communications sent in November 2020, in which a senior infosec manager at SolarWinds expressed disgust with the company’s posture. “We’re so far from being a security-minded company. Every time I hear about our head geeks talking about security I want to throw up.”
The complaint further stated that in the wake of the December 2020 disclosures by FireEye – identified in the SEC complaint as Cybersecurity Firm C – SolarWinds filed a Form 8-K with the SEC, signed off by Brown among others, that made no mention of the fact the Orion vulnerability had been exploited on two other occasions, even though FireEye had shared the relevant code with SolarWinds and Brown had made the connections.
The SEC said SolarWinds’ poor controls, false and misleading statements, and omissions and general misconduct would have violated federal securities laws even if Orion had not been compromised by the Russians – and its violations were “painfully clear” to see.
In a statement circulated to the media, a SolarWinds spokesperson said: “We are disappointed by the SEC’s unfounded charges related to a Russian cyber attack on an American company and are deeply concerned this action will put our national security at risk.
“The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cyber security professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our secure-by-design commitments.”
A lawyer for Brown said he had performed his duties with “diligence, integrity and distinction” and had worked “tirelessly and responsibly” to improve SolarWinds’ security posture. “We look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint.”