The U.S. Securities and Exchange Commission (SEC) today charged SolarWinds with defrauding investors by allegedly concealing cybersecurity defense issues before a December 2020 linked to APT29, the Russian Foreign Intelligence Service (SVR) hacking division.
The SEC claims SolarWinds failed to notify investors about cybersecurity risks and poor practices that its Chief Information Security Officer, Timothy G. Brown (also facing legal action from regulatory authorities), knew about. Instead, the company reportedly disclosed only broad and theoretical risks to its investors.
"We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds' cyber risks, which were well known throughout the company and led one of Brown's subordinates to conclude: 'We're so far from being a security minded company,'" said Gurbir S. Grewal, the head of SEC's Division of Enforcement.
"Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company's cyber controls environment, thereby depriving investors of accurate material information."
The regulator claims that Brown was already aware that attackers that would hack SolarWinds' systems remotely would be very hard to detect since at least 2018, according to presentations saying that the "current state of security leaves us in a very vulnerable state for our critical assets" and that "[a]ccess and privilege to critical systems/data is inappropriate."
Brown also expressed concerns in June 2020 that attackers could use SolarWinds' Orion software (which was trojanized by the Russian hackers to breach customers' systems months later) as a tool in future attacks because the company's backend systems were not "resilient."