SEC charges SolarWinds for security failures, fraud

The U.S. Securities and Exchange Commission charged SolarWinds Corporation and its CISO Timothy Brown with fraud related to security failings leading up the supply chain attack known as Sunburst.

In 2020, SolarWinds customers, including U.S. federal agencies, were compromised through an Orion software update that contained malicious code known as Sunburst that attackers implanted in 2019. The SolarWinds breach was first detected by FireEye (now Trellix), which was also affected along with Microsoft and other technology vendors. Microsoft attributed the supply chain attack to a Russian nation-state group it tracks as Nobelium, more commonly known as APT29 or Cozy Bear.

Now the software maker and its CISO are facing charges of fraud and internal control failures. The Securities and Exchange Commission (SEC) announced the charges Monday, alleging that SolarWinds and Brown misled investors when it came to the company's cybersecurity practices, known risks and vulnerabilities. A previous investigation into the SolarWinds hack determined attackers were in the company's network for at least two years before they were detected.

The official charges against SolarWinds involved violating reporting and internal controls provisions of the Exchange Act and alleged that Brown "aided and abetted the company's violations." The SEC's recently implemented four-day reporting rule highlighted an overall lack of transparency in cybersecurity incident reporting.

The SEC said it seeks "permanent injunctive relief, disgorgement with prejudgment interest, civil penalties and an officer and director bar against Brown.

"As the complaint alleges, SolarWinds public statements about its cybersecurity practices and risks were at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally, including with Brown, that SolarWinds remote access set-up was 'not very secure' and that someone exploiting the vulnerability 'can basically do whatever without us detecting it until it's too late' which could lead to 'major reputation and financial loss' for SolarWinds," the SEC wrote in the press release.

Companies continually struggle to secure remote access -- a risk that was intensified by the COVID-19 pandemic and a rapid shift to remote work. However, a report by Sophos in August showed that the problem persists. The cybersecurity vendor's midyear "Active Adversary Report" showed that remote desktop protocol played a part in 95% of attacks in the first half of 2023.

Additionally, attackers have increasingly targeted VPNs to gain remote access, another area that's proven difficult to defend. For example, in February, malicious activity against Fortinet VPN instances increased despite the critical flaw attackers exploited being disclosed in December.

"It is possible that the threat actors first accessed SolarWinds's systems at an earlier time and through other means. But the earliest confirmed access was through a VPN vulnerability," the SEC wrote in the complaint.

The SEC added that SolarWinds would have been charged for failed security practices despite the Sunburst breach.

The SEC complaint also blamed Brown for "ignoring repeated red flags about SolarWinds" and alleged he did not address or disclose known vulnerabilities. Vulnerability management and timely patching have been ongoing problems for enterprises due to the high influx of security flaws, limited workforces and attackers exploiting known zero-day vulnerabilities.

The complaint also alleged that Brown knew SolarWinds backends were not resilient and that he told a member of the engineering team "we should definitely make them better" in an email from July 2020. While CISOs play a vital role in enterprise security, they do answer to a board and often face pushback on implementing new protocols, especially when it comes to cyber insurance requirements.

A spokesperson for SolarWinds referred to the charges as "unfounded" in a statement to TechTarget Editorial.

We are disappointed by the SEC's unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk. The SEC's determination to manufacture a claim against us and our CISO is another example of the agency's overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.

Brown's legal representation also provided a statement to TechTarget Editorial regarding the charges.

Tim Brown has performed his responsibilities at SolarWinds as vice president of information security and later as chief information security officer with diligence, integrity, and distinction. Mr. Brown has worked tirelessly and responsibly to continuously improve the company's cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC's complaint.

Nick DeLena, partner of cybersecurity and privacy advisory at PFK O'Connor Davies, told TechTarget Editorial the charges against SolarWinds and Brown will likely give CISOs pause. He mentioned the Uber breach case that finished in May when its former CISO Joe Sullivan was found guilty of covering up a high-profile data breach in 2016 after threat actors accessed personal data of Uber customers and drivers through an AWS S3 bucket.

"However, if the allegations are to be believed, Brown was part of a scheme to mislead investors through materially false statements made to public markets. There's apparently a trove of internal memoranda where Brown outlines how poor their security posture was. Yet the company's public security statement said they were doing all of the things Brown's memoranda said they were not," DeLena said.

He added that CISO are faced with the difficult task of defending against increasingly dangerous cyber threats while working with severely constrained resources. They are typically scrutinized and blamed following breaches and attacks.

"Often the CISO had no direct authority over the roles responsible for maintaining networks and systems. As with the Uber case, CISOs are in the hot seats when cyberattacks occur," DeLena said. "My advice to CISOs is to appreciate how vulnerable they are and stick to a strategy of honesty and transparency, keep excellent notes and make detailed reports, and ensure the organization acts in public markets in a manner consistent with their understanding of their environment."

Arielle Waldman is a Boston-based reporter covering enterprise security news.