SolarWinds fires back at SEC over fraud charges

SolarWinds criticized the U.S. Securities and Exchange Commission over recent charges against the software company and its CISO Timothy Brown, claiming the agency's lawsuit is "fundamentally flawed."

Last week, the SEC announced it filed charges of fraud and internal security controls failures against both SolarWinds and CISO Timothy Brown. The SEC claimed the company and Brown misled investors by publicly overstating its cybersecurity practices from a period between October 2018 and December 2020, when SolarWinds disclosed it was breached in a massive supply chain attack at the hands of Russian nation-state hackers.

"In its filings with the SEC during this period, SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds' cybersecurity practices as well as the increasingly elevated risks the company faced at the same time," the SEC wrote in the announcement last week.

SolarWinds posted a rebuttal to the SEC charges Wednesday evening, claiming the lawsuit has "false claims" about both the company's security practices and the notorious supply chain attack.

SolarWinds "categorically" denied the SEC's allegations that it lacked adequate security controls prior to the supply chain attack, in which threat actors used malicious updates for the company's Orion IT management software to deliver backdoor malware known as Sunburst to SolarWinds' customers.

"The company had appropriate cybersecurity controls in place before Sunburst," the statement said. "The SEC misleadingly quotes snippets of documents and conversations out of context to patch together a false narrative about our security posture."

SolarWinds also denied the allegations that it misled investors in SEC filings about the potential risk of cyber attacks.

"Our regulatory filings before the attack clearly disclosed that, despite the company's security controls, it was subject to the risk of a breach -- including a state-sponsored attack like SUNBURST," the company wrote. "This risk disclosure was comparable to those of leading U.S. technology companies. If our risk disclosure [was] considered inadequate, everyone's risk disclosures would be inadequate."

SolarWinds also strongly denied two aspects of the SEC's lawsuit concerning the supply chain attack. The complaint claimed that in early 2018, SolarWinds had "a known vulnerability" in its corporate VPN and that in 2019, threat actors gained access to the company's network through the VPN.

"It is possible that the threat actors first accessed SolarWinds' systems at an earlier time and through other means, but the earliest confirmed access was through the VPN vulnerability," the complaint read.

However, SolarWinds said those claims are false.

"There was no VPN 'vulnerability,'" the company wrote. "SolarWinds maintained controls during the relevant time frame designed to mitigate the risks from VPN access (such as restrictions on the scope of access available to unmanaged devices). The SEC's assertion that the company lacked compensating controls is false."

The company also denied the SEC's claim that the Russian threat actors behind Sunburst obtained access to the network through the VPN. "The SEC complaint does not identify how Russia was able to enter the SolarWinds environment. In fact, that is still unknown to this day," SolarWinds said.

The VPN claims appear to stem from a May article from Wired that reported that incident response investigators discovered Russian threat actors gained access to a SolarWinds employee's VPN account in January 2019. However, the report does not mention a vulnerability and does not establish the account theft as the initial access point into SolarWinds' network.

SolarWinds' statement does not mention Brown. However, the company said the lawsuit "threatens to discourage CISOs and other cybersecurity personnel from candidly evaluating and discussing risks internally as is necessary for continuous improvement through identifying areas where security can be strengthened.

"If security personnel must constantly worry about their well-intentioned words and actions being mischaracterized in a false light and used as fodder for government charges, the result will be to drive good people from the industry and inhibit frank communication and sound decision-making about security issues," the statement read.

TechTarget Editorial contacted SolarWinds for additional comment, but the company declined.

Rob Wright is a longtime technology reporter who lives in the Boston area. Additional reporting provided by security news writer Arielle Waldman.