Three years after the major cyber incident at SolarWinds, the US Securities and Exchange Commission (SEC) is suing the company.
In the lawsuit, the government agency claims that the company and its management staff knew for months, if not years, before the data breach incident that the security of their systems was an unmitigated disaster.
However, instead of notifying investors and users, they kept the information to themselves and even tried to convince everyone that the company’s assets were safe.
Worried about Orion
“We allege that for years SolarWinds and Brown (SolarWinds CISO Timothy G. Brown) ignored repeated red flags about SolarWinds’ cyber risks, which were known throughout the company and led one of Brown’s subordinates to conclude: ‘We have not yet security-oriented company said Gurbir S. Grewal, the head of the SEC’s Enforcement Division.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to misrepresent the company’s cyber control environment, depriving investors of accurate material information.”
Brown also worried that someone could use Orion in future attacks because the organization’s backend systems were not resilient, the SEC alleges. In an ironic twist of fate, it was precisely Orion that was used to deliver highly destructive malware to countless organizations around the world.
In 2020, a Russian hacking organization known as APT29 breached SolarWinds, discovered a patch for Orion in the works, and compromised it with malicious code. When SolarWinds pushed the update to its customers, most of them were infected.
According to a BleepingComputer According to the report, APT29 is linked to the hacking department of the Russian Foreign Intelligence Service (SVR).
Reacting to the news, the company’s president and CEO, Sudhakar Ramakrishna, said the lawsuit is “alarming” and that the SEC’s conduct is “misguided” and an “inappropriate enforcement action.”
“We have made a conscious decision to speak – candidly and frequently – with the aim of sharing what we have learned to help others become safer. We’ve been working closely with the government and encouraging other companies to be more open about security by sharing information and best practices. ”, he was quoted as saying.
‘Unfounded’ accusations
“The SEC’s allegations now jeopardize the industry’s open sharing of information, which cybersecurity experts agree is necessary for our collective security.”
A subsequent statement from the company added that the allegations are “baseless” and that they endanger U.S. national security.
“The SEC’s determination to bring a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and dedicated cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”