The U.S. Securities and Exchange Commission accused SolarWinds and its Chief Information Security Officer Tim Brown of misleading statements, omissions and schemes that defrauded investors and customers in the years before and the months following a massive security breach that led to the now-infamous “Sunburst” attack.
“Defendants SolarWinds and its then-Vice President of Security and Architecture, Brown, defrauded SolarWinds’ investors and customers through misstatements, omissions, and schemes that concealed both the Company’s poor cybersecurity practices and its heightened—and increasing—cybersecurity risks,” the SEC wrote in a complaint filed Monday. “SolarWinds’ public statements about its cybersecurity practices and risks painted a starkly different picture from internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.”
[RELATED: SolarWinds ‘Confident’ It ‘Acted Appropriately’ After 2020 Hack: CEO]
The agency is suing SolarWinds and Brown in U.S. District Court in Southern New York for several violations of securities laws. The government is demanding that Brown and SolarWinds are found responsible for numerous counts of fraud, stripping both the company and Brown of any “ill-gotten gains” they received from violating securities laws. Additionally, the SEC wants to bar Brown from holding a seat as an officer at a publicly traded company.
“Through his false statements, false sub-certifications, and other means alleged above, Defendant Brown knowingly provided substantial assistance to, and thereby aided and abetted, SolarWinds’ violations of the securities laws,” the SEC wrote in the complaint.
A legal representative for Brown replied to a CRN request for comment with the following statement:
“Tim Brown performed his responsibilities at SolarWinds as Vice President of Information Security and later as Chief Information Security Officer with diligence, integrity, and distinction. Mr. Brown has worked tirelessly and responsibly to continuously improve the Company’s cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint.”
Solarwinds, meanwhile, released a statement that pushed back hard against the government, saying it will “vigorously oppose” what it called a “misguided” lawsuit.
“It is alarming that the [SEC] has now filed what we believe is a misguided and improper enforcement action against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages,” CEO Sudhakar Ramakrishna wrote in a post to the company’s website Monday. “The truth of the matter is that SolarWinds maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats. For these reasons, we will vigorously oppose this action by the SEC.”
SolarWinds and Brown made “false and misleading statements,” in three types of public disclosures between December 2018 and January 2021: the security statement it posted to its website, SolarWinds S-1 and S-8 forms filed in that period, as well as on a form that the company filed when it disclosed the flaw with its Orion software platform, the complaint states.
According to the SEC, SolarWinds boasted that its products followed security development life-cycle practices that included “vulnerability testing, regression testing, penetration testing;” SolarWinds password policy stated it enforced the use of complex passwords, and that access to sensitive data is on a need-to-know, least-privilege-necessary basis.
“All of those statements were materially false and misleading,” the government said.
“SolarWinds had already determined that it was not taking adequate steps to protect against anticipated and known risks, including failing to follow the steps outlined in the Security Statement,” the federal compliant states. “These general warnings were then repeated verbatim in each relevant filing, despite both the ongoing problems and the increasing red flags in 2020 that SolarWinds was not only being specifically targeted for a cyberattack, but that the attackers had already gotten in.”
SolarWinds began ignoring warnings in June 2018, the SEC said. That’s when a SolarWinds’ network engineer found a security gap in the company’s VPN that would let an attacker “basically do whatever without detecting it until its too late,” the unnamed engineer warned.
An August 2019 presentation warned that SolarWinds “access and privilege to critical systems/data is inappropriate,” while a March and October 2020 presentation noted “significant deficiencies” in SolarWinds access controls.
In a July 2020 email, a SolarWinds engineer told Brown he was “spooked” by activity at a SolarWinds’ customers. Brown agreed that the incident was “very concerning” and continued, “As you guys know our backends are not that resilient and we should definitely make them better,” the SEC complaint quotes Brown as writing.
On a September 2020 Risk Acceptance Form that was marked for Brown and others talks of “the risk of legacy issues in the Orion Platform” and warned “[t]he volume of security issues being identified over the last month have outstripped the capacity of Engineering teams to resolve.”
In November 2020 the company’s senior information security manager wrote in an internal instant message “Everytime I hear about our head geeks talking about security I want to throw up.”
That same month a security employee sent that same manager a message about the Orion platfrom.
“The products are riddled and obviously have been for many years.”
Those working to fix the issues were overwhelmed, according to internal communications, highlighted by the SEC.
“We filed more vulnerabilities then [sic] we fixed. And by fixed, it often means just a temporary fix … but the problem is still there and it’s huge. I have no idea what we can do about it. Even if we started to hire like crazy, which we will most likely not, it will still take years. Can’t really figure out how to unf**k this situation. Not good.”
In September 2019, CRN spoke with Brown about security among the company’s MSP customers.
“My broad-based mission is to basically eliminate anything that can do material damage to my company,” Brown told CRN. “I know I can’t eliminate everything. So, that’s the first rule. So what do I eliminate that would be materially damaging to my company? Then I highlight those to the [best] of my ability.”
The SEC said SolarWinds’ misleading statements, schemes and ommissions would have resulted in fraud charges regardless of whether they were attacked.
“SolarWinds’ poor controls, Defendants’ false and misleading statements and omissions, and the other misconduct described in this Complaint, would have violated the federal securities laws even if SolarWinds had not experienced a major, targeted cybersecurity attack. But those violations became painfully clear when SolarWinds experienced precisely such an attack.
While a SolarWinds engineer warned that its VPN was vulnerable in June 2018, in January 2019, threat actors accessed SolarWinds’ systems “through the VPN using an unmanaged device. The actors then had broad, undetected access to SolarWinds’ systems,” the SEC wrote.
“Using their access, the threat actors inserted malicious code into three software builds for SolarWinds’ Orion products. SolarWinds then delivered these compromised products to more than 18,000 customers across the globe,” the complaint continues. “The malicious code provided the threat actors with the ability to access the systems of these compromised customers, provided certain other conditions were met, and became known as the SUNBURST attack.”
The SEC said throughout 2020, Brown received an increasing number of reports about cyber security attacks and vulnerabilities against Orion and other SolarWinds products. Two customers using Orion—a government agency and a cybersecurity firm—were attacked in October 2020.
“Shortly after the October 2020 attack against Cybersecurity Firm B, SolarWinds employees including Brown recognized similarities between that attack and the attack on U.S. Government Agency A,” the SEC said. “But when personnel at Cybersecurity Firm B asked SolarWinds employees if they had previously seen similar activity, InfoSec Employee F falsely told Cybersecurity Firm B that they had not. He then messaged a colleague, “[W]ell I just lied.”
It wasn’t until a third victim, another cyber security firm, was attacked that SolarWinds determined the attacks were related and finally acted, filing a Form 8-K disclosure drafted by Brown, a group of executives, and signed by the CEO.
“That Form 8-K was materially misleading in several respects, including its failure to disclose that the vulnerability at issue had been actively exploited against SolarWinds’ customers multiple times over at least a six-month period in the incidents involving U.S. Government Agency A, Cybersecurity Firm B, and Cybersecurity Firm C,” the SEC states.
Ramakrishna joined SolarWinds around the time of the attack, said in the statement Monday that the company responded to the attack in the manner the government ancourages.
“The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security,” he wrote. “They also risk disenfranchising earnest cybersecurity professionals across the country, taking these cyber warriors off the front lines. I worry these actions will stunt the growth of public-private partnerships and broader information-sharing, making us all even more vulnerable to security attacks.
“The actions we have taken over the last two-and-a-half years motivate us to stay the course and to push back against any efforts that will make our customers and our industry less secure. We will continue to move forward, guided by our fundamental principles of transparency, urgency, collaboration, communication, and humility.”