SolarWinds, in a Friday SEC filing, said unnamed current and former executives including its chief financial officer and chief information security officer received Wells notices that they may be subject to civil enforcement action in relation to the late 2020 SolarWinds Orion cyberattack, a.k.a. Sunburst. And guess which current CFO and CISO were serving those roles at the time of the attack.
SolarWinds Friday said that some of its past and former executives were issued a Wells notice by the U.S. Securities and Exchange Commission related to potential violations stemming from the SolarWinds Orion cyberattack, also known as the Sunburst attack.
A Wells notice is a letter the SEC sends to companies or people after an SEC investigation is concluded that the recipients will be subject to an enforcement action.
Receipt of a Wells notice typically means that the SEC, after finishing an investigation, has discovered evidence of possible violations of securities laws.
In Friday’s SEC filing, SolarWinds wrote that it had previously disclosed two shareholder derivative actions that were filed, purportedly on behalf of the company, asserting break of duty and other claims against SolarWinds and some of its current and former officer and directors relating to the SEC’s investigation of the Orion cyberattack. The company in October, 2022 received a Wells notice.
However, the current filing was made to notify investors that “certain current and former executive officers and employees of the Company, including the Company’s Chief Financial Officer and Chief Information Security Officer,’ received Wells notices from the SEC staff, each in connection with the Investigation.
“The Wells Notices provided to these individuals each state that the SEC staff has made a preliminary determination to recommend that the SEC file a civil enforcement action against the recipients alleging violations of certain provisions of the U.S. federal securities laws,” SolarWinds wrote.
SolarWinds did not name any of the executives who received the Wells notices.
However, current Chief Financial Officer J Barton Kalsu and current Chief Information Security Officer Tim Brown were serving in those roles at the time of the attack.
Kalsu has served as CFO since April, 2016, while Brown, who earlier this year was named CISO of the Year by the Globee Cybersecurity Awards, became CISO in 2017.
The executives referenced by the SEC have not yet been formally charged, SolarWinds said in the SEC filing.
“A Wells Notice is neither a formal charge of wrongdoing nor a final determination that the recipient has violated any law. If the SEC were to authorize an action against any of these individuals, it could seek an order enjoining such individuals from engaging in future violations of provisions of the federal securities laws subject to the action, imposing civil monetary penalties and/or a bar from serving as an officer or director of a public company and providing for other equitable relief within the SEC’s authority,” the company wrote.
SolarWinds executives were not available to respond to a CRN request for more information.
However, SolarWinds, in an emailed statement to CRN not attributed to a specific person, said that the company has acted properly at all times following the unprecedented Sunburst attack and is cooperating with the SEC.
“SUNBURST was a highly sophisticated and unforeseeable attack that the United States government has said was carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before. SolarWinds has acted properly at all times by following long-established best practices for both cyber controls and disclosure. We are cooperating in a long investigative process that seems to be progressing to charges by the SEC against our company and officers. Any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure.
“The only possible way to prevent sophisticated and widespread nation-state attacks such as SUNBURST is through public-private partnerships with the government,” SolarWinds wrote.
The December, 2020 manual supply chain attack against SolarWinds’ Orion network monitoring platform sent shockwaves throughout the world, with suspected Russian foreign intelligence service hackers gaining access to U.S. government agencies, critical infrastructure entities, and private sector organizations.
The victims included government, consulting, technology and telecom firms in North America, Europe, Asia and the Middle East, FireEye threat researchers wrote.
FireEye’s CEO at the time said that only 50 of the 18,000 organizations who installed malicious SolarWinds Orion code into their network were “genuinely impacted” by the campaign, while Microsoft President Brad Smith said Dec. 17 that just over 40 of the company’s customers were precisely targeted and compromised through trojanized Orion updates.