*Note: I previously wrote about SolarWinds and the Wells Notice here.*
The Securities and Exchange Commission (SEC) announced on Monday evening that it plans to charge SolarWinds Chief Information Security Officer Timothy Brown with fraud for his role in allegedly lying to investors by “overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.”
The complaint was filed in the Southern District of New York and centers on violations of the antifraud provisions of the Securities Act of 1933 and of the Securities Exchange Act of 1934. The SEC “seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer and director bar against Brown.”
For months, the SEC hinted that it planned to charge SolarWinds executives for their role in a nearly two-year cyberattack that the U.S. government attributed to the Russian Foreign Intelligence Service.
Hackers found a way to insert malware into a version of the company’s Orion IT monitoring application, allowing Russian operatives to gain a foothold in high-value targets. They used the access to deploy additional malware to compromise internal and cloud-based systems and steal sensitive information over several months.
The attack allowed Russian hackers to infiltrate several large companies as well as the Defense Department, Justice Department, Commerce Department, Treasury Department, the Department of Homeland Security, the State Department, the Department of Energy and more.
The SEC said that from its October 2018 initial public offering through at least its December 2020 announcement of the hack, SolarWinds “misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”
“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” said Gurbir Grewal, director of the SEC’s Division of Enforcement.
Brown is facing charges related to fraud and internal control failures because the company’s official statements were “at odds with its internal assessments, including a 2018 presentation prepared by a company engineer and shared internally.”
According to the SEC, internal reports shared with Brown said SolarWinds’ remote access set-up was “not very secure” and that someone exploiting the issues “can basically do whatever without us detecting it until it’s too late,” which could lead to “major reputation and financial loss” for SolarWinds.
The SEC said it has evidence that presentations by Brown in both 2018 and 2019 said the “current state of security leaves us in a very vulnerable state for our critical assets” and that “[a]ccess and privilege to critical systems/data is inappropriate.”
Multiple communications were sent among Brown and other SolarWinds employees questioning whether the company could protect critical assets from cyberattacks.
The SEC complaint shares evidence that in one incident involving a cyberattack on a SolarWinds customer, Brown acknowledged that an attacker may have tried to use SolarWinds’ Orion software in larger attacks because “our backends are not that resilient.”
Brown is accused of being aware of the company’s cybersecurity issues but failing to either resolve them or raise them to a higher level within the company.
The SEC also said the company’s disclosure of the cyberattack, known as SUNBURST, in December 2020 was incomplete.
The Texas-based company paid a $26 million settlement to shareholders last year over lawsuits related to the hacking scandal. But the SEC issued Wells notices in November, implying the company had misled the public with its comments about cybersecurity protection in the run-up to the cyberattack.
Some of my observations
Steve Werby compiled this graphic.
Brown was awarded the Globee Cybersecurity Award, 6 months before this verdict. At this point, even the "award" scene looks very shady.
Now, referring to this snapshot.
Noteworthy: SolarWinds' ex-CEO blames the intern for the password "solarwinds123".
Seriously I have no idea what else to say...
References
[1] SEC charges SolarWinds CISO with fraud for misleading investors before major cyberattack. (2023). Retrieved from https://therecord.media/solarwinds-ciso-sec-charged
[2] SEC's Wells Notice. Retrieved from https://www.linkedin.com/pulse/ciso-crosshair-solarwindssec-ts-dr-suresh
[3] Fung, B., & Sands, G. (2021). Former SolarWinds CEO blames intern for “solarwinds123” password leak | CNN Politics. Retrieved from https://edition.cnn.com/2021/02/26/politics/solarwinds123-password-intern/index.html