Sunburst: US Judge Dismisses Most SEC Charges Against SolarWinds

A US judge has dismissed most of the US Securities and Exchange Commission (SEC) accusations against IT management software company SolarWinds and its CISO, Timothy Brown, over a major 2020 cyberattack.

In a 107-page decision made public on July 18, US District Judge Paul Engelmayer in Manhattan said SEC statements claiming that SolarWinds and Brown concealed the firm’s security weaknesses after the ‘Sunburst’ hack, thereby defrauding their investors, were based on “hindsight and speculation.”

In the same document, the judge also dismissed most SEC claims concerning statements predating the attack, in which the Commission accused the company of hiding cybersecurity weaknesses in its products before the attack.

The only SEC accusation the judge said was legitimate concerns the failure of security controls embedded in SolarWinds products.

The 2020 SolarWinds Cyber-Attack

The Sunburst attack (sometimes called the SolarWinds attack) was a major supply chain attack detected in December 2020. It impacted thousands of organizations globally, including a significant portion of the US federal government (Departments of Commerce, Energy, Homeland Security, State, and Treasury).

Hackers believed to be affiliated with the Russian government exploited software or credentials from at least three US firms – Microsoft, SolarWinds, and VMware.

In particular, they infiltrated the SolarWinds software and inserted malicious code – later dubbed ‘Sunburst’ – into the company's Orion network management software. This code allowed the attackers to remotely access and potentially steal data from any system running the infected software.

Many organizations relied on SolarWinds' Orion platform for critical network monitoring, making them unknowingly vulnerable once the malicious update was installed.

The attackers could then exploit this access to move laterally within a network, potentially reaching highly sensitive systems and data.

An Unprecedented Lawsuit Against a Cyber-Attack’s Victim

The SEC filed a case in October 2023, accusing SolarWinds and its CISO of misconduct before, during and after the cyber-attack.

It was one of the first times a US regulator accused a company that fell victim to a cyber-attack and sued one of its executives.

SolarWinds said it was pleased with the decision.

“We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate,” a SolarWinds spokesperson added.

Brown's lawyers did not immediately respond to media requests for comment.

The SEC declined to comment.
