SolarWinds faces potential SEC enforcement action over Orion breach

The US Securities and Exchange Commission (SEC) appears poised to take enforcement action against SolarWinds for the enterprise software company’s alleged violation of federal securities laws when making statements and disclosures about the 2019 data breach at the company.

If the SEC were to move forward, SolarWinds could face civil monetary penalties and be required to provide “other equitable relief” for the alleged violations. The action would also enjoin SolarWinds from engaging in future violations of the relevant federal securities laws.

SolarWinds disclosed the SEC’s potential enforcement action in a recent Form 8-K filing with the SEC. In the filing, SolarWinds said it had received a so-called “Wells Notice” from the SEC noting that the regulator’s enforcement staff had made a preliminary decision to recommend the enforcement action. A Wells Notice basically notifies a respondent about charges that a securities regulator intends to bring against a respondent, so the latter has an opportunity to prepare a response.

SolarWinds maintained that its “disclosures, public statements, controls, and procedures were appropriate.” The company noted that it would prepare a response to the SEC enforcement staff’s position on the matter.

The breach into SolarWinds’ systems wasn’t discovered until late 2020, when Mandiant found that its red-team tools had been pilfered in the attack.

Class-Action Settlement

Separately, but in the same filing, SolarWinds said it had agreed to pay $26 million to settle claims in a class-action lawsuit filed against the company and some of its executives. The lawsuit had claimed the company had misled investors in public statements, about its cybersecurity practices and controls. The settlement would not constitute any admission of any fault, liability, or wrongdoing over the incident. The settlement, if approved, will be by paid by the company’s applicable liability insurance.

The disclosures in the 8-K Form come nearly two years after SolarWinds reported that attackers — later identified as Russian threat group Nobelium — had breached the build environment of the company’s Orion network management platform and planted a backdoor in the software. The backdoor, dubbed Sunburst, was later pushed out to the company’s customers as legitimate software updates. Some 18,000 customers received the poisoned updates. But fewer than 100 of them were later actually compromised. Nobelium’s victims included companies such as Microsoft and Intel as well as government agencies such as the US departments of Justice and Energy.

SolarWinds Executes a Complete Rebuild

SolarWinds has said it has implemented multiple changes since then to its development and IT environments to ensure the same thing doesn’t again. At the core of the company’s new secure by design approach is a new build system designed to make attacks of the sort that happened in 2019 much harder — and nearly impossible — to carry out.

To read the complete article, visit Dark Reading.