Security News > 2023 > October > SEC sues SolarWinds for misleading investors before 2020 hack
The U.S. Securities and Exchange Commission today charged SolarWinds with defrauding investors by allegedly concealing cybersecurity defense issues before a December 2020 linked to APT29, the Russian Foreign Intelligence Service hacking division.
The SEC claims SolarWinds failed to notify investors about cybersecurity risks and poor practices that its Chief Information Security Officer, Timothy G. Brown, knew about.
"Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company's cyber controls environment, thereby depriving investors of accurate material information."
The regulator claims that Brown was already aware that attackers that would hack SolarWinds' systems remotely would be very hard to detect since at least 2018, according to presentations saying that the "Current state of security leaves us in a very vulnerable state for our critical assets" and that "[a]ccess and privilege to critical systems/data is inappropriate.
Two months before the attack, the SEC says that a SolarWinds internal document revealed that the engineering teams were no longer able to keep up with a long list of new security issues that they had to address.
The Russian APT29 threat group breached SolarWinds' internal systems and trojanized the SolarWinds Orion IT administration platform and subsequent builds released between March 2020 and June 2020.