In a recent development, a US judge has dismissed the majority of the accusations brought forth by the US Securities and Exchange Commission (SEC) against IT management software company SolarWinds and its Chief Information Security Officer (CISO), Timothy Brown, in connection to a significant cyberattack that occurred in 2020.
The decision, which was disclosed on July 18, was made by US District Judge Paul Engelmayer in Manhattan. Judge Engelmayer stated that the claims made by the SEC, which alleged that SolarWinds and Brown had concealed security vulnerabilities following the ‘Sunburst’ hack, leading to investor fraud, were primarily based on hindsight and speculative reasoning.
Furthermore, Judge Engelmayer also threw out most of the SEC’s allegations concerning statements made prior to the cyberattack. These statements accused the company of failing to disclose security weaknesses in its products before the breach occurred.
The only accusation that the judge deemed valid pertained to the security controls that were lacking within SolarWinds products.
The Sunburst cyberattack, also known as the SolarWinds attack, was a supply chain attack that was uncovered in December 2020. This attack had a widespread impact, affecting numerous organizations globally, including several key US federal government departments such as Commerce, Energy, Homeland Security, State, and Treasury.
The hackers behind the attack, believed to have ties to the Russian government, exploited software or credentials from companies like Microsoft, SolarWinds, and VMware. By infiltrating SolarWinds’ software and introducing malicious code known as ‘Sunburst’ into their Orion network management software, the attackers were able to gain remote access to systems running the infected software and potentially exfiltrate sensitive data.
The attack was particularly damaging as many organizations relied on SolarWinds’ Orion platform for essential network monitoring, unknowingly making themselves vulnerable once the compromised update was installed.
Following the cyberattack, the SEC filed a lawsuit in October 2023, accusing SolarWinds and Brown of misconduct both before, during, and after the incident. This legal action marked a rare instance where a company victimized by a cyber-attack was targeted by a US regulator, along with one of its executives.
In response to the judge’s decision, SolarWinds expressed satisfaction and anticipation for the upcoming phase of the legal process where they will have the opportunity to present their side of the story and demonstrate why the remaining claim is factually inaccurate.
On the other hand, Brown’s legal representatives refrained from commenting immediately on the matter, while the SEC chose not to provide any statements in response to the ruling.
As the case progresses, it will be interesting to see how the remaining SEC accusation against SolarWinds and Brown will be further evaluated and how this landmark lawsuit against a cyber-attack’s victim will unfold in the legal landscape.