SolarWinds claims the SEC is spinning a “false narrative” over SUNBURST response


SolarWinds has labelled the US Securities and Exchange Commission’s (SEC) charges over cyber disclosures as “legally and factually” flawed in a scathing rebuttal to claims it acted negligently in the months preceding the 2020 SUNBURST attack.

In a statement released on 8 November, the company provided answers to a series of questions relating to the case and SolarWinds’ conduct during the breach.

Part of SolarWinds’ response was to accuse the SEC of misleadingly quoting snippets of documents and internal communications out of context in order to build a “false narrative” about the firm’s security practices.

In charges filed on 30 October 2023, the SEC alleged SolarWinds and its chief information security officer (CISO) Tim Brown defrauded investors by understating their security vulnerabilities and misleading them about the scale and severity of the attack.

“SolarWinds allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cyber security practices as well as the increasingly elevated risks the company faced at the same time,” the SEC said.

SolarWinds fires back at the SEC

In its response, SolarWinds pointed out a number of issues it found with the charges and cast doubt on the SEC’s competence to oversee cases of this nature.

The company categorically denied allegations it lacked adequate cyber security controls before the breach occurred. Furthermore, the firm accused the SEC of trying to paint a false image of the company’s actions during the attack. 

“The SEC misleadingly quotes snippets of documents and conversations out of context to patch together a false narrative about our security posture.”

The statement also makes clear the firm’s intention to fight the case and exonerate its actions, alleging the SEC’s conduct is merely an attempt to gain greater oversight over issues concerning cyber security.

“That is precisely why we are fighting this case: the SEC is twisting the facts in an attempt to expand its regulatory footprint in the cybersecurity space,” SolarWinds said. 

“We intend to correct the record and push back on their overreach, as the SEC is provably wrong about the facts and lacks the authority or competence to regulate public companies' cyber security.”

SolarWinds provided some examples of this alleged incompetence. The firm stated that the SEC’s accusation that it did not follow the NIST Cybersecurity Framework (CSF) relies on evidence that refers to an entirely different set of standards: those in NIST Special Publication and FedRAMP.

The company statement goes on to argue that claims SolarWinds’ disclosures were not transparent enough are misplaced and highlight a fundamental misunderstanding of the purpose of these disclosures.

“If the SEC has its way, companies would be required to disclose detailed vulnerability information in public filings, which would not be useful to investors but would be useful to hackers looking for vulnerabilities to exploit.”

SUNBURST attack explained

The SUNBURST cyber attack took place in December 2020 and is thought to have been perpetrated by a state-sponsored hacking group based in Russia. 

The attack used a backdoor in an update to SolarWinds’ network monitoring platform Orion to gain access to high-profile targets including US government agencies and large enterprises such as Microsoft, Intel, Deloitte, and Cisco. 

Threat actors were able to compromise one of Orion’s build servers and add a backdoor to an update module, which was in turn digitally signed and distributed to around 18,000 SolarWinds customers. 

The actual number of customers affected by the attack is disputed, however, with SolarWinds claiming the real figure was 100.

Because the software update was digitally signed, customers treated the update as trusted software and began deploying it in their internal networks. The malware inserted in the update was a Windows DLL file that communicated via HTTP with third-party servers and gave the attackers control over the Orion software on the customers’ networks.

The trojan remained inactive for an initial period to avoid detection by security systems, after which the malware began executing files and running scripts such as PowerShell to gain further access to additional parts of the victim’s network.

The degree of stealth the SUNBURST attack displayed, and its potential reach, led Microsoft president Brad Smith to describe it as the “largest and most sophisticated attack the world has ever seen”, a point SolarWinds reiterated in its statement.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.