SolarWinds says SEC investigation ‘progressing to charges’

SolarWinds — the technology firm at the center of a December 2020 hack that affected multiple U.S. government agencies — said its executives may soon face charges from the U.S. Securities and Exchange Commission (SEC) for its response to the incident.

The widespread hack – which the U.S. government attributed to the Russian Foreign Intelligence Service – affected several large companies as well as the Defense Department, Justice Department, Commerce Department, Treasury Department, the Department of Homeland Security, the State Department, the Department of Energy and more.

Hackers found a way to insert malware into a version of the company’s Orion IT monitoring application, allowing Russian operatives to gain a foothold in high-value targets. They used the access to deploy additional malware to compromise internal and cloud-based systems and steal sensitive information over several months.

This weekend, a SolarWinds spokesperson defended the company’s response to the fiasco but said its executives may face charges related to their handling of the situation.

“We are cooperating in a long investigative process that seems to be progressing to charges by the SEC against our company and officers. Any potential action will make the entire industry less secure by having a chilling effect on cyber incident disclosure,” the spokesperson said.

“The only possible way to prevent sophisticated and widespread nation-state attacks such as SUNBURST is through public-private partnerships with the government,“ they said, referring to the name given to the hack.

They added that the attack was “highly sophisticated and unforeseeable,” noting that it was “carried out by a global superpower using novel techniques in a new type of threat that cybersecurity experts had never seen before.”

The company has faced significant backlash for its handling of the attack but claimed it followed “long-established best practices for both cyber controls and disclosure.”

An SEC spokesperson told Recorded Future News that they do not comment on the existence or nonexistence of possible investigations.

Reuters reported on Friday that the SEC sent several current and former executives Wells notices – letters that the commission sends to people facing enforcement action. The notices give suspects 30 days to file appeals arguing why they should not face civil action.

The notices allege that the company violated federal securities law by not having internal cybersecurity controls in place to prevent the attack.

The Texas-based company paid a $26 million settlement to shareholders last year over lawsuits related to the hacking scandal. But the SEC issued Wells notices in November implying the company had misled the public with its comments about cybersecurity protection in the run-up to the cyberattack.