Future Tech

SolarWinds charged after SEC says biz knew IT was leaky ahead of SUNBURST attack

Tan KW
Publish date: Tue, 31 Oct 2023, 10:26 AM

SolarWinds and its chief infosec officer have been charged with fraud by America's financial watchdog, which alleges the software maker knew its security was in a poor state ahead of the SUNBURST supply chain attack.

In a Monday announcement the SEC alleged SolarWinds and CISO Timothy G. Brown “defrauded investors by overstating SolarWinds' cybersecurity practices and understating or failing to disclose known risks.”

The civil complaint [PDF] alleges that, from at least its October 2018 initial public offering through at least its December 2020 announcement of the SUNBURST cyberattack, SolarWinds’s regulatory filings “allegedly misled investors by disclosing only generic and hypothetical risks at a time when the company and Brown knew of specific deficiencies in SolarWinds’ cybersecurity practices as well as the increasingly elevated risks the company faced at the same time.”

The SEC announcement cites a 2018 corporate presentation that was shared internally, including with Brown, and which described SolarWinds’ remote access setup as “not very secure.”

Which is something of an understatement as the presentation went on to say an attacker who gained access to the remote access system “can basically do whatever without us detecting it until it’s too late.”

Brown himself is alleged to have delivered presentations in 2018 and 2019 that stated the “current state of security leaves us in a very vulnerable state for our critical assets” adding “[a]ccess and privilege to critical systems/data is inappropriate.”

Those dark forecasts were horribly prescient, as in 2020 it was revealed that SolarWinds’ Orion network monitoring tool had been secretly backdoored in a supply chain attack. The 18,000 orgs that downloaded the poisoned package included Microsoft and the US Department of Energy's National Nuclear Security Administration.

SolarWinds later published the results of a probe into the incident and suggested fewer than 100 Orion customers were attacked.

But that’s a misleading metric, as all users were exposed to additional risk and incurred the cost and hassle of remediating Orion.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company’,” said Gurbir S. Grewal, director of the SEC’s Division of Enforcement. “Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information,” he added.

The SEC has therefore framed its suit as addressing two issues: misinformation to investors, and the need for listed entities to get their infosec house in order.

The suit won’t be a surprise to SolarWinds, which in November 2022 settled with shareholders and advised it had received SEC notices indicating future regulatory action.

SolarWinds sent The Register the following statement.

®

https://www.theregister.com//2023/10/31/sec_charges_solarwinds_sunburst_fraud/
