US government sues SolarWinds for security failings
Three years after the major cyber-incident at SolarWinds, the US Securities and Exchange Commission (SEC) is suing the firm.
In the lawsuit, the government agency alleges that the company and its executive staff knew their systems’ security was an utter disaster for months, if not years before the data breach incident.
However, instead of notifying investors and users, they kept the information for themselves and even tried to convince everyone the firm’s assets were secure.
Worries over Orion
“We allege that, for years, SolarWinds and Brown (SolarWinds CISO Timothy G. Brown), ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,'” said Gurbir S. Grewal, the head of SEC’s Division of Enforcement.
“Rather than address these vulnerabilities, SolarWinds and Brown engaged in a campaign to paint a false picture of the company’s cyber controls environment, thereby depriving investors of accurate material information.”
Brown also worried that someone could use Orion in future attacks, because the organization’s backend systems weren’t resilient, the SEC claims. In an ironic twist of fate, it was exactly Orion that was used to deliver highly destructive malware to numerous organizations around the world.
Back in 2020, a Russian hacking organization known as APT29 breached SolarWinds, discovered a patch for Orion that was in the works, and compromised it with malicious code. Once SolarWinds pushed the update to its clients, most of them were infected.
According to a BleepingComputer report, APT29 is linked to the Russian Foreign Intelligence Service (SVR) hacking division.
Commenting on the news, the company’s President and CEO, Sudhakar Ramakrishna, said the lawsuit is “alarming”, and that the SEC’s behavior is “misguided” and an “improper enforcement action”.
“We made a deliberate choice to speak—candidly and frequently—with the goal of sharing what we learned to help others become more secure. We partnered closely with the government and encouraged other companies to be more open about security by sharing information and best practices,” he was cited as saying.
“Unfounded” accusations
“The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security.”
A subsequent company statement added that the charges are “unfounded” and that they’ll put American national security at risk.
“The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country. We look forward to clarifying the truth in court and continuing to support our customers through our Secure by Design commitments.”
More from TechRadar Pro
Three years after the major cyber-incident at SolarWinds, the US Securities and Exchange Commission (SEC) is suing the firm. In the lawsuit, the government agency alleges that the company and its executive staff knew their systems’ security was an utter disaster for months, if not years before the data breach…
Recent Posts
- EV tech is trickling down to hybrid and combustion vehicles, and I’m here for it
- X and music publishers quietly settle opposing lawsuits
- How to watch Argentina vs England for FREE: Live Streams & TV Channels for Nations Championship 2026
- GoPro’s discounted Max 2 bundle includes $100 worth of accessories
- The Guardian’s Carter Sherman fondly remembers being terrified by Ocarina of Time
Archives
- July 2026
- June 2026
- May 2026
- April 2026
- March 2026
- February 2026
- January 2026
- December 2025
- November 2025
- October 2025
- September 2025
- August 2025
- July 2025
- June 2025
- May 2025
- April 2025
- March 2025
- February 2025
- January 2025
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- July 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023