SolarWinds revealed the Securities and Exchange Commission (SEC) is examining cybersecurity disclosures and public statements the company and its executives made after its massive 2020 data breach caused by hackers backed by the Russian government.
SolarWinds disclosed Thursday in a Form 8-K that the SEC sent it a Wells Notice informing the company that the agency intends to file an enforcement action “alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures.” There was no additional information available about what the alleged violations were.
In the same filing, SolarWinds said it had entered into a binding settlement term sheet with class-action litigants to offer $26 million to settle a lawsuit related to harms caused to SolarWinds customers because of the breach. The settlement would “fund claims submitted by class members, the legal fees of plaintiffs’ counsel, and the costs of administering the settlement.”
SolarWinds was sued by two pension funds in U.S. District Court in Delaware in November 2021.
In December 2020, hackers backed by Russia were reported to have infiltrated SolarWinds, which provided network management software to hundreds of large companies and government agencies. The hackers implanted malicious code within a software update to SolarWinds Orion products, allowing them to gain a foothold in the network and access elevated credentials, according to Microsoft’s analysis of the attack. Once implanted, the software connected to a server controlled by the hackers, allowing them to launch further attacks against SolarWinds customers and steal their data.
Some reports said the Russian-backed hackers may have gained access to SolarWinds systems as early as September 2019 or early 2020. The breach eventually compromised about 100 companies and a dozen government agencies, a SolarWinds executive told NPR in April 2021. The companies included Microsoft, Intel, and Cisco, while federal agencies affected included the Treasury, Justice, and Energy Departments, as well as the Pentagon. Eventually, the list of organizations affected also included defense contractors, tech companies, telecoms, banks, and more.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering all federal agencies to immediately disconnect the affected Orion products from their networks. Companies were similarly urged to disconnect affected products, to determine whether their third parties were compromised, and to take steps to address cybersecurity vulnerabilities in their supply chains.
In an April 2021 executive order, President Joe Biden later named the Russian Foreign Intelligence Service as “the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform and other information technology infrastructures.”