SolarWinds – the network monitoring biz thoroughly hacked as part of a wider espionage operation – has been sued by its shareholders who claim bosses failed to tell them about its numerous security woes.
Last month, it emerged the update server used by SolarWinds to distribute its Orion software had been subverted by miscreants to secretly inject a backdoor into the code so that hackers could infiltrate the computers of customers who installed the product. Said customers included tons of government organizations and corporations worldwide. And in a statement on Tuesday, the US government’s National Security Council task force probing the tampering said it was highly likely those miscreants were Russian spies seeking out confidential and vital information.
“This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,” the council’s statement reads.
This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks
“At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”
The task force reckons 18,000 public and private sector orgs downloaded the tainted Orion builds, but that “a much smaller number” suffered further network intrusions via the implanted backdoor. In other words: plenty of IT departments installed the software but the hackers only sneaked into a few places through the hidden security hole. Nevertheless the damage to SolarWinds’ reputation and share price has been great and its stockholders are furious.
Their lawsuit [PDF], filed in Texas and seeking class-action status, alleges SolarWinds’ president Kevin Thompson and its CFO Barton Kalsu violated America’s securities law after they “misrepresented and failed to disclose” critical facts.
Well, on the bright side, the SolarWinds Sunburst attack will spur the cybersecurity field to evolve all over again
The legal challenge points out that when the world learned of the backdooring, it led to a “precipitous decline in the market value of the company’s securities,” which led to “significant losses and damages.” In other words, they lost money when the company’s shares dropped sharply in December when the hack was revealed. The picture has since worsened.
The lawsuit alleges that the software biz had failed to warn shareholders in a timely manner that a backdoor had been planted in its Orion monitoring products from the middle of 2020, which opened up systems used by the US federal government and corporations. Microsoft, for example, said it installed the tainted suite though not on production networks.
The lawsuit also points out that SolarWinds’ update server was at one time only protected by the insanely bad password solarwinds123, which was not a great indication of security being taken seriously.
A little knowledge is a dangerous thing
It further alleges that execs had “actual knowledge of the material omissions and/or the falsity of the material statements” and intended to “deceive plaintiff… or, in the alternative, acted with reckless disregard for the truth when they failed to ascertain and disclose the true facts in the statements made by them.” The argument is that by failing to disclose its true security situation, the company’s share price was being “artificially inflated.”
In its quarterly filings with the SEC, SolarWinds included the standard boilerplate warning to investors about its cybersecurity efforts: that there was an increase in the “number, intensity and sophistication of attempted hacks and intrusions from around the world,” and that as a result it “may be unable to anticipate these techniques or to implement adequate preventative measures.” As a result, SolarWinds’ software could be breached and lead to a “severe reputational damage adversely affecting customer or investor confidence.”
SolarWinds releases known attack timeline, new data suggests hackers may have done a dummy run last year
The question that the lawsuit is likely to dig into is whether that warning was sufficient or whether execs knew things were potential far worse and failed to relay that information properly.
The lawsuit references reports three days after the hack became public in which security researcher Vinoth Kumar said he had “alerted the company that anyone could access SolarWinds’ update server by using the password ‘solarwinds123.’” The lawsuit also notes that days after the hack was revealed, the compromised Orion software updates were still on SolarWinds’ website, though we note they were no longer directly linked from any webpages.
The lawsuit wants damages for “reasonable costs and expenses incurred” as well as lawyers’ fees and any fines a court may put on the company though doesn’t put a dollar figure on it. ®