The U.S. Securities and Exchange Commission (SEC) and SolarWinds have reached a settlement in principle to resolve litigation stemming from alleged security failings that led to the 2020 compromise of SolarWinds’ Orion platform by Russian cyber operatives. This development, outlined in a letter to Judge Paul Engelmayer of the U.S. District Court for the Southern District of New York, indicates a cessation of the ongoing legal proceedings against SolarWinds and its Chief Information Security Officer, Tim Brown.
The “Sunburst/Solorigate” supply chain incident, which became public in December 2020, involved the introduction of malicious code into the SolarWinds platform by the Russian state hacking group known as Cozy Bear. This compromised code was subsequently pushed to downstream targets as a legitimate software update.
Approximately 20,000 SolarWinds customers downloaded and installed these malicious updates. Among the likely primary targets of this cyberattack were U.S. government entities, including the Department of Energy (DoE) and the National Nuclear Safety Administration (NNSA), the latter responsible for maintaining the U.S. nuclear weapons stockpile.
In their joint letter, SEC and SolarWinds representatives stated that the settlement in principle “would completely resolve this litigation.” This resolution remains subject to review and approval by the SEC’s commissioners. Both parties requested that all pending dates in the case be stayed in anticipation of a planned filing date for the final settlement, which is set for September 12. Judge Engelmayer acknowledged this development as “productive” and has since stayed all deadlines in the case, additionally adjourning oral arguments that were scheduled for later in the month.
A SolarWinds spokesperson commented on the situation, stating, “The settlement is subject to approval by the Commission and we cannot therefore discuss the terms at this time. We are pleased with the potential resolution and happy to focus on driving our business forward without distraction.”
This AI model finds low-emission cement in milliseconds
Last year, Judge Engelmayer dismissed a majority of the SEC’s claims against SolarWinds and Brown. These claims had alleged that the defendants knowingly defrauded investors by overstating the resilience of the organization’s security practices and by understating or failing to disclose known risks.
Specifically, the SEC had claimed that SolarWinds and Brown ignored, covered up, or provided false information to customers regarding connections between various cyberattacks on different Orion users throughout 2020. Judge Engelmayer’s initial dismissal of many charges, including those based on disclosures made after the incident became public, was predicated on the argument that they relied on hindsight and speculation.
However, Judge Engelmayer did sustain several charges. These included specific parts of the SEC’s complaints that alleged public misrepresentations concerning the resilience of SolarWinds’ access controls. The SEC’s recently publicized rules on security incident reporting, which became effective at the end of 2023, focus on actions taken by security leaders following an incident.
These actions followed a January 23 Executive Order from President Trump’s White House, designed to support the cryptocurrency sector. The 2020 attack involved hackers deploying malicious code into SolarWinds’ Orion IT monitoring and management software, utilized by thousands of enterprises and government agencies worldwide.
