The Securities and Exchange Commission (SEC) is dropping its case against SolarWinds and its chief information security officer (CISO), Timothy G. Brown.
In a brief press release, the SEC says that it has filed a joint stipulation with SolarWinds and its CISO to dismiss the Commission’s civil enforcement action.
“In the exercise of its discretion,” the market supervisor doesn’t give any insight into why it dropped the case.
“We fought with conviction, arguing that the facts demonstrated our team acted appropriately. This outcome is a welcome vindication of that position. With the case now resolved, we look forward to focusing without distraction on delivering exceptional value to our customers through our market-leading software and solutions, emphasizing security and innovation at every step,” a SolarWinds spokesperson told CyberScoop.
An SEC spokesperson declined to comment.
The SolarWinds incident was uncovered in December 2020 by cybersecurity firm FireEye. The company reported at the time that hackers had managed to steal scripts, scanners, and tools that could be used to carry out cyberattacks.
This enabled Russian hackers to penetrate SolarWinds’ corporate network and carry out a supply chain attack.
The perpetrators exploited a vulnerability in Orion Network Management Tools, which is software used for remotely monitoring corporate networks, databases, servers, and web applications. This tool was developed by SolarWinds. By adding a backdoor called SunBurst to this software, hackers were able to infiltrate political institutions, local governments, and companies worldwide.
Numerous organizations were targeted, including the US Department of the Treasury, Homeland Security, Justice, and Microsoft. At Microsoft, the attackers gained access to the source code of at least three products: Azure cloud software, Exchange Mail and Calendar Server software, and Intune Management software.
At the end of 2023, the SEC initiated a civil enforcement action against SolarWinds and its CISO. The company and its CISO were accused of concealing information about the hack, thereby violating US stock exchange regulations.
The threat of personal liability for senior executives caused concern among experts and CISOs worldwide. The proceedings would hurt the disclosure of security incidents, place enormous pressure on security managers, and influence career choices, potentially leading to a shortage of security experts, they claimed.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked