SEC Targets SolarWinds' CISO for Rare Legal Action Over Russian Hack

In a highly rare move, the SEC sent notice to SolarWinds' CISO, and other specific employees, indicating they may face legal action over Russia's hack of their company.

Photo: Suzanne Cordeiro/Getty Images

More than three years after Russian hackers compromised SolarWinds and embedded a backdoor in its premier software product, the Securities and Exchange Commission has notified specific employees of the company, including its chief information security officer, that it believes the workers may have violated federal securities laws in a way that could lead the SEC to bring civil enforcement action against them.

In an email that SolarWinds CEO Sudhakar Ramakrishna sent all employees on Friday, first reported by CNN, he revealed that the SEC recently sent so-called “Wells notices” to current and former workers indicating they are in the commission’s sights for potential charges. A Wells notice isn’t a charging document, but is a significant notification to recipients that SEC investigators believe there is evidence they may have violated U.S. federal securities laws, and that the commission is considering bringing civil enforcement action against them. Recipients are given an opportunity to respond to the SEC in writing before a final determination on charges is made.

SolarWinds had already received a Wells notice for the company itself last October, but the notices to the CISO and other employees are new.

In Ramakrishna’s email about the Wells notices, which Zero Day has published in its entirety below, he didn’t name the employees who received the notices. But in an 8-K filing the company submitted to the SEC Friday, it revealed that the recipients included the company’s CISO and its chief financial officer.

Zero Day has confirmed that the notices went to Tim Brown and Barton Kalsu. Brown, who is currently CISO of SolarWinds, was head of security architecture for the company at the time of the breach. Kalsu is the company’s CFO.

If the SEC follows through and takes action against the employees, they could face monetary penalties and be barred from serving as officers or directors of any public company in the future.

Ramakrishna joined the company as CEO only after the breach was discovered and the company submitted its disclosure to the SEC. It’s not known whether the company’s former CEO, who left two weeks after the breach was disclosed, received a Wells notice as well.

Ramakrishna didn’t detail in his email what wrongdoing the SEC alleges his employees did. But the SEC had previously told SolarWinds that it found problems with the company’s cybersecurity disclosures and public statements around the breach, as well as with its internal controls and procedures.

Ramakrishna took issue with this characterization.

“Despite our extraordinary measures to cooperate with and inform the SEC [about the incident],” he wrote in his email, “they continue to take positions we do not believe match the facts…. We disagree that any such action is warranted against either the company or any employees, and we will continue to explore a potential resolution of this matter before the SEC makes any final decision.”


In a LinkedIn post this week, Jamil Farshchi, CISO of Equifax, called the Wells notice to the SolarWinds CISO “a really big deal.” In a post titled “Did the stakes just get monumentally raised for CISO’s?” he noted that “the implications are immense.”

“Wells Notices are no joke,” he wrote. “They create massive career hardships — especially if one plans to work for a publicly traded company. For all of us in security, it means the light is shining on us brighter than ever before.”

Mark Rasch, a former Justice Department prosecutor who is now an attorney with Kohrman Jackson and Krantz, said that a Wells notice sent to a CISO is “very rare.” Typically the notifications are related to securities or other financial fraud or activity that would have a material effect on the company’s stock price or value.

“It’s not common for any Wells notice to be sent to a company in relation to cybersecurity,” he told Zero Day.

This is because a CISO’s activities in the past typically didn’t materially impact a company’s value or stock price. But in the era of mega breaches and cyberattacks that affect critical infrastructure, the SEC has recognized that this is changing.

“The SolarWinds breach, like the Colonial Pipeline attack, are systemic and endemic attacks that don’t just impact those companies,” Rasch says. “They impact entire sectors. When you are a company where a breach can impact that much of the population, you have to do a better job.”

Rasch says there are two reasons a company and CISO might receive a Wells notice in connection with a breach.

“One, there is a material fact about the breach that was not disclosed to the SEC — something that would materially impact people’s decisions to invest in the company or affect the value or price of the company; or two, you have a material vulnerability that you knew about and either failed to fix it or failed to disclose it” to the board and regulators.

In other words, the SEC may feel that SolarWinds made false and misleading statements about the scope or impact of the breach, or that it made materially false statements in its SEC filings about how secure it was before the breach.

Rasch says CISOs and companies can expect to see more Wells notices in the future. The SEC has shown a commitment to expanding its role in this area.

Last year the SEC nearly doubled the size of its Crypto Assets and Cyber Unit, adding 20 new positions to increase the staff to 50. The unit’s work is aimed at protecting investors who might be impacted by crypto markets or cyber-related threats.

The commission also proposed amendments to its cybersecurity rules for public companies. The new rules would require these companies to periodically disclose information about their policies and procedures related to identifying and managing cybersecurity risks. The companies would also have to provide updates about cybersecurity incidents they’ve previously disclosed as well as information about their management’s role and expertise in assessing and managing cybersecurity risks and implementing cybersecurity policies and procedures.

It’s not clear how SolarWinds’ CISO may have violated federal securities laws. The company disclosed the hack to the SEC and the public within 24 hours after learning of the breach. But the hack succeeded because the company had failed to fully secure its build environment, something the SEC could argue it should have done.

I wrote a lengthy feature story for this month’s issue of WIRED magazine (available online), detailing how the sophisticated hacking operation went down. (I also separately published a timeline of events for paid subscribers of Zero Day.)

The Russian hackers — the U.S. government has attributed the operation to Russia’s foreign intelligence service, the SVR — breached SolarWinds’ network in early 2019. They first stole the source code for many of the company’s software programs and conducted reconnaissance of its build environment and networks. Then they disappeared for months, presumably to study the code and design a seamless method to compromise one of its programs.

They chose the company’s Orion software, a tool used by many of the top agencies in the federal government, as well as titans of tech and other industries, to configure and manage their networks.

When the hackers returned to SolarWinds’ network in February 2020, they deposited an implant on the company’s build server that automatically injected a backdoor into Orion software any time the company prepared a new update to send to customers.

That backdoor, which researchers named “Sunburst”, went out to more than 16,000 customers who downloaded tainted software updates. This included at least nine U.S. federal agencies — including the Justice Department, DHS, and the Departments of Energy and Commerce — as well as Microsoft and numerous other tech giants. Once on those infected networks, the hackers viewed source code of victims, stole email, and potentially siphoned other sensitive data as well. (Because a number of the federal agencies that were compromised did not do adequate logging, sources told me the government doesn’t have a complete understanding of everything the hackers did on infected networks.)

The hackers were able to compromise the Orion software in the way they did because SolarWinds had not implemented secure architecture and processes that could have prevented or detected the operation before the code went out to customers. Experts noted in my WIRED story, however, that few software makers had implemented such security practices at the time of the SolarWinds hack, making them equally vulnerable to the same kind of attack. SolarWinds says it has since re-architected its build process to address this.

With regard to the potential SEC actions against his employees and company, Ramakrishna wrote in his email on Friday, “We are confident the company always acted appropriately — before and in response to the attack. The U.S. government and the security community have said the cyberattack was carried out…using novel techniques and spy craft the world’s best cybersecurity experts had never seen before.”

He added that “it is widely accepted there was nothing any company could have done to prevent a cyberattack of this scale, sophistication, and novelty.”

Here’s Ramakrishna’s full email to his employees:

From: Sudhakar Ramakrishna
Date: Friday, June 23, 2023 at 3:08 PM
To: 
Subject: Transparency and Collaboration — Our Commitment to Secure by Design

TRANSPARENCY AND COLLABORATION — OUR COMMITMENT TO SECURE BY DESIGN

Dear Solarians,

The SUNBURST cyberattack may seem well behind us now, and we have come a long way on our journey to full recovery. Thanks to your commitment and efforts, we have won back the trust of our customers and resolved many legal matters associated with the incident. Teams who dedicated considerable time to remediation and investigation have largely returned to their regular course of business, and we have made our product security controls stronger than ever through our Secure by Design initiative. The progress our company has made has been nothing short of remarkable.

However, the Securities and Exchange Commission (SEC) investigation into SUNBURST and the company continues and could cause a distraction in the coming months. Despite our extraordinary measures to cooperate with and inform the SEC, they continue to take positions we do not believe match the facts. Recently, SEC staff notified some of our former and current employees that they are considering bringing legal action against these employees along with the company. We disagree that any such action is warranted against either the company or any employees, and we will continue to explore a potential resolution of this matter before the SEC makes any final decision. And if the SEC does ultimately decide to initiate any legal action, we intend to vigorously defend ourselves.

We are confident the company always acted appropriately—before and in response to the attack. The U.S. government and the security community have said the cyberattack was carried out against SolarWinds and other technology companies by a determined nation-state actor—identified as Russia by the White House—using novel techniques and spy craft the world’s best cybersecurity experts had never seen before. It is widely accepted there was nothing any company could have done to prevent a cyberattack of this scale, sophistication, and novelty.

Moreover, we responded transparently to the attack and effectively supported our customers and other stakeholders. The security community and many government officials in the U.S. and worldwide have praised our response and our commitment to transparency and information-sharing.

This praise is evidence of the industry's confidence in us today. Our own Tim Brown was named CISO of the Year by hundreds of his peers and fellow cybersecurity experts. SC Media recently said SolarWinds “may be one of the most secure software companies.” In our recent panel on Capitol Hill, Representative Darrell Issa (R-CA), Representative Raja Krishnamoorthi (D-IL), and CISA Executive Assistant Director for Cybersecurity Eric Goldstein all commended our commitment to public-private partnerships and championing industry collaboration. A replay of this panel will be available Wednesday, June 28, and I encourage you to watch it to see how many in our government support our efforts.

Our approach to addressing SUNBURST followed—and has bolstered—important industry norms, including:

Responsible disclosure: Disclosing responsibly—precisely as we did—is paramount to the industry’s security and protected our customers.

Transparent communication: Confirming and sharing information is vital to building trust, identifying solutions, and aiding others in protecting themselves.

Public-private partnerships: Improving our community vigilance against cyber threats through two-way collaboration is essential. Effective public-private partnerships are the only way to prevent nation-state attacks such as SUNBURST.

In short, in the face of this extraordinary attack, we responded with courage, transparency, and integrity, raising the bar for other companies in our industry.

As the SEC process continues to move forward, it is important that we not lose sight of our past progress or become distracted from our present mission. Our focus should remain on the importance of our work and on providing the highest level of service to our customers. We will continue to conduct ourselves in line with our principles of humility, transparency, and collaboration—the same principles that helped us build a great company and successfully address SUNBURST.

With gratitude,

Sudhakar Ramakrishna

Update: This story previously named the CISO as Chris Brown. His first name is Tim.

See related coverage:

The Untold Story of the Boldest Supply Chain Hack Ever

The DoJ Detected the SolarWinds Hack Six Months Before Previously Disclosed

Timeline of the SolarWinds Hack and Investigation (paid Zero Day subscribers only)

How Volexity Discovered the SolarWinds Hacking Campaign (paid Zero Day subscribers only)
