Judge mostly drags SEC's lawsuit against SolarWinds into the recycling bin

Russia-invaded software biz 'grateful for the support we have received'


A judge has mostly thrown out a lawsuit brought by America's financial watchdog that accused SolarWinds and its chief infosec officer of misleading investors about its computer security practices and the backdooring of its Orion product.

In a Thursday ruling [PDF], US federal district Judge Paul Engelmayer dismissed all of the so-called "post-SUNBURST" claims the SEC levied against SolarWinds. That is to say, all the claims against SolarWinds for what followed the 2019-2020 SUNBURST attack.

SUNBURST is the code-name for some technologically top-notch backdoor malware Russian spies planted in the IT network monitoring software suite Orion after the snoops gained access to SolarWinds' internal infrastructure.

Orion is used by some 18,000 orgs including Microsoft and US government departments of State, Treasury, Homeland Security, and Commerce, making this a classic supply-chain attack. Infect a product a lot of valuable targets use so that when they come to deploy that compromised code in their networks, now you have remote-control access to those systems.

In its lawsuit, the SEC alleged SolarWinds and CISO Timothy Brown underhandedly played down the scope and severity of the cyberattack to the world, which included investors. Following a motion by SolarWinds to have those allegations binned, Judge Engelmayer rejected those particular claims in his 107-page opinion. 

"These do not plausibly plead actionable deficiencies in the company's reporting of the cybersecurity hack," Engelmayer wrote. "They impermissibly rely on hindsight and speculation."

The judge also tossed out the SEC's claims relating to SolarWinds' internal accounting and disclosure controls and procedures. 

Engelmayer did, however, sustain the regulator's claims of securities fraud based on SolarWinds' pre-SUNBURST statement about the security of its Orion product. Those allegations being:

The SEC contends SolarWinds hid the fact that its products and practices had porous cybersecurity. The SEC contends that the company's hype misled the investing public to believe that SolarWinds' central software product had minimal vulnerability to cyberattacks. 

Other statements and filings made by SolarWinds supported the SEC's claims regarding the developer's "porous" security, the judge noted. These charges will proceed, and there's no word on whether the SEC will appeal the ruling.

An SEC spokesperson declined to comment on the judge's opinion. SolarWinds, however, applauded the decision.

"We are pleased that Judge Engelmayer has largely granted our motion to dismiss the SEC's claims," a SolarWinds spokesperson told The Register. "We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate."

The spokesperson also said the company is "grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed."
