
Judge tosses most of SEC's lawsuit against SolarWinds

A judge dismissed many of the charges in the U.S. Securities and Exchange Commission's lawsuit against SolarWinds and its CISO, Timothy Brown, though some charges remain.

A judge dismissed most of the U.S. Securities and Exchange Commission's lawsuit against SolarWinds, which claims the software company and its CISO Timothy Brown committed fraud in connection with 2020's devastating supply chain attacks.

The SEC filed the lawsuit against SolarWinds and Brown in October 2023, claiming they misled investors about the company's cybersecurity practices. SolarWinds responded about a week later with a statement that called the agency's lawsuit "fundamentally flawed" and denied several aspects of the SEC's accusations.

On Thursday, U.S. District Judge Paul Engelmayer partially granted SolarWinds' motion to dismiss the suit, throwing out all charges stemming from the company's statements and disclosures that followed the initial revelation of the nation-state attacks in late 2020. Engelmayer split the charges between SolarWinds' "pre-Sunburst" and "post-Sunburst" disclosures, terms that refer to the custom malware that Russian threat actors injected into software updates for the company's Orion IT management software.

"As to post-SUNBURST disclosures, the Court dismisses all claims," Engelmayer wrote in Thursday's order. "These do not plausibly plead actionable deficiencies in the company's reporting of the cybersecurity hack. They impermissibly rely on hindsight and speculation."

Engelmayer also tossed an "ill-pled" charge from the SEC related to SolarWinds' internal accounting and disclosure procedures.

But while the post-Sunburst charges were dismissed, Engelmayer ruled that some pre-Sunburst charges against SolarWinds and Brown can proceed. Those charges relate to statements and disclosures between 2017 and late 2020, including the company's "Security Statement" published on its website in late 2017.

In fact, Engelmayer's order said the SEC's amended complaint "plausibly alleges that Solar Winds and Brown made sustained public misrepresentations, indeed many amounting to flat falsehoods, in the Security Statement about the adequacy of its access controls.

"Given the centrality of cybersecurity to SolarWinds' business model as a company pitching sophisticated software products to customers for whom computer security was paramount, these misrepresentations were undeniably material," Engelmayer wrote.

A SolarWinds spokesperson provided the following statement to TechTarget Editorial:

"We are pleased that Judge Engelmayer has largely granted our motion to dismiss the SEC's claims. We look forward to the next stage, where we will have the opportunity for the first time to present our own evidence and to demonstrate why the remaining claim is factually inaccurate. We are also grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns, with which the court agreed."

The SolarWinds breach and resulting supply chain attacks represented a watershed moment for cybersecurity. An advanced persistent threat (APT) group breached SolarWinds' network and used the Orion updates to push malicious code, including backdoors, out to thousands of the company's customers. The threat actors used the backdoors to gain access to dozens of customer networks, including those of several U.S. federal agencies.

The attacks were attributed to APT29, a Russian nation-state threat group also known as Cozy Bear and Midnight Blizzard. The notorious APT is responsible for several other high-profile attacks, including the recent breach of Microsoft's corporate network.

Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage. Have a tip? Email him.
