SolarWinds is being sued by shareholders, who accuse it of not having given sufficient details on the state of its security. For its part, the company argues that given the complexity of the cyberattack it suffered, it was not possible for it to anticipate it.
9 months later, the SolarWinds case is still being sued. A quick reminder of the facts: hackers managed to sneak discreetly into the production engine of the company’s flagship software, Orion, at the end of 2019. They used access to this server in charge of updates to the network management tool to insert malware – dubbed Sunburst. Because SolarWinds did not detect the infection, it itself sent a infected version of Orion to over 18,000 organizations between March and June 2020. In jargon, this method is known as the “supply chain”. attack ”.
Once Sunburst was deployed to Solarwinds customers, hackers had to manually activate the second stage of their attack, and they only targeted a few dozen organizations out of the thousands affected. Sunburst was only a Trojan horse intended to allow them to break into the networks of their main targets: the US government, the European Union or large tech companies like Microsoft and Malwarebytes. All this manipulation was first discovered in December 2020 by the cybersecurity company FireEye.
As early as the following month, in January 2021, some of the company’s shareholders launched legal proceedings in January 2021. The plaintiffs claim that they were not properly informed by the leaders of the time on the state of the company’s security before the Russian attack. CEO Kevin Thompson – whose departure was scheduled before the scandal was discovered – and CFO Barton Kalsu reportedly ” distorted and failed to disclose Part of the critical details of the case. The security position of the company was not clear to the shareholders, the share price would, according to them, have been unduly found ” inflated “. The document (posted online by TheRegister) states that the ad generated a ” precipitous decline in action “, Which led to” significant loss and damage. “
In the numbers, the SolarWinds share price has slumped from nearly $ 25 to less than $ 15 in the wake of the revelations. And it was only very recently that he again approached his pre-attack value. Reuters also reports that the first version of the complaint accused Kevin Thompson of cutting some cybersecurity budgets in an attempt to deliver bigger dividends to the group’s two largest shareholders, who held 40% of the shares between them. The plaintiffs ask for damages, without specifying the amount.
“We could not anticipate”
For its part, SolarWinds pleads that it would be ” victim of one of the most sophisticated cyberattacks in history “, And that” sophisticated cybercrime Should not be distorted into a story of security breaches, as The Register spotted. Indeed, to support their cause, the plaintiffs cite the history of the password “solarwinds123”, which resurfaced when the attack was discovered. Researcher Vinoth Kumar claimed he found the simplistic password in November 2019 on a misconfigured GitHub repository. The identifier would have allowed him to access the SolarWinds server targeted by the Russian attack, but a few months before the latter. Still, the link between this incident and the supply chain attack has never been proven. For its part, SolarWinds says that it fixed the incident on the spot, and it recalls that the link of the password with the production engine has not been proven by the legal team of investors.
The company is now asking federal justice to take into account the exceptional nature of the cyberattack suffered, and not to follow up on the complaint. If the term ” most sophisticated in history Can be argued, SolarWinds has indeed suffered an extraordinary attack. According to several private investigations and that of the White House itself, the attack is attributed to the SVR, a branch of Russian intelligence, which relies on high-level hacker teams. Reports note, for example, the excellent ability of malware launched against SolarWinds to bypass detection tools. The group thus affirms that it “ could not anticipate these techniques and put in place adequate preventive measures “. It is now up to the federal justice to assess its defense.