US sues software company targeted in massive Russian cyber espionage campaign

The U.S. on Monday sued a software company targeted in a massive Russian cyber espionage campaign.

The Securities and Exchange Commission (SEC) suit against Texas-based SolarWinds is seeking civil penalties, reimbursement of “ill-gotten gains” and the removal of the company’s top security executive, Tim Brown, according to The Associated Press.

“We allege that, for years, SolarWinds and Brown ignored repeated red flags about SolarWinds’ cyber risks, which were well known throughout the company and led one of Brown’s subordinates to conclude: ‘We’re so far from being a security minded company,’” Gurbir S. Grewal, director of the SEC’s Division of Enforcement, said in a press release.

The December 2020 SolarWinds hack resulted in the breaching of government agencies including the Justice Department and the Department of Homeland Security, as well as more than 100 private companies and think tanks.

The complaint says that in the same month as SolarWinds registered for an initial public offering in late 2018, Brown said in an internal presentation the company’s “current state of security leaves us in a very vulnerable state,” according to the AP.

“… it is alarming that the Securities and Exchange Commission (SEC) has now filed what we believe is a misguided and improper enforcement action against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages,” SolarWinds President and CEO Sudhakar Ramakrishna said in a blog post Monday.

Brown’s lawyer, Alec Koch, said in a statement that his client “has worked tirelessly and responsibly to continuously improve the Company’s cybersecurity posture throughout his time at SolarWinds.”

“[W]e look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint,” Koch continued in a statement emailed to The Hill. 

In an emailed statement, a spokesperson for SolarWinds said that the company is “disappointed by the SEC’s unfounded charges related to a Russian cyberattack on an American company and are deeply concerned this action will put our national security at risk.”

The Associated Press contributed. 

This story was updated at 1:31 p.m.