Exclusive: Wide-ranging SolarWinds probe sparks fear in Corporate America
[September 10, 2021] By Christopher Bing, Chris Prentice and Joseph Menn
(Reuters) - A U.S. Securities and Exchange
Commission investigation into the SolarWinds Russian hacking operation
has dozens of corporate executives fearful information unearthed in the
expanding probe will expose them to liability, according to six people
familiar with the inquiry.
The SEC is asking companies to turn over records into "any other" data
breach or ransomware attack dating back to October 2019 if they
downloaded a bugged network-management software update from SolarWinds
Corp, which delivers products used across corporate America, according
to details of the letters shared with Reuters.
People familiar with the inquiry say the requests may reveal numerous
unreported cyber incidents unrelated to the Russian espionage campaign,
giving the SEC a rare level of insight into previously unknown incidents
that the companies likely never intended to disclose.
"I've never seen anything like this," said a consultant who works with
dozens of publicly traded companies that recently received the request.
"What companies are concerned about is they don't know how the SEC will
use this information. And most companies have had unreported breaches
since then." The consultant spoke on condition of anonymity to discuss
his experience.
An SEC official said the request's intent was to find other breaches
relevant to the SolarWinds incident.
The SEC told companies they would not be penalized if they shared data
about the SolarWinds hack voluntarily, but did not offer that amnesty
for other compromises.
Cyberattacks have grown in both frequency and impact, prompting deep
concern in the White House over the last year. U.S. officials have
faulted companies for failing to disclose such events, arguing that it
conceals the extent of the problem from shareholders, policymakers and
law enforcement looking for the worst offenders.
People familiar with the SEC investigation told Reuters the letters went
to hundreds of companies, including many in the technology, finance and
energy sectors, thought to be potentially affected by the SolarWinds
attacks. That number exceeds the 100 that the Department of Homeland
Security said had downloaded the bad SolarWinds software and then had it
exploited.
Since last year, only about two dozen firms have been publicly
identified as impacted, including Microsoft Corp, Cisco Systems, FireEye
Inc and Intel Corp. Of those contacted for this story only Cisco
confirmed receiving the SEC letter. A Cisco spokesperson said it has
responded to the SEC's request.
Cybersecurity research
(https://www.netresec.com/?page=Blog&month=2021-01&post=Twenty-three-SUNBURST-Targets-Identified)
has also suggested
software maker Qualys Inc and oil energy company Chevron Corp were among
those targeted in the Russian cyber operation. Both declined to comment
on the SEC investigation.
The SolarWinds logo is seen outside its headquarters in Austin,
Texas, U.S., December 18, 2020. REUTERS/Sergio Flores/File Photo
About 18,000 clients of SolarWinds downloaded a hacked version of its software,
which the cyber criminals manipulated for potential future access. Yet only a
small subset of those customers saw follow-on hacking activity, suggesting the
attackers infected far more companies than they ultimately victimized.
The SEC sent letters last month to companies believed to have been affected,
following an initial round sent in June
(https://www.reuters.com/technology/us-sec-official-says-agency-has-begun-probe-cyber-breach-by-solarwinds-2021-06-21),
according to six sources who have seen the letters.
The second wave of requests was addressed to recipients at companies from the
first round who had not responded. The exact number of recipients is unclear.
The current probe is “unprecedented” in terms of the lack of clarity over the
SEC's goal in such a large sweep, said Jina Choi, a partner at Morrison &
Foerster LLP and former SEC director who has worked on cybersecurity cases.
Though the SEC issued guidance a decade ago calling for companies to disclose
hacks that could be material, then updated that guidance in 2018, most
admissions have been vague.
Gary Gensler, who took the helm at the SEC in April, has tasked the agency with
issuing new disclosure requirements ranging from cybersecurity to climate risk.
While the hack was first reported by Reuters
(https://www.reuters.com/article/us-usa-cyber-treasury-exclusive-idUSKBN28N0PG)
more than nine months ago, the actual impact of the wide-scale digital spying
operation, which U.S. officials say came from a Russian intelligence service,
remains largely unknown.
Government officials have shied away from sharing a comprehensive account of
what was stolen or what the Russians were after, but described it as traditional
government espionage.
Scores of companies have referred to the hacks in SEC filings, but many cite the
events only as an example of the sort of intrusion they might one day
experience. Most that say they had SolarWinds software installed add that they
do not believe their most sensitive data was taken.
John Reed Stark, former head of the SEC’s office of internet enforcement, said
“companies will struggle to answer these questions – not just because these are
broad, sweeping and all-encompassing requests, but also because the SEC is bound
to discover some sort of mistake” in what they've previously disclosed.
(Reporting by Christopher Bing, Chris Prentice and Joseph Menn; Editing by Chris
Sanders and Edward Tobin)
[© 2021 Thomson Reuters. All rights reserved.] This material may not be published,
broadcast, rewritten or redistributed.
Thomson Reuters is solely responsible for this content.