SolarWinds Hack: Wide-Ranging SEC Probe Sparks Fear in Corporate America

People familiar with the inquiry say the requests may reveal numerous unreported cyber incidents unrelated to the Russian espionage campaign.

Advertisement
By Reuters | Updated: 10 September 2021 14:43 IST
Highlights
  • Cyberattacks have grown in both frequency and impact
  • US officials have faulted companies for failing to disclose such events
  • Cybersecurity has risen to the top of the agenda for Biden administration
SolarWinds Hack: Wide-Ranging SEC Probe Sparks Fear in Corporate America

About 18,000 clients of SolarWinds downloaded a hacked version of its software

A US Securities and Exchange Commission investigation into the SolarWinds Russian hacking operation has dozens of corporate executives fearful information unearthed in the expanding probe will expose them to liability, according to six people familiar with the inquiry.

The SEC is asking companies to turn over records into "any other" data breach or ransomware attack dating back to October 2019 if they downloaded a bugged network-management software update from SolarWinds, which delivers products used across corporate America, according to details of the letters shared with Reuters.

People familiar with the inquiry say the requests may reveal numerous unreported cyber incidents unrelated to the Russian espionage campaign, giving the SEC a rare level of insight into previously unknown incidents that the companies likely never intended to disclose.

"I've never seen anything like this," said a consultant who works with dozens of publicly traded companies that recently received the request. "What companies are concerned about is they don't know how the SEC will use this information. And most companies have had unreported breaches since then." The consultant spoke on condition of anonymity to discuss his experience.

Advertisement

An SEC official said the request's intent was to find other breaches relevant to the SolarWinds incident.

The SEC told companies they would not be penalised if they shared data about the SolarWinds hack voluntarily, but did not offer that amnesty for other compromises.

Advertisement

Cyberattacks have grown in both frequency and impact, prompting deep concern in the White House over the last year. US officials have faulted companies for failing to disclose such events, arguing that it conceals the extent of the problem from shareholders, policymakers and law enforcement looking for the worst offenders.

People familiar with the SEC investigation told Reuters the letters went to hundreds of companies, including many in the technology, finance and energy sectors, thought to be potentially affected by the SolarWinds attacks. That number exceeds the 100 that the Department of Homeland Security said had downloaded the bad SolarWinds software and then had it exploited.

Advertisement

Since last year, only about two dozen firms have been publicly identified as impacted, including Microsoft, Cisco Systems, FireEye, and Intel. Of those contacted for this story only Cisco confirmed receiving the SEC letter. A Cisco spokesperson said it has responded to the SEC's request.

Cybersecurity research has also suggested software maker Qualys and oil energy company Chevron Corp were among those targeted in the Russian cyber operation. Both declined to comment on the SEC investigation.

About 18,000 clients of SolarWinds downloaded a hacked version of its software, which the cybercriminals manipulated for potential future access. Yet only a small subset of those customers saw follow-on hacking activity, suggesting the attackers infected far more companies than they ultimately victimised.

The SEC sent letters last month to companies believed to have been affected, following an initial round sent in June, according to six sources who have seen the letters.

The second wave of requests were addressed to recipients at companies from the first round who had not responded. The exact number of recipients is unclear.

The current probe is “unprecedented” in terms of the lack of clarity over the SEC's goal in such a large sweep, said Jina Choi, a partner at Morrison & Foerster and former SEC director who has worked on cybersecurity cases.

Though the SEC issued guidance a decade ago calling for companies to disclose hacks that could be material, then updated that guidance in 2018, most admissions have been vague.

Gary Gensler, who took the helm at the SEC in April, has tasked the agency with issuing new disclosure requirements ranging from cybersecurity to climate risk.

While the hack was first reported by Reuters more than nine months ago, the actual impact of the wide-scale digital spying operation, which US officials say came from a Russian intelligence service, remains largely unknown.

Government officials have shied away from sharing a comprehensive account of what was stolen or what the Russians were after, but described it as traditional government espionage.

Scores of companies have referred to the hacks in SEC filings, but many cite the events only as an example of the sort of intrusion they might one day experience. Most that say they had SolarWinds software installed add that they do not believe their most sensitive data was taken.

John Reed Stark, former head of the SEC's office of internet enforcement, said “companies will struggle to answer these questions – not just because these are broad, sweeping and all-encompassing requests, but also because the SEC is bound to discover some sort of mistake" in what they've previously disclosed.

© Thomson Reuters 2021


How will India's new liberalised drone rules impact the industry? And where are they left wanting? We discussed this on Orbital, the Gadgets 360 podcast. Orbital is available on Apple Podcasts, Google Podcasts, Spotify, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.
 

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Advertisement

Related Stories

Popular Mobile Brands
  1. Kuberaa Now Available for Streaming on Amazon Prime Video
  1. Hubble Unveils Dark Matter Web in Stunning Abell 209 Galaxy Cluster Image
  2. Magnetic Wave Study Detects Lithium in Mercury’s Exosphere for First Time Ever
  3. Indian Scientists Unravel the Mystery Behind Rare Aurora Over Ladakh
  4. New Climate Model Uncovers Detailed Regional Effects of Global Warming
  5. Yeh Saali Naukri Streaming Now: Know Everything about Cast, Plot, Trailer, and More
  6. Kuberaa Now Available for Streaming on Amazon Prime Video
  7. Practical People Win Now Streaming on Jio Hotstar: What You Need to Know About Zarna Garg's New Comedy Special
  8. Good Boy Now Streaming on Prime Video: Know Everything About This Action Drama Series
  9. Hubble Uncovers Multi-Age Stars in Ancient Cluster, Reshaping Galaxy Origins
  10. sPHENIX at RHIC Delivers First Results, Sets Stage for Quark–Gluon Plasma Studies
Gadgets 360 is available in
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.