SolarWinds SUNBURST: SEC Fines Four Companies for Misleading Investors
Between March and June 2020, Russian intelligence service SVR (APT29/Cozy Bear) distributed trojanized SolarWinds Orion software updates as part of the SUNBURST supply chain attack, with exploitation continuing until discovery in December 2020. The campaign gained access to approximately 18,000 organizations including U.S. government agencies.
KEY FACTS
- What: Russian SVR compromised SolarWinds Orion updates, hitting 18,000 organizations.
- Who: Unisys, Avaya, Check Point, and Mimecast were fined by the SEC.
- Data Exposed: 33GB at Unisys; files, credentials, and source code at others.
- Outcome: SEC fined four companies up to $4M each for misleading disclosures.
WHAT WAS EXPOSED
- ~18,000 organizations installed the trojanized SolarWinds Orion update containing SUNBURST
- ~100 organizations were actively exploited by SVR for intelligence collection
- Compromised targets included U.S. Treasury, Commerce, DHS, and State departments
- Unisys: 33GB exfiltrated across two separate intrusions
- Avaya: 145+ files accessed in a cloud file-sharing environment
- Mimecast: encrypted credentials exfiltrated and source code accessed
The enforcement action established that public companies have an affirmative obligation to provide accurate, specific disclosures about known cybersecurity incidents rather than generic, hypothetical risk language. Being a victim does not excuse misleading investors about the attack's impact.
SOURCES
SEC Administrative Proceedings (Files 3-22280 through 3-22283), SEC Cybersecurity Disclosure Rules 2023, CISA/NSA/FBI Joint Advisory, FireEye/Mandiant SUNBURST Analysis