SolarWinds investors have sued the company’s directors, alleging that they knew about the cyber security risks to the firm, but failed to implement or oversee any reasonable monitoring system ahead of last year’s massive hack.
The breach enabled threat actors to compromise at least nine US government agencies and hundreds of private firms after exploiting a security bug in SolarWinds’ software.
The derivative lawsuit was filed in Delaware Chancery Court by the Construction Industry Laborers Pension Fund, the Central Laborers’ Pension Fund, and two individual SolarWinds investors on 4th November.
It names a mix of current and former directors as defendants, accusing them of turning a blind eye to widespread warnings before the hack about “heightened risk” of “supply chain” attacks on cybersecurity firms themselves.
“These oversight failures had grave consequences,” it says.
The lawsuit seeks damages on behalf of the firm and reforms to its policies on cyber-security oversight.
A SolarWinds spokesman told Bloomberg Law that the company does not comment on pending litigation, but the “action is similar to a purported derivative lawsuit filed earlier this year.”
“More importantly, we continue to focus on deepening our relationships with customers and openly discussing our Secure by Design initiatives as we look to set the standard for secure software development,” the spokesperson added.
SolarWinds has previously said it is cooperating with the US Securities and Exchange Commission (SEC), Department of Justice, and other agencies over investigations into the breach.
The company has also moved to dismiss another shareholder lawsuit seeking damages for a decline in its share price.
The SolarWinds attack, which sent shockwaves through the USA and around the world, was disclosed in December 2020, after the US Treasury Department and the US Department of Commerce’s National Telecommunications and Information Administration (NTIA) were compromised in a massive cyber campaign.
An investigation revealed that the hackers managed to breach the networks of multiple organisations after compromising SolarWinds’ network monitoring software Orion.
The software was widely used by government departments and private companies.
The attackers inserted malicious code into legitimate software updates for Orion, which gave them remote access to victims’ environments.
The White House blamed Russia for the intelligence coup and sanctioned several Russian officials and organisations in April. Russia has denied the allegations, saying it had no involvement in the hack.
In June, the US Cybersecurity and Infrastructure Security Agency (CISA) acting director Brandon Wales acknowledged in a letter to Senator Ron Wyden that implementing basic security measures could have helped deter or minimise the massive hack.
Wales noted that firewalls placed in computer networks of victim organisations could have helped block the malware used in the SolarWinds attack.
Last month, Microsoft said that SolarWinds hackers were back and attacking supply chains.
The company noted that the Russia-linked hacking group Nobelium, which has been blamed for the SolarWinds intrusion, was targeting key players in the global IT supply chain as part of a new campaign.
This time, the threat group was seen attacking a different part of the supply chain: resellers and other tech service providers who assist end users in customising, deploying and managing cloud services and other technologies.
Microsoft believes Nobelium ultimately hopes “to piggyback on any direct access that resellers may have to their customers’ IT systems and more easily impersonate an organisation’s trusted technology partner to gain access to their downstream customers.”