US Financial Regulator ‘Carrying Out Massive SolarWinds Probe’

The US financial regulator is reportedly engaging in a large-scale probe into the effects of the SolarWinds hack that affected companies around the world.

The investigation is worrying to large US companies, who fear the information they disclose to the Securities and Exchange Commission (SEC) could expose them to liability, Reuters reported.

The SEC’s enforcement staff have reportedly sent letters to hundreds of companies, including those in the technology, finance and energy sectors, asking for data.

The letters ask companies that downloaded infected SolarWinds software to disclose “any other” data breach or ransomware attack since October 2019.

Espionage

The infected SolarWinds Orion software, said by US authorities to have been hacked by a Russian government-backed group, was released from March to June 2020, but the hack was not discovered until late last year.

US authorities have characterised the attack, which breached a number of US government agencies, as an act of conventional government espionage.

The infected Orion updates were downloaded by around 18,000 SolarWinds Orion users, SolarWinds has said in an SEC filing, although hackers are thought to have actively attacked a small subset of those.

The US Department of Homeland Security has said about 100 organisations were actively attacked, with about two dozen companies having been publicly identified to date, including Microsoft, Cisco, FireEye and Intel.

Unreported breaches

The SEC’s investigation is likely to reveal many previously unreported cyber incidents, unnamed sources told Reuters.

“Most companies have had unreported breaches since then,” an unnamed consultant told the news agency.

“What companies are concerned about is they don’t know how the SEC will use this information,” the consultant added.

Companies are already obliged to disclose any cyber-incidents that are material to investors, and the requests are voluntary.

The SEC told companies in the letters they would not be penalised if they share data about the SolarWinds incident voluntarily, but did not extend the amnesty to other compromises or breaches they might disclose.

Data-gathering

The SEC said the intent of the investigation is to find other breaches relevant to the SolarWinds hack.

The letters were initially sent in June, with a second round sent in August to companies that had not responded.

To date, the effect of the massive hacking campaign remains largely unknown, with many companies saying in regulatory filings simply that their internal investigations into it are ongoing.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
