SolarWinds SUNBURST: SEC Fines Four Companies for Misleading Investors
Between March and December 2020, Russian intelligence service SVR (APT29/Cozy Bear) executed the SUNBURST supply chain attack through compromised SolarWinds Orion software updates, gaining access to approximately 18,000 organizations including U.S. government agencies.
In October 2024, the SEC charged and fined four publicly traded companies, Unisys ($4 million), Avaya ($1 million), Check Point ($995,000), and Mimecast ($990,000), for making materially misleading disclosures to investors about the impact of the attack on their own environments.
KEY FACTS
- What: Russian SVR compromised SolarWinds Orion updates, hitting 18,000 organizations.
- Who: Unisys, Avaya, Check Point, and Mimecast were fined by the SEC.
- Data Exposed: 33GB at Unisys; files, credentials, and source code at others.
- Outcome: SEC fined four companies up to $4M each for misleading disclosures.
WHAT WAS EXPOSED
- ~18,000 organizations installed the trojanized SolarWinds Orion update containing SUNBURST
- ~100 organizations were actively exploited by SVR for intelligence collection
- Compromised targets included U.S. Treasury, Commerce, DHS, and State departments
- Unisys: 33GB exfiltrated across two separate intrusions
- Avaya: 145+ files accessed in cloud file-sharing environment
- Mimecast: encrypted credentials exfiltrated and source code accessed
The enforcement action established that public companies have an affirmative obligation to provide accurate, specific disclosures about known cybersecurity incidents, rather than describing an incident that has already occurred in generic, hypothetical risk language.
Being a victim of the attack does not excuse misleading investors about its impact.
SOURCES
SEC Administrative Proceedings (Files 3-22280 through 3-22283), SEC Cybersecurity Disclosure Rules 2023, CISA/NSA/FBI Joint Advisory, FireEye/Mandiant SUNBURST Analysis