The United States Securities and Exchange Commission (SEC) informed the market yesterday that it is fining four companies for intentionally misleading investors about the severity of the SolarWinds breach, which occurred in September 2019 and was revealed in 2020. The companies are Unisys, Avaya, Check Point Software and Mimecast. The attack was conducted by the APT29 group (also known as Cozy Bear or Turla Group, allegedly sponsored by Russia), and compromised the US-based network monitoring company SolarWinds. The compromise resulted in one of the largest supply chain attacks in history, as the group inserted malicious payloads into SolarWinds Orion toolchain updates.
The United States Securities and Exchange Commission announced the following fines:
- Unisys: $4,000,000
- Avaya: $1,000,000
- Check Point Software: $995,000
- Mimecast: $990,000
According to the SEC communication, Unisys, Avaya, and Check Point discovered the breach in 2020, and Mimecast in 2021. The threat actor behind the SolarWinds Orion incident accessed their systems without authorization, but each company “negligently downplayed its cybersecurity incident in its public disclosures. The SEC’s order against Unisys finds that the company described its risks from cybersecurity events as hypothetical, despite knowing that it had suffered two SolarWinds-related intrusions involving exfiltration of gigabytes of data.”
The note also concludes that “these materially misleading disclosures resulted in part from Unisys’s deficient disclosure controls. The SEC’s order against Avaya concludes that it declared that the threat actor accessed a limited number of email messages from [the company] when Avaya knew that the threat actor had also accessed at least 145 files in its cloud sharing environment.”
The SEC’s order against Check Point concludes that it knew of the intrusion, but described the cyber intrusions and their risks in generic terms. The order charging Mimecast concludes that the company minimized the attack by not revealing the nature of the code that the threat actor exfiltrated and the number of encrypted credentials that the actor accessed.
See the original post at: CisoAdvisor