In a new wrinkle in the still-unfolding SolarWinds saga, it seems that some of the company’s top investors sold off close to a collective $280 million dollars in stock just days before the news of its role in a far-reaching federal cyberattack became public.
That’s according to a new Washington Post report that specifically calls out two investment firms—Silver Lake and Thoma Bravo—that together own a whopping 70% of all SolarWind’s stock and controlled six of the company’s board seats. The two firms sold off, respectively, $158 million dollars and $128 million dollars in shares on December 7—six days before SolarWinds disclosed that some of its monitoring products were subject to a “highly-sophisticated” attack at the hands of an unnamed nation state.
Interestingly enough, these sales also happened just days before the company’s longterm CEO, Kevin Thompson, announced his resignation after close to 10 years with the company.
The sequence of events could raise eyebrows among enforcement officials, considering how SolarWinds’s stock took a tumble of about 22% in the immediate aftermath of the breach. Jacob S. Frenkel, as former senior counsel at the SEC told The Post, large trades in advance of any major announcement—like a change in leadership or the disclosure of a major breach—is “a formula for an insider trading investigation.” A probe like this could take up to a year, he added.
Just to briefly review how SolarWinds ended up in the cyber spotlight: on December 8th, the cybersecurity firm FireEye disclosed that it had fallen victim to a cyberattack that, as CEO Kevin Mandia said in a blog post at the time, ultimately resulted in some high-profile hacking tools getting hijacked from the company. Mandia didn’t speculate publicly on who was behind the attack, but White House officials have pointed to Russian Intelligence agencies as a potential culprit, according to separate reports by The Post and The Times.
Ultimately, the attack was traced to a backdoor that was built into Orion—an IT management platform that SolarWinds produces, which some industry sources told The Wall Street Journal formed the foundational “plumbing” for an untold number of companies. In a filing with the SEC, SolarWinds stated that it earned roughly $343 million in the first nine months of this year from its myriad Orion products. In total, that accounted for close to 45% of the company’s revenue for that period.
In the aftermath of the attack, SolarWinds disclosed that of the 33,000 Orion platform users, “fewer than 18,000" downloaded an update during March and June of this year that came surreptitiously packaged with malware, according to the company. Aside from FireEye, Reuters later reported that the SolarWinds backdoor was used to breach systems belonging to the Department of Homeland Security, Treasury and Commerce, among others.
The same day that SolarWinds issued its disclosure, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive stating that this compromise posed “unacceptable risks” to the overall safety and security of federal networks.
In a joint statement to The Post, representatives from both Silver Lake and Thomas Bravo said that the stock sales resulted from a “private placement” with a single investor, and that neither were aware of the impending cyber attack prior to entering that deal. We’ve reached out to SolarWinds for comment and will update here when we hear back.