Testimony Request Targets Cybersecurity Concerns Raised by Ex-SolarWinds Engineer
Federal regulators want to obtain oral testimony from a former SolarWinds engineer who documented concerns over a network vulnerability tied to VPN access and unmanaged devices.
The U.S. Securities and Exchange Commission wants to get assistance from the Czech Republic's Ministry of Justice in securing testimony from Robert Krajcir, who used to work at SolarWinds and resides in the Czech Republic. The SEC said it offered to depose Krajcir voluntarily in Germany or at the U.S. Embassy in Prague, but Krajcir - who's represented by SolarWinds' legal counsel - has declined those options.
District Judge Paul Engelmayer has ordered SolarWinds and CISO Tim Brown to respond to the SEC's request for foreign judicial assistance by Friday, with any reply from the SEC due by Nov. 15. If Judge Engelmayer allows the SEC to proceed with its request, the agency will ask the Czech Ministry of Justice to respond within 60 days so that the SEC can gather testimony from Krajcir well in advance of an expected 2025 trial date (see: Why SEC, SolarWinds Eye Settlement Talks in Cyber Fraud Case).
The SEC said SolarWinds and CISO Tim Brown committed securities fraud by publicly misrepresenting the company's cybersecurity practices between October 2018 and December 2020. Krajcir's testimony, the SEC said, is vital for insight into the network access control and VPN vulnerabilities that undermine SolarWinds' security claims. SolarWinds declined to comment, while Brown and Krajcir didn't respond to inquiries from Information Security Media Group.
The SEC said SolarWinds publicly claimed only essential access rights were granted to employees and contractors. However, the SEC alleges SolarWinds allowed broad access privileges across its network, contradicting its public statements. Because Brown knew of these systemic security vulnerabilities, the SEC said, the inconsistencies between SolarWinds' statements and its internal security posture misled investors (see: Judge Dismisses Most SEC Fraud Claims Against SolarWinds).
Regulators want Krajcir to testify about a particular vulnerability he found related to SolarWinds' VPN access, which enabled unmanaged devices to connect to the network. The SEC said Krajcir referred to this as a "security gap" that went unresolved despite multiple attempts to address it with SolarWinds' management. Krajcir's recommendations were met with reluctance or resistance, the SEC alleges.
The SEC said Krajcir's perspective on network management and cybersecurity practices during his employment at SolarWinds is unique and unobtainable from other sources. The Czech Republic and U.S. are both signatories to a legal framework that allows U.S. courts to seek evidence from people living abroad, and the SEC said its request is routine and aligns with international cooperation agreements.
In emails from summer 2018, Krajcir noted that anyone with Active Directory credentials could access SolarWinds' corporate Wi-Fi and VPN from any device, including personal or unmanaged devices that were not joined to the company's domain. Krajcir said devices connecting via VPN could bypass security checks, potentially downloading harmful content or spreading malware without detection.
To mitigate these vulnerabilities, Krajcir suggested using certificates to authenticate devices connecting to the VPN and reducing user privileges to prevent them from installing unauthorized software. Despite his efforts, Krajcir's emails from summer 2018 indicate that his recommendations were either delayed or not fully implemented, which the SEC said reflects a disregard for security risks at the managerial level.
A presentation Krajcir created in August 2018 noted an absence of restrictions on unmanaged devices, an inability to monitor what devices are connected to the network, and a lack of options to enforce user identity verification. Krajcir said unmanaged devices had the same level of access as corporate devices, allowing them to access critical systems and potentially introduce malware into the core network.
Krajcir's email exchanges were met with limited action and skepticism, with one colleague questioning the need for such strict security controls and expressing concern over the practicality of Krajcir's proposed machine authentication measures. Other responses questioned whether certificate-based authentication could be enforced at all, specifically whether users would be able to export certificates from their machines.
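To make the gap and the proposed control concrete, here is an added example in OpenVPN server configuration. It is not SolarWinds' configuration and is not drawn from the court filings; the article only describes the effect. The first block admits anyone who can supply directory credentials, from any device. The second block additionally demands a certificate issued by a corporate device CA, which is the machine authentication Krajcir proposed. File paths, the CA names, the PAM service name and the inventory-check script are assumptions.

```conf
# --- Weak: directory credentials are the only gate -------------------------
# Any device that can present a valid AD username/password is admitted,
# including personal or unmanaged machines (the "security gap" in the text).
port 1194
proto udp
dev tun
ca   /etc/openvpn/server-ca.crt          # assumed path
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
# PAM service "openvpn" is assumed to be wired to the directory (e.g. via sssd)
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
verify-client-cert none                  # no client certificate required at all
username-as-common-name

# --- Hardened: user credentials AND a corporate device certificate ---------
port 1194
proto udp
dev tun
ca   /etc/openvpn/device-ca.crt          # assumed: CA that signs only managed-device certs
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
verify-client-cert require               # no device certificate, no TLS handshake
remote-cert-tls client                   # certificate must carry the TLS client-auth EKU
crl-verify /etc/openvpn/device-ca.crl    # revoke certificates of lost or retired devices
tls-verify /etc/openvpn/check-device-inventory.sh   # assumed script: CN must match a managed-device record
tls-version-min 1.2
tls-crypt /etc/openvpn/tls-crypt.key     # assumed pre-shared key; unauthenticated packets are dropped early
```

The colleagues' objection about exporting certificates is the real weakness of this control: a device certificate whose private key is an ordinary file can be copied to an unmanaged machine, and the server cannot tell the difference. Generating the key inside a TPM or an OS key store marked non-exportable removes that path; on Windows, OpenVPN can use such a certificate straight from the system store with `cryptoapicert "SUBJ:<device name>"` in place of the `cert`/`key` files. The privilege reduction Krajcir also recommended backs this up, since a user without local administrator rights cannot import a new trust anchor or swap in a different VPN client.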
The SEC argues that Krajcir's emails and presentation indicate that SolarWinds was aware of but failed to address substantial security vulnerabilities, even as it publicly assured investors of secure operations. Krajcir's perspective as a network engineer responsible for cybersecurity would provide critical insights into the discrepancy between SolarWinds' internal practices and public representations, the SEC argues (see: SEC Alleges SolarWinds, CISO Tim Brown Defrauded Investors).
Specifically, the SEC said SolarWinds' security statement emphasizes role-based access and network security controls, but Krajcir's emails reveal unmanaged devices with Active Directory credentials could access the network without sufficient restrictions. SolarWinds also said it engages in robust network monitoring, while Krajcir said the company was unable to track unmanaged devices on corporate Wi-Fi.
The SEC said its case is strengthened by evidence suggesting SolarWinds publicly overrepresented its cybersecurity capabilities while internally grappling with critical security controls that were either absent or inadequately enforced. The SEC said SolarWinds' security statement built trust with customers and investors by suggesting a well-protected environment, but internal documents reveal a different reality.