On Dec. 8, the cybersecurity firm FireEye announced that hackers had broken into its servers and stolen sensitive security-testing tools as part of a breach it had discovered in recent weeks. FireEye determined by Friday that SolarWinds’ updates had been corrupted and contacted the company shortly after, according to people familiar with the matter.
A SolarWinds spokesman declined to discuss timing or answer further questions about the trades.
SolarWinds makes a popular set of network-management tools that companies and government agencies use to manage their increasingly complicated computer systems and watch for outages, slowdowns, bottlenecks and security breaches.
But the software’s intimate access to companies’ computer systems also made it a prized target for hackers, who, by altering a SolarWinds software update rolled out in March, gained a back door into thousands of sensitive corporate and government networks, including FireEye and the departments of Commerce, Homeland Security, State and Treasury.
It’s unknown when SolarWinds’ executives and insiders first learned of the hack. But a former enforcement official at the U.S. Securities and Exchange Commission and an accounting expert both said the trades would likely spark an investigation by federal securities watchdogs into whether they amounted to insider trading.
“Of course the SEC is going to look at that,” said Jacob S. Frenkel, a former senior counsel in the SEC’s Division of Enforcement. “Large trades in advance of a major announcement, then an announcement: That is a formula for an insider trading investigation.”
Frenkel said a probe could take up to a year as investigators seek to determine whether insiders traded on information that “would be important to a reasonable investor.” Frenkel has no financial relationship to SolarWinds or its investors, he added.
Silver Lake, a Silicon Valley investor with a history of high-profile tech deals including Airbnb, Dell and Twitter, sold $158 million in shares of SolarWinds on Dec. 7 — six days before news of the breach became public. Thoma Bravo, a San Francisco-based private equity firm, also sold $128 million of its shares in SolarWinds on Dec. 7.
Together, the two investment firms own 70 percent of SolarWinds and control six of the company’s board seats, giving the firms access to key information and making their stock trades subject to federal rules around financial disclosures.
Three executives from Thoma Bravo are directors on the SolarWinds board: Seth Boro, James Lines and Michael Hoffman. Three executives from Silver Lake — Kenneth Hao, Michael Bingle and Mike Widmann — are also on the board.
It was both investors’ largest sale of SolarWinds stock since the company went public in 2018. Last year, Silver Lake sold about $140 million and Thoma Bravo sold about $110 million in shares, according to regulatory filings.
In a joint statement, representatives from Silver Lake and Thoma Bravo said the stock sale was a “private placement” with a single institutional investor, and added that the investment firms “were not aware of this potential cyberattack at SolarWinds prior to entering into” the deal.
Chandler Smith Costello, a spokeswoman for the SEC, declined to comment.
The sequence of events could also raise questions about whether investors traded on inside information about the change in leadership, said Daniel Taylor, a professor of accounting at the Wharton School of the University of Pennsylvania. The largest stock sales happened on Dec. 7, the same day Thompson resigned, but two days before the company’s announcement of its new CEO.
“Naming a CEO is certainly a material development, and board members almost certainly would have known of that in advance,” said Taylor, whose research focuses on insider trading.
Thompson, the outgoing CEO, also sold more than $15 million in shares of SolarWinds last month, according to filings. Those transactions were part of a preplanned schedule of stock trading, the filings said.
The company has said that Sudhakar Ramakrishna, a former executive of the software companies Citrix Systems and Pulse Secure, will take over after Thompson’s resignation takes effect at the end of the year.
The 21-year-old SolarWinds collected more than $900 million in revenue last year, thanks largely to an explosion of business from industry and U.S. government agencies. The SolarWinds product that was compromised, Orion, brought in roughly $343 million in the first nine months of this year, 45 percent of the company’s total revenue for that period, the company said in a federal securities filing Monday.
“We don’t think anyone else in the market is really even close in terms of the breadth of coverage we have,” Thompson said on a call with investment analysts in October. “You name a database, you name a deployment model, we now provide not just some level of monitoring and management, but a deep level of monitoring and management. … We manage everyone’s network gear.”
But hackers, cybersecurity experts said, were able to exploit Orion’s deep access by altering a software update that the company began rolling out to clients’ computers between March and June of this year. The subsequent cyberespionage campaign lasted months.
SolarWinds said in the Monday filing that “fewer than 18,000” of its more than 300,000 customers may have been affected. But even that set could have disastrous implications because the company has said it provides software to the U.S. military, the Pentagon, the White House, the Federal Reserve and most of the big companies in the Fortune 500.
DHS’s Cybersecurity and Infrastructure Security Agency on Monday issued a rare emergency directive ordering every federal agency to immediately disconnect any computer running Orion software.
SolarWinds has not said when precisely it learned of the intrusion. In its filing Monday, the company said only that it “was made aware of an attack vector” used in the breach.
On Saturday, the National Security Council held an emergency meeting to discuss the breach, according to Reuters, which first reported the breach Sunday.
On Sunday night, SolarWinds announced the vulnerability and noted a “highly sophisticated, targeted, and manual supply chain attack by an outside nation state.” The company said it was working with the FBI, the intelligence community and law enforcement to investigate the attack.
The attack was spearheaded by the same hacking group inside Russia’s foreign intelligence service that previously infiltrated the White House’s email servers, people familiar with the matter told The Washington Post. Russia has denied involvement in the attack.
Ellen Nakashima contributed to this report.