According to six people familiar with the matter, the US Securities and Exchange Commission’s investigation of Russia’s hacking operations revealed that dozens of corporate executives feared that the information discovered in the expanded investigation would hold them accountable.

The requires companies to convert their records to “any other” data breach or ransomware attack dating back to October 2019, provided that they downloaded a vulnerable network management software update from SolarWinds, which provides products used by companies in the United . Letter with Reuters.

People familiar with the investigation said that these requests may reveal many unreported cyber incidents unrelated to Russian espionage, giving the a rare understanding of previously unknown incidents that these companies may never intend to disclose.

“I have never seen anything like this,” said a consultant who has worked with dozens of listed companies that have recently received requests. “The ’s concern is that they don’t know how the will use this information. then, most companies have had unreported violations.” The consultant spoke on condition of anonymity to discuss his experience .

An official stated that the purpose of the request was to discover other violations related to the SolarWinds incident.

The told the company that if they voluntarily share data about the SolarWinds , they will not be punished, but will not provide amnesty for other compromises.

The frequency and impact of cyber attacks are increasing, and they have attracted deep attention from the White House last year. US officials accused the company of failing to disclose such incidents, saying it concealed the severity of the problem from shareholders, policymakers and law enforcement agencies in order to find the most serious offenders.

See also  Bafta Games Awards: Death Stranded and Controlled Leading Nomination

A person familiar with the US Securities and Exchange Commission’s investigation told Reuters that the letter was sent to hundreds of companies, including many in the technology, finance, and energy industries, which are believed to be likely to be affected by the SolarWinds attack. This number exceeds the 100 that the of Homeland Security said that bad SolarWinds software was downloaded and then used.

last year, only about 22 companies have been publicly identified as being affected, including , Cisco Systems, FireEye and Intel. Of the people contacted for this story, only Cisco that it had received a letter from the US Securities and Exchange Commission. A Cisco spokesperson said that it has responded to the SEC’s request.

Cyber ​​security research also that software manufacturer Qualys and petroleum energy company Chevron Corp are targets of Russian cyber operations. Both declined to comment on the US Securities and Exchange Commission’s investigation.

Approximately 18,000 customers of SolarWinds downloaded a hacker version of its software, which cybercriminals manipulated for future access. However, only a small percentage of customers have seen subsequent hacking activities, which shows that the attackers have infected far more companies than the companies they ultimately suffer.

According to six sources who have read the letters, after the first round of investigations in June, the sent letters to companies believed to be affected last month.

The second wave of requests is for recipients of companies that did not respond in the first round. The exact number of recipients is not yet known.

See also  Persistent sci-fi fear of survival, jump from PSVR to May switch

Jina Choi, a partner at Morrison & Foerster and a former director who handled cybersecurity cases, said that the current investigation is “unprecedented” because the SEC’s objectives lack clarity in such a large-scale investigation.

Although the U.S. Securities and Exchange Commission issued guidelines ten years ago that required companies to disclose potentially important hacking activities, and then updated the guidelines in 2018, most admitted that they were vague.

Gary Gensler, who took the helm at the in April, has instructed the agency to issue new disclosure requirements ranging from cybersecurity to climate risk.

Although Reuters first reported the hacking attack more than nine months ago, the actual impact of its large-scale digital espionage operations from Russian agencies is still largely unknown by US officials.

Government officials avoided sharing full descriptions of stolen items or content pursued by the Russians, but described them as traditional government espionage.

Many companies have mentioned hacking attacks in SEC documents, but many companies only use these incidents as an example of the kind of intrusion they might encounter one day. Most people who said they installed the SolarWinds software added that they don’t believe their most sensitive data has been stolen.

John Reed Stark, the former head of the SEC’s Internet Enforcement Office, said, “It will be difficult for companies to answer these questions-not only because these requirements are broad, comprehensive, and all-encompassing, but also because the SEC will find Some kind of error” is in their previous disclosures.

© Thomson Reuters 2021