Date: 2025-07-08

The United States’ Securities and Exchange Commission (SEC) has reached a settlement in principle with SolarWinds in an ongoing case against the organisation and its chief information security officer, Tim Brown, over failings that led to the compromise of its IT performance management platform Orion by the Russian state hacking group known as Cozy Bear.

The so-called Sunburst/Solorigate supply chain incident that came to light in December 2020 saw malicious code introduced into the SolarWinds platform by the Russians, which was then unknowingly pushed to downstream targets as a legitimate update.

Almost 20,000 SolarWinds customers downloaded and installed the malicious updates, among them the likely true targets of the cyber attack: American government bodies such as the Department of Energy (DoE) and the National Nuclear Safety Administration (NNSA), which maintains the US nuclear weapons stock.

In a letter to presiding judge Paul Engelmayer of the US District Court for the Southern District of New York, SEC and SolarWinds representatives said they had reached a settlement in principle “that would completely resolve this litigation”, subject to review and approval by the SEC’s commissioners. They requested all pending dates in the case be stayed ahead of a planned filing date for the final settlement, set for 12 September.

Engelmayer congratulated both parties on a “productive development” and has subsequently stayed all deadlines in the case, as well as adjourning oral arguments set for later this month.

A SolarWinds spokesperson said: “The settlement is subject to approval by the Commission and we cannot therefore discuss the terms at this time. We are pleased with the potential resolution and happy to focus on driving our business forward without distraction.”