SEC drops ill-fated cyberattack lawsuit against SolarWinds, CISO

FCC gets rid of Biden-era reporting rules addressing Salt Typhoon intrusions, Cybercrime money laundering network active in the UK bought a bank, Russian intel services funded former Wirecard exec's spy ring, Salesforce probes another third-party cyber incident, NSO appeals judge's ruling, much more


The US Securities and Exchange Commission said it has dropped its closely watched litigation against SolarWinds Corp and its CISO, Tim Brown, that was tied to a Russia-linked cyberattack involving the software firm.

The landmark case, which the SEC brought in late 2023 as the Biden administration sought to portray a strong response to a rash of shocking cyberattacks, rattled the cybersecurity community and later faced negative scrutiny from a judge who dismissed many of the charges in July 2024.

Earlier this year, the SEC and SolarWinds reached a settlement to dismiss all remaining charges.

The case shocked the cybersecurity community for its lack of evidence of wrongdoing and what many saw as inappropriate targeting of Brown, who, as CISO, lacked top-level corporate decision-making ability and fiduciary responsibility despite having the word "chief" in his title. Most of the charges against Brown stemmed from what many considered a tortured parsing of statements he made that, to cybersecurity experts, lacked any evidence of wrongdoing.

Given the weight of the legal action against him, Brown suffered a heart attack after he learned of the SEC complaint.

A SolarWinds spokesperson said in a statement that the firm is "clearly delighted" with the dismissal. "We hope this resolution eases the concerns many CISOs have voiced about this case and the potential chilling effect it threatened to impose on their work," the spokesperson said. (Chris Prentice / Reuters, Tanium and previous Metacurity research)

Related: SolarWinds, SEC, Nextgov/FCW, The Register, CyberScoop, Bloomberg Law, Claims Journal, The Register, Wall Street Journal

The US Federal Communications Commission (FCC) voted to roll back Biden-era cybersecurity regulations designed to address the massive network intrusion known as Salt Typhoon that affected major telecommunications carriers last year.

FCC Chairman Brendan Carr led the vote along party lines to repeal what he framed as an ineffective measure rushed out the door in the last days of Joe Biden’s presidency.

After Chinese hackers were revealed to have been embedded in the US communications infrastructure for months last year, the FCC adopted a set of rules that would require carriers like AT&T Inc. and Verizon Communications Inc. to secure their networks from intruders and to submit an annual certification asserting that they had implemented a robust cybersecurity plan. (Kelcee Griffis / Bloomberg)

Related: FCC, The Record, The Verge, Senate Homeland Security Committee, Cybersecurity Dive, Reuters, Axios, Nextgov/FCW, CyberScoop, Federal News Network, Meritalk, Industrial Cyber

According to the UK National Crime Agency (NCA), a billion-dollar money laundering network active in the UK bought a bank in the Central Asian state of Kyrgyzstan to facilitate the washing of profits from cybercrime and other criminal activity, and convert it into cryptocurrency that was used to evade sanctions on Russia in support of the Putin regime’s war on Ukraine.

So-called cash-to-crypto swaps are a core part of the global criminal ecosystem. In 2024, the NCA and its European and North American partners came down hard on two full-service Russian-run money laundering networks, TGR and Smart, which washed money on behalf of multiple ransomware crews, including the likes of Evil Corp, Conti, and Ryuk, in an ongoing series of actions dubbed Operation Destabilise.

In the past 12 months, Operation Destabilise has seen 45 suspected money launderers arrested and £5.1m (around $6.7 million) in cash seized. Since its inception, 128 arrests and over £25m (around $32.7 million) have been seized in cash and crypto assets in the UK, plus millions more abroad.

As part of this operation, the NCA has launched a campaign to communicate directly with the money launderers who courier criminal cash, reaching them in locations where they are known to operate. The posters and messages (in English and Russian) highlight the risks they are taking by moving money linked to the most harmful crimes in our communities. (Alex Scroxton / Computer Weekly and NCA)

Related: BBC News, Reuters, ITV, France24, The Record, The Independent, RTE

NCA communications to money-launderers. Source: NCA.

The UK's National Crime Agency says that Russian intelligence services helped fund the former Wirecard executive Jan Marsalek’s spy ring by using a cash-to-cryptocurrency money laundering network.

Nearly a year after the NCA shut down two Russian laundromats that transferred billions of dollars around the world, the agency revealed that one of the networks had attempted to fund a group of six Bulgarian nationals who had been convicted on espionage charges. The group spied on journalists and politicians and plotted assassinations before the network was dismantled.

The NCA said the “Smart” network operated by Russian businesswoman Ekaterina Zhdanova was used by individuals working with Russian intelligence services in an attempt to fund the spy ring. Zhdanova has spent over a year in pre-trial detention in France, accused of crimes in a separate case, the NCA said. Anastasia Pitchouguina, a lawyer for Zhdanova, declined to comment.

Marsalek, who worked for Russian intelligence services, bankrolled the Bulgarians’ activities, spending as much as £45,000 ($58,768) on some of the operations, British prosecutors alleged. The Austrian-born fugitive wasn’t charged in the case and disappeared in 2020 during the dramatic collapse of the German payments company.

The six Bulgarian individuals were sentenced to as long as 10 years in prison by a London judge. (Jonathan Browning / Bloomberg)

Related: Financial Times

Salesforce said that it’s investigating yet another cyber incident involving a third party, this time a breach of “certain customers’ Salesforce data” that was compromised through apps published by Gainsight, a company that sells a platform for other companies to manage their customers.

Salesforce said the hacks involve “Gainsight-published applications connected to Salesforce, which are installed and managed directly by customers.”

Salesforce said that there is “no indication that this issue resulted from any vulnerability in the Salesforce platform,” and that the activity appears related to Gainsight’s “external connection to Salesforce.”

Gainsight said in a status page that it is investigating a “Salesforce connection issue,” without making any reference to a potential breach. “Our internal investigation is ongoing,” Gainsight wrote.

Threat group ShinyHunters took credit for the breach, adding that if Salesforce doesn’t negotiate with them, they will create a new website to advertise the stolen data — a common extortion tactic by financially-motivated cybercriminals.

Less than two months ago, an expansive downstream attack spree impacted more than 700 customers who integrated Salesloft Drift into Salesforce. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Related: Salesforce, CyberScoop, Bleeping Computer, The Register, Reuters, The Record, The Cyber Express, BankInfoSecurity, Infosecurity Magazine, DataBreachToday, The Stack

The NSO Group filed an appeal aimed at overturning a judge’s ruling that it must stop targeting the WhatsApp platform with its spyware.

On October 17, Northern California federal judge Phyllis Hamilton issued the order, determining that NSO improperly leveraged WhatsApp infrastructure to target 1,400 of the Meta-owned messaging platform’s users with its zero-click Pegasus spyware.

In a court filing ahead of the ruling, NSO told the judge that blocking it from targeting WhatsApp infrastructure to implant its spyware could “put NSO’s entire enterprise at risk” and “force NSO out of business.”

In a motion to stay the order pending the outcome of the appeal, the NSO Group again focused on the “catastrophic” damage the permanent injunction will do to its business, saying that if the ruling isn’t stayed, NSO will “suffer irreparable, potentially existential injuries.”

NSO said that the permanent injunction goes against the public interest because it disrupts numerous law enforcement, intelligence, and counterterrorism operations. (Suzanne Smalley / The Record)

Related: CyberScoop

The Privacy and Civil Liberties Oversight Board (PCLOB), an independent executive branch watchdog agency, issued a report finding that the FBI does not purchase continuous or “real-time” location data from any phone, internet, or electronic service providers for use in counterterrorism investigations.

provides an overview of what open-source information the FBI consults in such investigations.

It is unclear why the PCLOB undertook the probe, but it was launched at a time when awareness of how technological advances allow for a granular level of data tracking was taking hold.

Notably, the report does not say the FBI does not buy location data at all. It says the FBI has historically used the location data broker Babel Street, which sells information on individuals’ whereabouts. (Suzanne Smalley / The Record)

Related: PCLOB

Korean e-commerce giant Coupang said that an unauthorized third party had gained access to personal data of some 4,500 of its customers, including names, email addresses, delivery addresses, telephone numbers, and most recent orders.

The company, however, said that it has not found evidence suggesting unauthorized intrusion into its system related to customer payments.

Coupang said it has stepped up monitoring efforts related to the data leak and advised customers to be on the lookout for texts and phone calls claiming to be from Coupang officials. (Yoon Min-sik / The Korea Herald)

Related: Pulse, The Chosun Daily, Korea JoongAng Daily

Researchers at Google Threat Intelligence Group report that China-linked APT24 hackers have been using a previously undocumented malware called BadAudio in a three-year espionage campaign that recently switched to more sophisticated attack methods.

From November 2022 until at least September 2025, APT24 compromised more than 20 legitimate public websites from various domains to inject malicious JavaScript code that selected visitors of interest - the focus was exclusively on Windows systems.

The researchers say that the script fingerprinted visitors who qualified as targets and loaded a fake software update pop-up to lure them into downloading BadAudio.

From the eight samples GTIG researchers provided in their report, only two are flagged as malicious by more than 25 antivirus engines on the VirusTotal scanning platform. The rest of the samples, with a creation date of December 7, 2022, are detected by up to five security solutions. (Bill Toulas / Bleeping Computer)

Related: Google Cloud, Dataconomy

Overview of the attack. Source: Google Threat Intelligence Group.

Amazon’s threat intelligence experts have documented two cases showing how Iran leveraged hacking in preparation for physical strikes, in what the company calls ‘cyber-enabled kinetic targeting.’

The internet giant has shared information on two case studies observed in recent years that involved threat actors linked to Iran.

The first case study involved a threat group known as Imperial Kitten and Tortoiseshell. The threat actor, believed to be operating on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC) since at least 2017, is known for its long-term operations, as well as for targeting military and defense entities.

Using data from customers, partners, and its own threat intelligence systems, Amazon was able to piece together a timeline for an operation that spanned more than two years, progressing from digital spying to a physical attack.

According to Amazon, Imperial Kitten compromised a ship’s Automatic Identification System (AIS) platform in December 2021, gaining access to critical shipping infrastructure.

In August 2022, Imperial Kitten was seen hacking additional maritime vessel platforms, and in one case, it collected real-time visual intelligence by accessing CCTV cameras on a ship.

In January 2024, the threat actor searched AIS location data for a particular ship. A few days later, on February 1, 2024, that vessel was targeted in a missile strike by Iran’s allied Houthis.

The second case study presented by Amazon is more recent and involves MuddyWater, a threat group linked by US Cyber Command to the Iranian Ministry of Intelligence and Security (MOIS).

The hackers were observed provisioning a server for what Amazon described as “cyber network operations” in mid-May 2025. Less than one month later, on June 17, the threat actor leveraged the same server infrastructure to access a compromised server used for live CCTV streams from Jerusalem. 

Researchers believe this was used to collect real-time visual intelligence of potential targets in the city in preparation for a June 23 missile attack launched by Iran.

Amazon coined the term ‘cyber-enabled kinetic targeting’ because it believes current terminology is not specific enough for these types of attacks. The company noted that ‘cyber-kinetic operations’ are cyberattacks that cause physical damage, while ‘hybrid warfare’ is too broad. (Eduard Kovacs / Security Week)

Related: AWS, CyberScoop, eSecurity Planet, CSO Online, SC Media, Security Affairs

Columbia University law and MBA student Michelle Ritter filed a lawsuit in Los Angeles against former Google chief executive Eric Schmidt, with whom she had a romantic and business relationship, accusing Schmidt of stealing business out from under her, sexually assaulting her twice during their relationship, and tapping his Google background to hack into her email and online computer files.

“During their relationship, Schmidt confided that when he worked at Google, he built an insider 'backdoor' to Google servers with a team of Google engineers to spy on Google employees. Accordingly, the backdoor enabled him to access anyone’s Google account and private information,” the lawsuit says.

Google is also named as a defendant in the lawsuit and is alleged to have “knowingly acquiesced in, failed to remedy, and materially assisted the unauthorized access” into Ritter’s accounts despite being provided notice. Schmidt and the company are accused of violating the California Comprehensive Computer Data Access and Fraud Act, and a section of the state penal code that prohibits wiretapping. (Laurence Darmiento / Los Angeles Times)

Method Security, a dual-use company combining cyber expertise with artificial intelligence speed, announced it had raised $26 million across its seed and Series A venture funding rounds.

Andreessen Horowitz and General Catalyst led the rounds with participation from Blackstone Innovations Investments, Crossbeam Ventures (Michael Ovitz), NFDG, Forward Deployed Ventures, Pax Ventures, Phil Venables (Strategic Security Advisor, Google), WndrCo, Frederic Kerrest (co-founder of Okta, 515 Ventures), Ryan Noon (Chairman, Material Security), and Aaron Levie (CEO, Box).

Related: Method Security, Pulse 2.0, PR Newswire, Tech in Asia

Best Thing of the Day: Better Late Than Never

Following last month’s cybersecurity breach, the University of Pennsylvania implemented a new mandatory information security training for all faculty and staff.

Worst Thing of the Day: Following in the Footsteps of China

Police departments and officials from Border Patrol used Flock’s automatic license plate reader (ALPR) cameras to monitor protests hundreds of times around the country during the last year, including No Kings protests in June and October.

Bonus Worst Thing of the Day: Who Knew Epstein Liked Cyberweapons?

New documents released by the House Oversight Committee revealed that Jeffrey Epstein pursued the Swiss Rothschild Bank to finance Israeli cyberweapons.

Extra Bonus Worst Thing of the Day: 3.5 Billion WhatsApp Users Have Questions

Researchers from the University of Vienna quietly compiled a digital directory so vast that it contains the personal details of nearly half the global population, with the team claiming to have scraped the data of 3.5 billion WhatsApp users.

Closing Thought

Equivalent_Site6616 via r/programmerhumor
