SolarWinds’ State Attack


A December evening, a phone call from the general counsel, and a sentence no CISO wants to hear: the CEO had just learned that malicious code was being actively exploited, and the news would break by morning. What followed was a nation-state supply chain attack that would consume Tim Brown's life for five years—through a media storm, a class-action lawsuit, and a heart attack he now traces directly back to the pressure of the case.


“The first step was to determine whether it was real. I had a call with Mandiant. They showed code that clearly was not ours. It took only minutes for me to confirm that the intrusion was real. Then came the harder question: what was the impact?


“Then came the harder question: what was the impact?”


The world was living through the COVID-19 pandemic. Employees were working remotely, scattered across locations, but connected through channels that allowed rapid contact. My team began tracing the attack’s origin. The malicious code had never been part of our product source. When we de-compiled and analyzed our software, we discovered a tainted version. Four product versions were eventually identified as affected. Later, additional samples arrived, thousands of lines of code tied to multiple versions.

On a Sunday morning, our crisis team gathered at seven o'clock. We needed enough information before anything went public. How many customers were affected? What was the correlation between downloads and compromised versions? At one point, we estimated about 18,000 downloads, but actual negative impact numbers were uncertain. This uncertainty added to the stress.


“We needed enough information before anything went public. How many customers were affected?”


SolarWinds immediately involved external partners. Legal advisors, crisis specialists, and federal agencies joined the response. External collaboration was critical. People who had lived through similar crises helped guide decisions. Communication strategy became central. Channels had to be fast, reliable, and secure. The company switched sensitive conversations to encrypted platforms, while keeping operational updates controlled. Short messages went through normal channels, but anything substantial required more secure communication.

The incident was later classified as a sophisticated supply chain attack.The malicious code was thoughtfully written and designed for stealth rather than destruction. It was designed not to be discovered and quietly infiltrate specific targets. Customers started calling. Government agencies asked questions. The company built a communication page explaining what happened. The first week we were mostly consumed with firefighting. 


The incident was later classified as a sophisticated supply chain attack.”


Many people asked one simple question over again: Was I affected? Transparency became our core principle, leading the response. 

Ultimately, fewer organizations suffered harm than we first feared, but the psychological and reputational impact was enormous, and in many respects personal. Media reporting was often incorrect. Stories that claimed a password was “solarwinds123” traveled the world. Investigations later showed it was simply a misconfiguration, unrelated to the attack. The press did not rush with retractions. I accepted that I could not fight every news story. Instead, we focused all our energy on solving the crisis and helping customers. Free consulting services were offered.


“I accepted that I could not fight every news story.“


For months, nobody said anything good. The team had to build emotional resilience and move forward in what felt like a hard shell of public scrutiny. Stock prices dropped. The legal battles followed. In 2022, discussions emerged about potential charges. That pushed me over the edge. I had a heart attack receiving this news. I was in Switzerland at that time and made a poor decision to travel home. Upon my arrival, my wife rushed me to the hospital, and that probably saved my life. 

In the class action lawsuit, everything was under scrutiny. Emails, messages, and communications were reviewed going back to 2017. The company did as much as it could. It supported my legal defense and covered the fees. This response came from an understanding that security leadership should not stand alone during nation-state incidents. 


“In the class action lawsuit, everything was under scrutiny.”


In 2024, most charges were dismissed. By mid-2024, only two technical issues related to access control auditing remained pending. Eventually, in 2025, regulatory authorities dropped the case against the company and me without prejudice. Millions of taxpayer dollars had been spent investigating, but authorities had to acknowledge there was no systemic security policy failure.

The greatest support came from the CISO community. They became my sounding boards, therapists, and emotional anchors. Their encouragement helped a great deal. Cybersecurity is not about competition. It is about facing common adversaries together. This case changed how the world viewed CISO liability. And I also hope people will finally get the message to be proactive with their mental health through emergencies.”


“Cybersecurity is not about competition. It is about facing common adversaries together.”


Tim, United States

Previous
Previous

Ports Halted by Ransomware

Next
Next

Nurse’s Stolen Identity