SolarWinds’ Nation-State Attack

Cyberattacks don’t target systems, they target organizations and people. When they occur, it’s the teams that pay the emotional price. Shame, guilt, loss of confidence, the psychological triggers are powerful yet underestimated, even neglected. We must take care of people, because they are both the first line of defence and the first victims.
— Sébastien Garnault, President, Paris Cyber Summit

On a December evening in 2020, Tim Brown received a call every CISO fears. It came from the general counsel. The CEO had just gotten information from Mandiant that malicious code was being actively exploited. The news would likely become public the next day. Emails were already moving around. 

What followed was a media frenzy as SolarWinds navigated a response to a nation-state attack. That phone call changed his life for the next five years. As he recalled:

“The first step was to determine whether it was real. I had a call with Mandiant. They showed code that clearly was not ours. It took only minutes for me to confirm that the intrusion was real. Then came the harder question: what was the impact?

The world was living through the COVID-19 pandemic. Employees were working remotely, scattered across locations, but connected through channels that allowed rapid contact. My team began tracing the attack’s origin. The malicious code had never been part of our product source. When we decompiled and analyzed our software, we discovered a tainted version. Four product versions were eventually identified as affected. Later, additional samples arrived, thousands of lines of code tied to multiple versions.

On a Sunday morning, our crisis team gathered at seven o'clock. We needed enough information before anything went public. How many customers were affected? What was the correlation between downloads and compromised versions? At one point, we estimated about 18,000 downloads, but actual negative impact numbers were uncertain. This uncertainty added to the stress.

SolarWinds immediately involved external partners. Legal advisors, crisis specialists, and federal agencies joined the response. External collaboration was critical. People who had lived through similar crises helped guide decisions. Communication strategy became central. Channels had to be fast, reliable, and secure. The company switched sensitive conversations to encrypted platforms, while keeping operational updates controlled. Short messages went through normal channels, but anything substantial required more secure communication.

The incident was later classified as a sophisticated supply chain attack. The malicious code was thoughtfully written and designed for stealth rather than destruction. It was designed not to be discovered and to quietly infiltrate specific targets. Customers started calling. Government agencies asked questions. The company built a communication page explaining what happened. The first week we were mostly consumed with firefighting.

Many people asked one simple question over and over again: Was I affected? Transparency became our core principle, leading the response.

Ultimately, fewer organizations suffered harm than we first feared, but the psychological and reputational impact was enormous, and in many respects personal. Media reporting was often incorrect. Stories that claimed a password was “solarwinds123” traveled the world. Investigations later showed it was simply a misconfiguration, unrelated to the attack. The press did not rush with retractions.

I accepted that I could not fight every news story. Instead, we focused all our energy on solving the crisis and helping customers. Free consulting services were offered.

For months, nobody said anything good. The team had to build emotional resilience and move forward in what felt like a hard shell of public scrutiny. Stock prices dropped. The legal battles followed. In 2022, discussions emerged about potential charges. That pushed me over the edge. I had a heart attack receiving this news. I was in Switzerland at that time and made a poor decision to travel home. Upon my arrival, my wife rushed me to the hospital, and that probably saved my life. 

In the class action lawsuit, everything was under scrutiny. Emails, messages, and communications were reviewed going back to 2017. The company did as much as it could. It supported my legal defense and covered the fees. This response came from an understanding that security leadership should not stand alone during nation-state incidents. 

In 2024, most charges were dismissed. By mid-2024, only two technical issues related to access control auditing remained pending. Eventually, in 2025, regulatory authorities dropped the case against the company and me without prejudice. Millions of taxpayer dollars had been spent investigating, but authorities had to acknowledge there was no systemic security policy failure.

The greatest support came from the CISO community. They became my sounding boards, therapists, and emotional anchors. Their encouragement helped a great deal. Cybersecurity is not about competition. It is about facing common adversaries together. This case changed how the world viewed CISO liability. And I also hope people will finally get the message to be proactive with their mental health through emergencies.”

Tim, United States
