SEC sues SolarWinds for concealing cyber risks

(Reuters) — The U.S. Securities and Exchange Commission on Monday sued software company SolarWinds Corp. and its top information security executive, saying they defrauded investors by hiding cybersecurity weaknesses during a massive hack targeting the U.S. government.

The SEC lawsuit filed in Manhattan federal court accuses SolarWinds and Timothy Brown, its chief information security officer, of repeatedly violating U.S. securities laws by concealing vulnerabilities and cyber events in regulatory filings and other company statements.

Monday's lawsuit appears to be the first time the SEC has sued a company that has been the victim of a cyberattack, rather than charging and simultaneously settling.

SolarWinds, based in Austin, Texas, slammed the regulator's “overreach” and pledged to fight the charges in court.

It said the charges were “unfounded,” put national security at risk, and “should alarm all public companies and committed cybersecurity professionals across the country.”

CEO Sudhakar Ramakrishna said in a blog post: “The SEC's charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security.”

The nearly two-year hacking known as Sunburst, the outlines of which were first reported by Reuters, was one of the most sweeping cyber intrusions ever discovered.

Hackers were able to use SolarWinds' flagship network management software, Orion, as a springboard into U.S. government networks and international targets.

Several federal agencies were compromised, including the Departments of State, Treasury, Homeland Security, Commerce and Energy. The full consequences of the breach, some hidden behind layers of classification, remain unknown.

Regulators found SolarWinds misled the public about repeated cybersecurity risks it faced between its 2018 initial public offering and its December 2020 disclosure about the attack.

Authorities said Mr. Brown internally discussed known risks and vulnerabilities but presented a starkly different portrayal to the public, even as customers, including a federal agency, alerted SolarWinds to malicious activity on its flagship software.