NEW YORK, July 18 (Reuters) - A U.S. judge dismissed

most of a Securities and Exchange Commission lawsuit accusing

software company SolarWinds ( SWI ) of defrauding investors by

concealing its security weaknesses before and after a

Russia-linked cyberattack targeting the U.S. government.

U.S. District Judge Paul Engelmayer in Manhattan dismissed

all claims against SolarWinds ( SWI ) and chief information security

officer Timothy Brown over statements made after the attack,

saying the claims were based on "hindsight and speculation."

In a 107-page decision on Thursday, the judge also dismissed

most SEC claims concerning statements predating the attack,

apart from securities fraud claims based on a statement on

SolarWinds' ( SWI ) website touting the company's security controls.

SolarWinds ( SWI ) and Brown's lawyers had no immediate comment. The

SEC did not immediately respond to requests for comment.

The nearly two-year cyberattack known as Sunburst targeted

Austin, Texas-based SolarWinds ( SWI ) by using its flagship Orion

software platform to infiltrate U.S. government networks.

Several federal agencies including the Departments of

Commerce, Energy, Homeland Security, State and Treasury were

compromised before the attack was revealed in December 2020.

Its full consequences remain unknown, and the U.S.

government has said Russia likely orchestrated the attack.

Russia has denied responsibility.

The SEC case filed last October appeared to be the first

targeting a company that fell victim to a cyberattack, where the

regulator did not announce a simultaneous settlement.

It is also rare for the SEC to sue public company executives

who, like Brown, are not closely involved in preparing financial

statements.

The SEC alleged that SolarWinds ( SWI ) hid the porous cybersecurity

of its products before the attack, and downplayed the attack's

severity after it occurred.

It also said SolarWinds ( SWI ) concealed how customers had warned

about malicious activity involving Orion.

But the judge said anti-fraud laws do not require that risk

warnings contain "maximum specificity," a process that could

backfire if the warnings armed cyberattackers with extra

information to exploit.

Engelmayer also said SolarWinds ( SWI ) acknowledged it could not be

expected to prevent every cyberattack, and had no duty to

disclose individual incidents.

"It has already disclosed the likelihood of these as,

regrettably, a fact of life," the judge wrote.

The case is SEC v. SolarWinds Corp ( SWI ) et al, U.S. District

Court, Southern District of New York, No. 23-09518.