The weasel-wording still left most readers with a clear impression that flaws in JetBrains software were directly implicated in the hack, and many US companies proceeded on that basis.
But it wasn't -- the attackers had reconfigured the build servers to add malicious code to product builds, but their malware was targeting MSBUILD.EXE processes on startup, and would have worked just the same if SolarWinds wasn't using JetBrains at all, and those processes were started instead by Jenkins, CircleCI, or a human typing at a command line. Here's a technical writeup:
But it wasn't -- the attackers had reconfigured the build servers to add malicious code to product builds, but their malware was targeting MSBUILD.EXE processes on startup, and would have worked just the same if SolarWinds wasn't using JetBrains at all, and those processes were started instead by Jenkins, CircleCI, or a human typing at a command line. Here's a technical writeup:
https://www.crowdstrike.com/blog/sunspot-malware-technical-a...
As to the lawsuit: JetBrains is not based in the US; a lawsuit would probably take years to reach resolution, and be a massive, expensive distraction.