Former developer of Ubiquiti confessed to stealing data, trying to extort the networking company
What just happened? Nickolas Sharp, a former Ubiquiti employee who oversaw the company’s cloud team confessed of stealing gigabytes of private data from the company’s network under the guise of an anonymous hacker and a whistleblower. Sharp, a 36-year-old software engineer from Portland, Oregon, is charged with stealing gigabytes of sensitive data from Ubiquiti’s GitHub repositories and AWS servers in December 2020.
Sharp pled guilty to three charges: making false statements to the FBI, wire fraud, and deliberately transmitting a malicious program to a protected computer. The maximum punishment for each of these offenses is 35 years in prison.
Ubiquiti reported a security incident in January 2021 following the data theft incident. Sharp, while pretending to be an anonymous hacker, sought to extort the company. The ransom note demanded 50 bitcoin, which, at the time, was equivalent to roughly $1.9 million, in exchange for recovering the data and disclosing the network weakness that had allowed the hack. However, instead of paying the ransom, Ubiquiti chose to update the login information for every employee. Additionally, the business found and eliminated a second backdoor in its systems, before reporting a security breach on December 11.
“Nickolas Sharp’s company entrusted him with confidential information that he exploited and held for ransom,” said U.S. Attorney Damian Williams.
“Adding insult to injury, when Sharp wasn’t given his ransom demands, he retaliated by causing false news stories to be published about the company, which resulted in his company’s market capitalization plummeting by over $4 billion.”
Sharp used his cloud administrator credentials to clone hundreds of repositories over SSH and steal private files from Ubiquiti’s AWS infrastructure (on December 10, 2020) and GitHub repositories (on December 21 and 22).
He attempted to conceal his home IP address while collecting the data using the Surfshark VPN service, but his location was discovered following a brief Internet outage. Furthermore, he also altered the log retention rules on Ubiquiti’s servers and other data that would have revealed his identity during the inquiry.
The FBI searched the residence of Nicholas Sharp on March 24, 2021, and seized his electronic equipment. When interrogated, he gave FBI officials several false statements, including, that he was not the perpetrator and had never used that VPN before. Records demonstrating that Sharp purchased the Surfshark VPN service in July 2020, about six months before the incident, caused him to make the fraudulent allegation someone else must have accessed his PayPal account to complete the transaction.
Sharp, pretending to be a whistleblower, accused Ubiquiti of downplaying the breach in a media interview after the extortion attempt failed. After he challenged Ubiquiti’s assertion and claimed that the incident’s impact was significant, the company acknowledged on April 1 that it was the target of an extortion attempt following the January hack with no indication that user accounts were affected.
He further asserted that Ubiquiti lacked a logging mechanism that would have prohibited them from determining whether the “attacker” had accessed any systems or data. His assertions, however, are consistent with information from the Justice Department that he tampered with the company’s logging systems.