Nickolas Sharp, a former Ubiquiti employee who managed the networking device maker’s cloud team, pled guilty today to stealing gigabytes worth of files from Ubiquiti’s network and trying to extort his employer while posing as an anonymous hacker and a whistleblower.
“Nickolas Sharp’s company entrusted him with confidential information that he exploited and held for ransom,” U.S. Attorney Damian Williams said on Thursday.
“Adding insult to injury, when Sharp wasn’t given his ransom demands, he retaliated by causing false news stories to be published about the company, which resulted in his company’s market capitalization plummeting by over $4 billion.”
Sharp was arrested and charged with data theft and extortion attempts on December 1, 2021.
Billions of dollars in losses after stock drop
Ubiquiti disclosed a security incident in January 2021 following Sharp’s data theft. While working to assess the scope of the incident and remediate the security breach’s effects as the company’s cloud lead, the defendant also tried extorting Ubiquiti while posing as an anonymous hacker.
The ransom note asked for 50 bitcoins (around $1.9 million at the time) in exchange for revealing the vulnerability used to breach the network and for returning the stolen files.
Ubiquiti refused to pay and, instead, changed all employee credentials, discovered and disabled a second backdoor from its systems, and issued a security breach notification on January 11.
After the extortion attempt failed, Sharp shared information regarding the incident with the media while pretending to be a whistleblower, accusing Ubiquiti of downplaying the breach.
As a result, Ubiquiti’s stock price dropped by almost 20%, which led to financial losses of over $4 billion in market capitalization.
On April 1, the company confirmed it was being targeted by an extortion attempt following the January breach with no indication that customer accounts were affected after Sharp (as a whistleblower) disputed Ubiquiti’s statement and said that the incident’s impact was massive.
Sharp also claimed that Ubiquiti did not have a logging system that would’ve prevented them from verifying systems or data were accessed by the “attacker.” However, his claims line up with the Justice Department info on him tampering with the company’s logging systems.
Even though the DOJ hasn’t yet named Sharp’s employer in the indictment or the press releases regarding this case, the details perfectly align with Sharp’s LinkedIn account and previous info on the Ubiquiti breach.
Exposed by an Internet outage
Sharp stole confidential files from Ubiquiti’s AWS infrastructure (on December 10, 2020) and GitHub repositories (on December 21 and 22, 2020) using his cloud administrator credentials and cloning hundreds of repos over SSH, according to the indictment [PDF].
While stealing the data, he tried hiding his home IP address using the Surfshark VPN service, but his location was exposed after a temporary Internet outage.
In further efforts to hide his malicious activity, Sharp also modified log retention policies on Ubiquiti’s servers and other files that would have exposed his identity during the incident investigation.
“Among other things, SHARP applied one-day lifecycle retention policies to certain logs on AWS which would have the effect of deleting certain evidence of the intruder’s activity within one day,” the court documents read.
Sharp’s charges carry a maximum sentence of 37 years in prison if found guilty. He is scheduled to be sentenced on May 10 by U.S. District Judge Katherine Polk Failla.