In January 2021, the technology provider Ubiquiti inc. [NYSE:UI] revealed that a breach at a third-party cloud provider exposed customer account credentials. In March, an Ubiquiti employee warned that the company had dramatically underestimated the scale of the incident and that the third-party cloud provider’s claim was a fabrication. On Wednesday, a former Ubiquiti developer was arrested on charges of stealing data and attempting to extort his employer by posing as a whistleblower.
Federal prosecutors say Nickolas sharp, a senior developer at Ubiquiti, actually caused the “breach” that forced Ubiquiti to disclose a cybersecurity incident in January. They allege that in late December 2020, Sharp applied for a job at another tech company, then abused his privileged access to Ubiquiti’s systems on Amazon’s AWS cloud service and the company’s GitHub accounts to download from large amounts of proprietary data.
Sharp’s indictment does not specify how much data it allegedly downloaded, but it does state that some of the downloads took hours and that it cloned around 155 Ubiquiti data repositories via multiple downloads on nearly two weeks.
On December 28, other Ubiquiti employees spotted the unusual downloads, which had taken advantage of the company’s internal credentials and a Surfshark VPN connection to hide the real internet address of the downloader. Assuming that an outside attacker had breached its security, Ubiquiti quickly launched an investigation.
But Sharp was a member of the forensic investigation team, according to the indictment.
“At the time, the accused was part of a team working to assess the extent and damage caused by the incident and to remedy its effects, while hiding his role in the commission of the incident,” New York Southern District prosecutors wrote.
According to the indictment, on January 7, a senior Ubiquiti official received a ransom email. The message was sent through an IP address associated with the same Surfshark VPN. The ransom message warned that Ubiquiti’s internal data had been stolen and the information would not be used or published online until Ubiquiti agreed to pay 25 Bitcoin.
The ransom email also offered to identify an allegedly still unblocked ‘backdoor’ used by the attacker for the sum of another 25 Bitcoins (the total amount requested was equivalent to approximately $ 1.9 million at the time). era). Ubiquiti did not pay the ransom demands.
Investigators say they were able to tie the downloads to Sharp and his work laptop because his internet connection briefly failed several times while he was downloading data from Ubiquiti. These outages were enough to prevent Sharp’s Surfshark VPN connection from functioning properly, exposing its internet address as the source of the downloads.
When FBI agents raided Sharp’s residence on March 24, he allegedly maintained his innocence and told agents that someone else must have used their Paypal account to purchase the Surfshark VPN subscription.
Several days after the FBI executed its search warrant, Sharp “published false or misleading information about the incident,” prosecutors said. Among the claims made in these reports was that Ubiquiti had neglected to keep access logs that would allow the company to understand the full extent of the intrusion. In fact, according to the indictment, Sharp had reduced the length of time that Ubiquiti’s systems kept certain logs of user activity in AWS to one day.
“Following the publication of these articles, between Tuesday March 30, 2021 and Wednesday March 31, [Ubiquiti’s] The stock price fell about 20%, losing more than $ 4 billion in market capitalization, ”the indictment reads.
Sharp faces four counts, including wire fraud, intentional damage to protected computers, transmitting interstate communications with intent to extort, and making false statements to the FBI.
News of Sharp’s arrest was first reported by BleepingComputer, who wrote that although the Justice Department did not name Sharp’s employer in its press release or indictment , all details correspond to previous reports on the Ubiquiti incident and information presented in Sharp’s LinkedIn account. A link to the indictment is here (PDF).