What just happened? Nicholas Sharp, a former Ubiquiti employee who oversaw the company’s cloud team, confessed to stealing gigabytes of personal data from the company’s network under the guise of an anonymous hacker and whistleblower. Sharp, a 36-year-old software engineer from Portland, Oregon, is accused of stealing gigabytes of confidential data from Ubiquiti GitHub repositories and AWS servers in December 2020.
Sharp pleaded guilty to three charges: providing false testimony to the FBI, fraud using electronic means and intentionally transmitting malware to a protected computer. The maximum penalty for each of these crimes is 35 years in prison.
Ubiquiti reported a security incident in January 2021 following a data theft incident. Sharpe, pretending to be an anonymous hacker, tried to blackmail the company. The ransom note demanded 50 bitcoins, which at the time was equivalent to about $1.9 million, in exchange for data recovery and disclosure of the network vulnerability that allowed the hack. However, instead of paying the ransom, Ubiquiti decided to update the login details for each employee. In addition, the company discovered and eliminated a second backdoor in its systems before reporting a security breach on December 11.
“Nicholas Sharp’s company entrusted him with confidential information that he used and held for ransom,” said U.S. Attorney Damian Williams.
“Adding insult to injury, when Sharp did not receive a ransom demand, he responded by triggering the publication of false news about the company, causing his company’s market capitalization to drop by more than $4 billion.”
Sharp used his cloud administrator credentials to clone hundreds of repositories via SSH and steal personal files from the Ubiquiti AWS infrastructure (December 10, 2020) and GitHub repositories (December 21 and 22).
He tried to hide his home IP address when collecting data using the Surfshark VPN service, but his location was discovered after a brief Internet outage. In addition, he also changed the rules for storing logs on Ubiquiti servers and other data that would allow his identity to be revealed during the investigation.
On March 24, 2021, the FBI raided the home of Nicholas Sharp and seized his electronic equipment. During the interrogation, he gave several false statements to FBI officials, including that he was not a criminal and had never used this VPN before. Records showing that Sharp purchased the Surfshark VPN service in July 2020, about six months before the incident, led him to make a fraudulent claim that someone else had to access his PayPal account to complete the transaction.
Sharp, pretending to be a whistleblower, accused Ubiquiti of downplaying the violation in a media interview after the extortion attempt failed. After he disputed Ubiquiti’s claim and stated that the impact of the incident was significant, the company admitted on April 1 that it had been the target of an extortion attempt after the January hack without any indication that user accounts had been affected.
He also claimed that Ubiquiti did not have a logging mechanism that would not allow them to determine whether an “attacker” had access to any systems or data. However, his claims are consistent with information from the Ministry of Justice that he interfered with the company’s registration systems.
