Search
Close this search box.

A bizarre tale: The worker who hacked and ransomed his employer

Share:

When a “whistleblower” first contacted the media in March this year claiming to have inside information about the damaging hack on technology giant Ubiquiti, his story seemed legit. 

The whistleblower – who had been appointed an incident responder for the breach – alleged Ubiquiti had downplayed the “catastrophic” incident and the “massive risk” it had placed on customer data. 

The media coverage of his claims resulted in a more than 20% in the company’s share price, a loss of about US$4 billion in market capitalisation. 

What no-one knew at the time was just days before the FBI had raided the house of the Ubiquiti software engineer under suspicion, he had had quite a bit more to do with the breach than he was letting on. 

That engineer, Nickolas Sharp, was this week arrested and charged with hacking his employer, stealing troves of sensitive corporate data, and then attempting to ransom the company for US$2 million

According to an indictment unsealed yesterday by the US Department of Justice, why Sharp chose to hack his employer in December 2020 is still uncertain. 

What is clear, allegedly, is that Sharp misused his cloud administrator credentials to access Ubiquiti’s AWS and Github accounts and steal “gigabytes” of data, altering log and other files along the way to cover his tracks. 

Ubiquiti discovered the breach fairly quickly, leading to its public notification to customers the following month. 

Ubiquiti Office Photos | Glassdoor
Despite the intensifying heat, extraordinarily Sharp decided to contact the media as a professed “whistleblower” determined to expose Ubiquiti’s “cover-up” of the breach. 

Unaware of Sharp’s nefarious actions, the company appointed him one of the incident responders tasked with investigating the breach, giving Sharp the opportunity to gain inside access to information that led to him making an anonymous ransom request for 50 Bitcoin (around US$2 million at the time).  

The demand was accompanied by a promise to reveal how the hacker had gained access to the network, and to keep the data from being publicly released. 

It was at this point that Sharp’s very brief run of luck started to peter out. 

Ubiquiti refused to cough up and called in the cops instead, according to the indictment. Investigators fairly quickly managed to unmask Sharp because the VPN he’d used to hide his activities had been purchased using his PayPal account. This VPN had also dropped out at some point during his hacking activities, exposing his real IP address. 

Law enforcement raided Sharp’s home soon after in March, but he denied any involvement, claiming someone else had used his PayPal account. 

Despite the intensifying heat, extraordinarily Sharp decided to contact the media as a professed “whistleblower” determined to expose Ubiquiti’s “cover-up” of the breach. 

But the clock was ticking, fast: by this point Ubiquiti had a pretty strong idea that Sharp was behind the attack, even suggesting in a public statement that the perpetrator was someone with “intricate” knowledge of its cloud set-up. Sharp was fired shortly after. 

Now he faces up to 37 years in prison on four separate charges, including hacking and extortion. 

“We allege Mr. Sharp created a twisted plot to extort the company he worked for by using its technology and data against it. Not only did he allegedly break several federal laws, he orchestrated releasing information to media when his ransom demands weren’t met. When confronted, he then lied to FBI agents,” FBI assistant director Michael J Driscoll said in a statement. 

“Mr. Sharp may have believed he was smart enough to pull off his plan, but a simple technical glitch ended his dreams of striking it rich.” 

Picture of Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian Enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.

Contact

Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235

Company

Learn more about the team at the forefront of the Australian Cyber Security scene.

About Us →

Meet the Team →

Partnerships →

Learn more about the team at the forefront of the Australian Cyber Security scene.

Career Opportunities →

Internships →

Media appearances and contributions by Gridware and our staff.

See More →

Services

Services

Whether you need us to take care of security for you, respond to incidents, or provide consulting advice, we help you stay protected.

View all services →

Web App Pen. Test Calculator →

Network Pen. Test Calculator →

Governance & Audit

Legal and regulatory protection

Penetration Testing

Uncover system vulnerabilities

Remote Working & Phishing

Fortify your defenses

Cyber Security Strategy

Adaptation to evolving threats

Cloud & Infrastructure

Secure cloud computing solutions

Gridware 360

End-to-end security suite

Gridware Managed Services

Comprehensive & proactive security

Gridware CloudControl
360

Harness the benefits of cloud technology

Gridware Incident Response 24/7

Swift, expert-led incident resolution

Resources

Resources

A collection of our published insights, whitepapers, customer success stories and more.

Customer success stories from real Gridware customers. Find out how we have helped others stay on top of their Cyber Security.

Read More →