When a “whistleblower” first contacted the media in March this year claiming to have inside information about the damaging hack on technology giant Ubiquiti, his story seemed legit.
The whistleblower – who had been appointed an incident responder for the breach – alleged Ubiquiti had downplayed the “catastrophic” incident and the “massive risk” it had placed on customer data.
The media coverage of his claims resulted in a more than 20% in the company’s share price, a loss of about US$4 billion in market capitalisation.
What no-one knew at the time was just days before the FBI had raided the house of the Ubiquiti software engineer under suspicion, he had had quite a bit more to do with the breach than he was letting on.
That engineer, Nickolas Sharp, was this week arrested and charged with hacking his employer, stealing troves of sensitive corporate data, and then attempting to ransom the company for US$2 million.
According to an indictment unsealed yesterday by the US Department of Justice, why Sharp chose to hack his employer in December 2020 is still uncertain.
What is clear, allegedly, is that Sharp misused his cloud administrator credentials to access Ubiquiti’s AWS and Github accounts and steal “gigabytes” of data, altering log and other files along the way to cover his tracks.
Ubiquiti discovered the breach fairly quickly, leading to its public notification to customers the following month.
Unaware of Sharp’s nefarious actions, the company appointed him one of the incident responders tasked with investigating the breach, giving Sharp the opportunity to gain inside access to information that led to him making an anonymous ransom request for 50 Bitcoin (around US$2 million at the time).
The demand was accompanied by a promise to reveal how the hacker had gained access to the network, and to keep the data from being publicly released.
It was at this point that Sharp’s very brief run of luck started to peter out.
Ubiquiti refused to cough up and called in the cops instead, according to the indictment. Investigators fairly quickly managed to unmask Sharp because the VPN he’d used to hide his activities had been purchased using his PayPal account. This VPN had also dropped out at some point during his hacking activities, exposing his real IP address.
Law enforcement raided Sharp’s home soon after in March, but he denied any involvement, claiming someone else had used his PayPal account.
Despite the intensifying heat, extraordinarily Sharp decided to contact the media as a professed “whistleblower” determined to expose Ubiquiti’s “cover-up” of the breach.
But the clock was ticking, fast: by this point Ubiquiti had a pretty strong idea that Sharp was behind the attack, even suggesting in a public statement that the perpetrator was someone with “intricate” knowledge of its cloud set-up. Sharp was fired shortly after.
Now he faces up to 37 years in prison on four separate charges, including hacking and extortion.
“We allege Mr. Sharp created a twisted plot to extort the company he worked for by using its technology and data against it. Not only did he allegedly break several federal laws, he orchestrated releasing information to media when his ransom demands weren’t met. When confronted, he then lied to FBI agents,” FBI assistant director Michael J Driscoll said in a statement.
“Mr. Sharp may have believed he was smart enough to pull off his plan, but a simple technical glitch ended his dreams of striking it rich.”