A bizarre tale: The worker who hacked and ransomed his employer

Share:

Share on facebook
Share on twitter
Share on linkedin

When a “whistleblower” first contacted the media in March this year claiming to have inside information about the damaging hack on technology giant Ubiquiti, his story seemed legit. 

The whistleblower – who had been appointed an incident responder for the breach – alleged Ubiquiti had downplayed the “catastrophic” incident and the “massive risk” it had placed on customer data. 

The media coverage of his claims resulted in a more than 20% in the company’s share price, a loss of about US$4 billion in market capitalisation. 

What no-one knew at the time was just days before the FBI had raided the house of the Ubiquiti software engineer under suspicion, he had had quite a bit more to do with the breach than he was letting on. 

That engineer, Nickolas Sharp, was this week arrested and charged with hacking his employer, stealing troves of sensitive corporate data, and then attempting to ransom the company for US$2 million

According to an indictment unsealed yesterday by the US Department of Justice, why Sharp chose to hack his employer in December 2020 is still uncertain. 

What is clear, allegedly, is that Sharp misused his cloud administrator credentials to access Ubiquiti’s AWS and Github accounts and steal “gigabytes” of data, altering log and other files along the way to cover his tracks. 

Ubiquiti discovered the breach fairly quickly, leading to its public notification to customers the following month. 

Ubiquiti Office Photos | Glassdoor
Despite the intensifying heat, extraordinarily Sharp decided to contact the media as a professed “whistleblower” determined to expose Ubiquiti’s “cover-up” of the breach. 

Unaware of Sharp’s nefarious actions, the company appointed him one of the incident responders tasked with investigating the breach, giving Sharp the opportunity to gain inside access to information that led to him making an anonymous ransom request for 50 Bitcoin (around US$2 million at the time).  

The demand was accompanied by a promise to reveal how the hacker had gained access to the network, and to keep the data from being publicly released. 

It was at this point that Sharp’s very brief run of luck started to peter out. 

Ubiquiti refused to cough up and called in the cops instead, according to the indictment. Investigators fairly quickly managed to unmask Sharp because the VPN he’d used to hide his activities had been purchased using his PayPal account. This VPN had also dropped out at some point during his hacking activities, exposing his real IP address. 

Law enforcement raided Sharp’s home soon after in March, but he denied any involvement, claiming someone else had used his PayPal account. 

Despite the intensifying heat, extraordinarily Sharp decided to contact the media as a professed “whistleblower” determined to expose Ubiquiti’s “cover-up” of the breach. 

But the clock was ticking, fast: by this point Ubiquiti had a pretty strong idea that Sharp was behind the attack, even suggesting in a public statement that the perpetrator was someone with “intricate” knowledge of its cloud set-up. Sharp was fired shortly after. 

Now he faces up to 37 years in prison on four separate charges, including hacking and extortion. 

“We allege Mr. Sharp created a twisted plot to extort the company he worked for by using its technology and data against it. Not only did he allegedly break several federal laws, he orchestrated releasing information to media when his ransom demands weren’t met. When confronted, he then lied to FBI agents,” FBI assistant director Michael J Driscoll said in a statement. 

“Mr. Sharp may have believed he was smart enough to pull off his plan, but a simple technical glitch ended his dreams of striking it rich.” 

Ahmed Khanji

Ahmed Khanji

Ahmed Khanji is the CEO of Gridware, a leading cybersecurity consultancy based in Sydney, Australia. An emerging thought leader in cybersecurity, Ahmed is an Adjunct Professor at Western Sydney University and regularly contributes to cybersecurity conversations in Australia. As well as his extensive background as a security advisor to large Australian enterprises, he is a regular keynote speaker and guest lecturer on offensive cybersecurity topics and blockchain.

Contact

Sydney Offices
Level 12, Suite 6
189 Kent Street
Sydney NSW 2000
1300 211 235

Melbourne Offices
Level 13, 114 William Street
Melbourne, VIC 3000
1300 211 235

Perth Offices
Level 32, 152 St Georges Terrace
Perth WA 6000
1300 211 235

Emergency Assistance

Under Attack?

Please fill out the form and we will respond ASAP. Alternatively, click the button to call us now.