Getty Images/iStockphoto

Former Ubiquiti engineer arrested for inside threat attack

Nickolas Sharp is accused of attacking his former employer, stealing confidential data and attempting to extort the company into paying him approximately $2 million.

Authorities have charged an alleged insider threat actor with stealing data and secretly extorting his own employer for nearly $2 million.

The Department of Justice (DOJ) announced Wednesday the arrest of Nickolas Sharp, 28, of Portland, Ore., for misusing administrative access to steal confidential data and then attempting to extort the New York-based technology company while working to remediate the security breach he created. While allegedly posing as an anonymous hacker, the DOJ said he "published a portion of the stolen files" on a publicly available platform after the company refused to pay the ransom.

Formerly employed as a senior developer, Sharp's company access included credentials for Amazon Web Services and GitHub servers, which he subsequently abused. According to the indictment, Sharp accessed his employer's GitHub resources and stole source code and product information, cloning 155 repositories. To access those two infrastructures, Sharp allegedly used Surfshark's VPN service.

The indictment claimed Sharp used his personal PayPal account to "purchase a 27-month subscription to Surfshark VPN." However, a temporary internet outage at Sharp's home while he was attempting to exfiltrate data revealed the home IP address, according to the DOJ.

The DOJ did not identify Sharp's employer and only referred to "Company-1" as an entity "headquartered in New York" that "manufactured and sold wireless communications products." However, information about the attack matches the details of a data breach at Ubiquiti, a wireless and IoT device vendor based in New York. Additionally, a LinkedIn account (which has now been deleted) for a Nickolas Sharp of Oregon showed he was a cloud lead at Ubiquiti Networks from Aug. 2018 to March 2021. The indictment states that Nickolas Sharp was "employed by Company-1 in or about August 2018 up to and including on or about April 1." Additionally, the FBI executed the warrant against Sharp in March.

Ubiquiti did not respond to a request for comment.

Ubiquiti attack timeline

The DOJ estimated the start of the insider threat incident to be around December 2020, when Sharp allegedly began abusing company access and posed as an anonymous hacker who breached his company's network.

Ubiquiti informed customers on Jan. 11 that it suffered a "cybersecurity incident that involved unauthorized access" to IT systems. The DOJ alleged that Sharp sent a ransom note during a January security incident in which an "attacker claimed to have obtained unauthorized access to Company-1's computer networks."

Authorities claimed Sharp sent a ransom note demanding Bitcoin, which is commonly used by cybercriminals for ransom payments, while working on a team remediating effects of the incident he caused. However, it wasn't until March 24, 2021, that FBI agents executed a search warrant at his Portland residence and seized electronic devices, including the Surfshark VPN, according to the release.

"When confronted with records demonstrating that Sharp purchased the Surfshark VPN service in July 2020, approximately six months prior to the incident, Sharp falsely stated, in part and substance, that someone else must have used his PayPal account," the release said.

Following the FBI's search of his home in late March, according to the DOJ, Sharp allegedly posed as a whistleblower and "caused false news stories to be published" about the breach. At least one of those stories appears to be an article from infosec journalist Brian Krebs on March 30th, which reported that an anonymous individual claiming to be a security professional at Ubiquiti contacted both the company's whistleblower hotline and European data protection regulators.

According to Krebs' report, the Ubiquiti employee claimed the company downplayed the severity of the breach in email notifications sent to customers in January. But the DOJ said Sharp falsely claimed an external attacker had gained root administrator access to all of the victim's AWS resources; the negative press, according to the DOJ, caused the company's stock price to drop 20%, resulting in a $4 billion decrease in market capitalization.

Ubiquiti responded to Krebs' coverage in a statement on its community forum that said "nothing has changed" with respect to the company's original analysis of the breach, and that no customer data was compromised or even targeted. "At this point, we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure," the statement said. "As we are cooperating with law enforcement in an ongoing investigation, we cannot comment further."

Sharp is being charged on four counts, including transmitting a program to a protected computer that intentionally caused damage, wire fraud and making false statements to the FBI.

SearchSecurity News director Rob Wright contributed to this article.

Dig Deeper on Data security and privacy