Ubiquiti developer accused of extortion, causing 2020 “breach” - Krebs on Security

In January 2021, technology supplier Ubiquiti [NYSE:UI] disclosed that a breach at a third-party cloud provider had exposed customer account credentials. In March of this year, a Ubiquiti employee warned that the company had seriously underestimated the scope of the incident, and that the third-party cloud provider claim was fabricated. On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and trying to blackmail his employer by pretending to be a whistleblower.

Federal prosecutors said Nicholas Sharp, a senior Ubiquiti developer, actually caused the “breach” that forced Ubiquiti to disclose a cybersecurity incident in January. They claimed that in late December 2020, Sharp applied for a job with another technology company and then abused his privileged access to Ubiquiti's systems in Amazon's AWS cloud service and to the company’s GitHub account, downloading a large amount of proprietary data.

Sharp’s indictment did not specify how much data he allegedly downloaded, but stated that some of the downloads took several hours, and that he cloned approximately 155 Ubiquiti data repositories through multiple downloads in the past two weeks.

On December 28, other Ubiquiti employees discovered the abnormal downloads, which had used internal company credentials and a Surfshark VPN connection to hide the real Internet address of the downloader. Assuming an external attacker had compromised its security, Ubiquiti quickly launched an investigation.

But the indictment stated that Sharp was a member of the team conducting the forensic investigation.

The attorney for the Southern District of New York wrote: “At the time, the defendant was part of a team that assessed the scope and damage of the incident and remedied its impact, while concealing his role in the incident.”

According to the indictment, on January 7, a senior Ubiquiti employee received a blackmail email. The message was sent through an IP address associated with the same Surfshark VPN. The ransom message warned that Ubiquiti’s internal data had been stolen, and that the information would not be used or published online as long as Ubiquiti agreed to pay 25 bitcoins.

The ransom email also offered to identify a purportedly still unblocked “backdoor” used by the attacker in exchange for another 25 bitcoins (the total amount requested at the time was approximately $1.9 million). Ubiquiti did not pay the ransom demand.

Investigators stated that they were able to associate the download with Sharp and his work laptop because his Internet connection failed several times briefly while downloading Ubiquiti data. These interruptions were enough to prevent Sharp’s Surfshark VPN connection from functioning properly—thus exposing his Internet address as the source of the download.

When an FBI agent raided Sharp’s residence on March 24, Sharp reportedly insisted that he was innocent and told the agent that someone else must have used his PayPal account to purchase a Surfshark VPN subscription.

Prosecutors said that a few days after the FBI executed the search warrant, Sharp “caused the publication of false or misleading news reports about the incident.” One of the claims in these news reports was that Ubiquiti had neglected to keep access logs that would have allowed the company to understand the full scope of the intrusion. In fact, the indictment alleges that Sharp had shortened the time that the Ubiquiti systems kept certain user activity logs in AWS to one day.

“After these articles were published, between Tuesday, March 30, and Wednesday, March 31, 2021, [Ubiquiti’s] stock price fell by about 20% and the market value loss exceeded US$4 billion,” the indictment stated.

Sharp faces four criminal charges, including wire fraud, deliberately damaging protected computers, transmitting interstate communications for extortion purposes, and making false statements to the FBI.

News of Sharp’s arrest was first reported by BleepingComputer, which wrote that although the Department of Justice did not name Sharp’s employer in its press release or indictment, all details are consistent with previous reports on the Ubiquiti incident and with Sharp’s LinkedIn account. The link to the indictment is here (PDF).
