The recent unsealing of a multi-count grand jury indictment against Nickolas Sharp lays out a unique and convoluted series of criminal events. It appears Sharp set out to put around $2 million in his pocket through a data theft and extortion effort, with a twist of “whistleblower” claims launched to confuse investigators in an attempt to exonerate himself.
As with many criminal enterprises, the scheme reached its crumbling point when everything blew up. When Sharp’s employer, Ubiquiti Networks, essentially told the criminal who was extorting it to pound sand, he undoubtedly felt that his grand project was quickly dying.
According to Sharp’s LinkedIn page, he served as the “Cloud Leader” for Ubiquiti from August 2018 to March 2021. By all accounts, he was a trusted member of the Ubiquiti team.
Insider threat: there is a pattern
Any insider threat risk mitigation team will tell you that the most likely time for an employee to violate the processes and procedures that protect a company’s intellectual property or trade secrets is the days immediately before leaving the company.
On December 9, 2020, Sharp began preparing for his departure by applying for a job at a California tech company. That same evening, Sharp reportedly began his foray into his employer’s infrastructure and data stores and started looking around. A few minutes later, the first of the “attacks” took place and the exfiltration of company data began.
What the FBI and the US Attorney say about Sharp
The indictment against Sharp details his alleged crimes, which FBI Deputy Director Michael J. Driscoll sums up well: “We allege that Mr. Sharp created a twisted plot to extort the company he worked for by using his technology and data against it. Not only did he allegedly violate several federal laws, but he orchestrated the release of information to the media when his ransom demands were not met. When confronted, he then lied to FBI agents.”
US Attorney Damian Williams added, “Nickolas Sharp exploited his access as a trusted insider to steal gigabytes of confidential data from his employer and then, posing as an anonymous hacker, sent the company a ransom demand of nearly $2 million. As further alleged, after the FBI raided his home in connection with the theft, Sharp, now posing as an anonymous company whistleblower, filed damaging press reports falsely claiming that the theft was committed by a hacker enabled by a vulnerability in the company’s computer systems.”
Driscoll observed, “Mr. Sharp may have thought he was smart enough to carry out his plan, but a simple technical glitch ended his dreams of getting rich.”
The alleged convoluted series of actions
The court documents allege that Sharp used his authorized access to his employer’s GitHub and AWS servers to download gigabytes of confidential Ubiquiti data. Although we have no way of knowing whether this was Sharp’s first foray into the world of cybercrime, his alleged actions indicate an above-average awareness of the need to remain anonymous when committing one. To this end, Sharp reportedly used the Surfshark virtual private network (VPN) service to hide the IP address associated with his location when he accessed his employer’s data.
On December 9, 2020, and again several times through December 28, 2020, Sharp allegedly cloned and stole his company’s data by abusing his administrative access. He exfiltrated the data through his Surfshark VPN account (acquired in July 2020) to an unidentified location. Unidentified, that is, until the Internet did what the Internet does: it had a problem and suffered an outage. During that outage, the IP address associated with Sharp’s home in Portland, Oregon, was temporarily exposed.
On December 28, a colleague noticed that abnormal activity had occurred, and a team began investigating the unauthorized data exfiltration. Sharp joined this incident response effort.
Sharp, as a member of the incident team, was able to learn what efforts were being made to identify the intruder and to deflect anything that might point to him. It is alleged that these efforts were not passive: he allegedly altered logs and moved data in an attempt to hide his role.
Sharp is also said to have brought down the hammer of his personal greed. He sent anonymous ransom emails to senior Ubiquiti executives, demanding bitcoin in return for the return of the gigabytes of data and the location of the vulnerability within the corporate network. Sharp communicated with Ubiquiti anonymously via Keybase chat.
The company refused to pay the ransom, and Sharp is said to have posted some of the content online.
On January 29, Sharp wiped and reset his computer.
On March 24, the FBI arrived at Sharp’s residence to execute a search warrant and question him. Sharp lied during his interview with FBI special agents. Sharp did not realize it, but it was not the first rodeo for the FBI special agents.
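As an added illustration (not part of the original article, and not code Ubiquiti ran), here is how a defender might screen access logs for the two signals this case turned on: a VPN-masked session that briefly leaks a direct source address, and an administrator pulling an unusual volume of data. The log records, the VPN egress range and the byte threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access records, not data from the indictment. Each row is
# (timestamp, user, action, bytes_transferred, source_ip). Run checks like this
# over logs forwarded to a store the administrators themselves cannot edit.
RECORDS = [
    ("2020-12-09 21:02:00", "admin1", "git.clone",    120_000_000, "203.0.113.17"),
    ("2020-12-09 21:10:00", "admin1", "s3.GetObject", 500_000_000, "203.0.113.17"),
    ("2020-12-09 21:14:00", "admin1", "s3.GetObject", 480_000_000, "198.51.100.42"),
    ("2020-12-09 21:20:00", "admin1", "s3.GetObject", 300_000_000, "203.0.113.17"),
    ("2020-12-10 09:00:00", "dev2",   "git.clone",      2_000_000, "192.0.2.8"),
]
# Assumed VPN provider egress range (documentation prefix used as a placeholder).
VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BULK_BYTES_PER_DAY = 1_000_000_000  # assumed threshold; tune to the environment

def is_vpn_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)

def find_vpn_dropouts(records, window=timedelta(minutes=30)):
    """Return (user, ts, vpn_ip, exposed_ip) for every non-VPN source address
    that shows up within `window` of VPN-sourced activity by the same user,
    i.e. a session whose VPN tunnel dropped and revealed the real address."""
    by_user = defaultdict(list)
    for ts, user, _, _, ip in records:
        by_user[user].append((datetime.fromisoformat(ts), ip))
    hits = []
    for user, events in by_user.items():
        events.sort()
        for ts, ip in events:
            if is_vpn_ip(ip):
                continue
            for ts2, ip2 in events:
                if ip2 != ip and is_vpn_ip(ip2) and abs(ts2 - ts) <= window:
                    hits.append((user, ts.isoformat(sep=" "), ip2, ip))
                    break
    return hits

def find_bulk_transfers(records, threshold=BULK_BYTES_PER_DAY):
    """Return {(user, day): bytes} for users whose daily transfer exceeds threshold."""
    totals = defaultdict(int)
    for ts, user, _, nbytes, _ in records:
        totals[(user, ts[:10])] += nbytes
    return {k: v for k, v in totals.items() if v > threshold}
```

In the constructed data, admin1 is flagged twice: once for the 21:14 record whose source address falls outside the VPN range between two VPN-sourced requests, and once for moving 1.4 GB in a single day.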
A “righteous whistleblower” tries to derail the investigation
With the extortion effort failed and the FBI having questioned him, Sharp reportedly attempted to further obscure his criminal conduct. He attempted to recast himself, albeit anonymously, as a member of the remediation team who, as a righteous whistleblower, had to share information. Sharp is said to have sent emails to the media and regulators with false information designed to portray the company as hip-deep in a cover-up of “catastrophic” proportions. The emails described Ubiquiti as engaged in a full-fledged cover-up. The allegations were plausible, so the presses began to roll. The headlines of March and April 2021 were ruthless.
- The Verge – “Ubiquiti is accused of covering up a ‘catastrophic’ data breach – and it does not deny it”
- KrebsOnSecurity – “Whistleblower: ‘Catastrophic’ Ubiquiti Breach”
- Light Reading – “Latest Ubiquiti Hack Highlights Security Path of Problems for Operators”
- BleepingComputer – “Ubiquiti’s cyberattack may be much worse than what was initially disclosed”
The effect was predictable: as detailed in the indictment, Ubiquiti’s stock value fell 20%, a loss of over $4 billion in market capitalization.
Ubiquiti’s response: investigate and prosecute
To its credit, Ubiquiti held firm and let the process run its course. Its analysis of what had happened on its network showed that the Surfshark VPN connection and Sharp’s IP address were one and the same.
Handing the incident over to the FBI for investigation and the Department of Justice for prosecution ensured that the wheels of justice had a chance to turn. And they did. On November 18, 2021, the grand jury returned an indictment, which remained sealed until Sharp’s arrest on December 1. His terms of release prohibit any devices or Internet access without the approval of U.S. Pretrial Services, and his travel is limited to Oregon and the Southern District of New York (for trial) without prior approval.
Nickolas Sharp is scheduled to appear in court on December 15, 2021.
Copyright © 2021 IDG Communications, Inc.