Ubiquiti breach an inside job, says FBI and DoJ

Investigators claim Ubiquiti employee Nikolas Sharp stole company data and then played the role of whistleblower to draw attention away from is actions.

CSO slideshow - Insider Security Breaches - Two-faced businessman removes his mask in a binary world
Stockfinland / Getty Images

The recent unsealing of a grand jury multi-count indictment for Nikolas Sharp provides a unique and convoluted series of criminal events. It seems Sharp undertook to put approximately $2 million into his pocket via a data theft and extortion effort, with a twist of “whistleblower” claims thrown in to confuse investigators in an attempt at self-exoneration.

As with many criminal enterprises, they reach their point of collapse when everything goes toes up. When Sharp’s employer Ubiquiti Networks essentially told the criminal extorting them to pound sand, they no doubt felt this grand scheme was dying a fast death.   

According to Sharp’s LinkedIn page, he had the role of “cloud lead” for Ubiquiti from August 2018 to March 2021. By all accounts, he was a trusted member of the Ubiquiti team.

Insider threat, there is a pattern

Every insider threat risk mitigation team will tell you the most probable time when an employee is likely to violate the processes and procedures put in place to protect the intellectual property or trade secrets of a company is the days immediately prior to their departure from the company.  

On December 9, 2020, Sharp began shaping his departure with an application for a position at a California technology company. That same evening Sharp allegedly began his foray into his employer’s infrastructure and data stores and began running searches. Minutes later, the first of the “attacks” takes place and exfiltration of company data begins.  

What the FBI and U.S. attorney say about Sharp

The redacted indictment of Sharp details his alleged crimes, which FBI Assistant Director Michael J. Driscoll sums up nicely: “We allege Mr. Sharp created a twisted plot to extort the company he worked for by using its technology and data against it. Not only did he allegedly break several federal laws, he orchestrated releasing information to media when his ransom demands weren't met. When confronted, he then lied to FBI agents.”

U.S. Attorney Damian Williams added, “Nickolas Sharp exploited his access as a trusted insider to steal gigabytes of confidential data from his employer, then, posing as an anonymous hacker, sent the company a nearly $2 million ransom demand.  As further alleged, after the FBI searched his home in connection with the theft, Sharp, now posing as an anonymous company whistleblower, planted damaging news stories falsely claiming the theft had been by a hacker enabled by a vulnerability in the company’s computer systems.”

Driscoll observed, “Mr. Sharp may have believed he was smart enough to pull off his plan, but a simple technical glitch ended his dreams of striking it rich.”

The alleged convoluted series of actions

The court documents allege Sharp leveraged his authorized access to his employer’s GitHub and AWS servers to download gigabytes of confidential Ubiquiti data. While we have no way of knowing whether this was Sharp’s first foray into the world of cybercrime. His alleged actions point toward an above-average awareness on the need to be anonymous when committing a cybercrime. To that end, Sharp allegedly used the Surfshark virtual private network (VPN) service to mask the IP address associated the locale for when he accessed his employer’s data.

On December 9, 2020, and again multiple times through December 28, 2020, Sharp allegedly cloned and stole his company’s data by misusing his administrative access. He exfiltrated the data via his Surfshark VPN account (acquired in July 2020) to an unidentified location. Unidentified, that was until the internet did what the internet does: It glitched and suffered an outage. During this outage, the IP address associated with Sharp’s Portland, Oregon, residence was temporarily unmasked.

On December 28 a colleague discovered anomalous activity having occurred and a team begins investigating the unauthorized exfiltration of data. Sharp joined this incident response effort.

Sharp as a member of the “incident” team is in position to know what efforts were being undertaken to identify the intruder and attempt to deflect attention away from anything that might point the finger at him. It is alleged that these efforts weren’t passive and that he would adjust logs and shift data in an attempt to hide his role.

Sharp also allegedly lowered the hammer of his personal greed. He sent anonymous ransom emails to senior Ubiquiti employees, demanding bitcoins in exchange for the return of the gigabytes of data and revelation of where the vulnerability within company’s network existed. Sharp would anonymously communicate via Keybase chat with Ubiquiti.

The company demurred on paying the ransom; Sharp allegedly published some of the content online.

On 29 January, Sharp wipes and resets his computer.

On 24 March, the FBI arrives at Sharp’s residence to execute a search warrant and interview Sharp. Sharp dissembles during his interview with the FBI special agents. Sharp doesn’t realize it, but it wasn’t the first rodeo for the special agents of the FBI.

“Righteous whistleblower” attempts to derail investigation

With the extortion effort fizzled and the FBI having interviewed him, Sharp allegedly attempted to further obfuscate his criminal conduct. He attempted to rebrand himself, albeit anonymously, as a member of the remediation team who as a righteous whistleblower must share information. Sharp allegedly sends out emails to both media and regulatory entities with false information designed to paint the company as hip-deep in a cover up of “catastrophic” proportions. The emails painted Ubiquiti as undertaking a full-blown coverup. The allegations were plausible and thus the printing presses began to churn. The headlines in March and April 2021 were merciless.  

  • The Verge - “Ubiquiti is accused of covering up a ‘catastrophic data breach – and it’s not denying it”
  • KrebsonSecurity – “Whistleblower: Ubiquiti Breach ‘Catastrophic’”
  • Lightreading – “Ubiquiti’s latest hack highlights trouble security path for operators”
  • Bleeping Computer – “Ubiquiti cyberattack may be far worse than originally disclosed”

The effect was predictable, as detailed in the indictment, the value of Ubiquiti fell 20% causing a loss of over $4 billion in market capitalization value.

Ubiquiti’s response: Investigate and prosecute

To its credit Ubiquiti stuck to its guns and allowed the process to proceed. Its forensics showed what had occurred on their network: The SurfShark VPN and the Sharp IP addresses as being one and the same.

Turning the incident over to the FBI for investigation and the Department of Justice for prosecution ensures the wheels of justice are given the opportunity to turn. And turn they did. On November 18, 2021, the grand jury returned an indictment, which was sealed and only upon Sharp’s arrest December 1 was it unsealed. His conditions for release include no device or internet access without U.S. Pretrial Services approval, and his travel is limited to Oregon and to the Southern District of New York for trial without prior approval.

Nikolas Sharp is to appear in court on December 15, 2021.

Copyright © 2021 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline