Arrest Points to Ubiquiti Breach Being an Inside Job
DOJ: If Convicted, the Former Employee Could Face a 37-Year Prison Term
A former employee of a New York-based technology company has been arrested for stealing confidential data and extorting his employer for nearly $2 million, according to the U.S. Department of Justice.
Charges against Nickolas Sharp, 36, of Portland, Oregon, include transmitting a program to a protected computer to intentionally cause damage, transmitting an interstate threat, wire fraud, and making false statements to FBI agents, the statement says. If convicted, Sharp faces up to 37 years in prison.
While the DOJ statement does not identify the victim, the timeline of events aligns with that of the January Ubiquiti breach. Corroborating the speculation is a LinkedIn account, which appears to be Sharp's, placing him as an employee at the IoT device manufacturer at the time of the breach. Multiple media reports also identify Ubiquiti as the victim.
The U.S. company did not respond to Information Security Media Group's request for additional information and comments.
In January, Ubiquiti disclosed that its information technology systems, which were hosted by a third-party cloud provider, had been accessed by an unauthorized party. No unauthorized activity with respect to any user’s account was detected, the company said.
Ubiquiti said that the attacker had threatened to post the source code and IT credentials that were allegedly compromised during the incident and had attempted to extort the company (see: Ubiquiti Acknowledges Extortion Attempt).
Ubiquiti made this revelation in March, in response to a Krebs on Security article that cited "Adam," a whistleblower at the technology company, as saying that the cyber incident was "much worse" than what Ubiquiti was letting on. "Adam," the article said, had been involved in the "catastrophic" attack's investigation and found that the attacker had gained full read-write access to the company's databases.
In its latest statement, the DOJ says that the FBI searched Sharp's home on March 24, 2021, and seized electronic devices.
Employed at the company from August 2018, the senior developer had access to credentials for its AWS and GitHub servers, the DOJ reports. In December, he misused those credentials to access and download gigabytes of confidential data from his employer, the statement says.
The Justice Department also found that Sharp had used a VPN service from a company called Surfshark to mask his IP address when he accessed the company's AWS and GitHub infrastructure, the statement says, adding that Sharp purchased the VPN service in July 2020.
Sharp denied that he had perpetrated the attack and said he had not used Surfshark prior to the discovery of the incident, adding that "someone else must have used his PayPal account to make the purchase." But the FBI found that "at one point during the exfiltration of [the] company's data, Sharp's home IP address became unmasked following a temporary internet outage at Sharp's home," the DOJ says.
Sharp also caused damage to computer systems by altering log retention policies and other files to conceal his unauthorized activity on the company network, according to the statement.
And he "caused false news stories to be published about the incident, the company’s response to the incident and related disclosures," the DOJ says. This caused the company’s stock price to drop about 20% between March 30 and March 31, resulting in a loss of over $4 billion in the company's market capitalization, it says.
When Ubiquiti refused to pay Sharp's ransom demand of 50 bitcoins - or $1.9 million, according to exchange rates in January 2021 - in exchange for the return of the stolen data and the identification of a purported backdoor, Sharp published a "portion of the stolen files on a publicly accessible online platform," the statement says.
"We allege Sharp created a twisted plot to extort the company he worked for by using its technology and data against it. Not only did he allegedly break several federal laws, he orchestrated releasing information to media when his ransom demands weren't met. When confronted, he then lied to FBI agents. Sharp may have believed he was smart enough to pull off his plan, but a simple technical glitch ended his dreams of striking it rich," says Michael J. Driscoll, assistant director in charge of the New York office at the FBI, in the DOJ statement.
The takeaway for organizations is that attackers can come "from inside the house," so it is necessary to take precautions, such as WORM logging, separation of duty and internal MFA, Casey Ellis, founder and CTO of bug bounty and vulnerability disclosure platform Bugcrowd, tells Information Security Media Group.
"It's also a good reminder that, while these controls serve to deter rational or curious insider threats, they can also be tested in anger if an irrational insider threat is in play," he says.
Ellis describes this as a "bizarre case" in which the attacker was "overconfident in their ability to commit a technically sophisticated crime ... without getting caught."
Although insider attacks are less frequent than those by external threat actors, they are devastating when they occur, says Chris Clements, vice president of solutions architecture at cybersecurity firm Cerberus Sentinel.
"With an insider’s knowledge of business operations and legitimate access to systems and data, they can plan their attack to cause maximal damage. They can also leverage what they know to attempt to evade monitoring or controls that would otherwise make identifying the source of an attack more straightforward, such as knowing exactly how long system logs are kept and timing their actions accordingly," says Clements.
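Two details above are directly detectable from the audit trail the article says the insider tampered with: changes to log retention (Ellis's "WORM logging" point) and a principal whose source address changes mid-session (the "unmasked" home IP). The following is an added example, not code from the article, Ubiquiti or the DOJ: it parses CloudTrail-style JSON records and flags (a) API calls that shorten, stop or delete audit logs and (b) an actor whose source IP changes between two calls inside a short window. The AWS API names are real; the account ID, ARNs, IP addresses and timestamps in the sample records are constructed for the example.

```python
"""Flag audit-log tampering and mid-session source-IP changes in CloudTrail records.

Added example, not from the article. Assumes standard CloudTrail JSON fields
(eventTime, eventSource, eventName, userIdentity.arn, sourceIPAddress,
requestParameters). The sample records are constructed, not from any real incident.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Real AWS API names that shorten, disable or delete audit trails.
# The grouping is this example's choice, not an AWS-defined list.
LOG_TAMPER_EVENTS = {
    "logs.amazonaws.com": {
        "PutRetentionPolicy", "DeleteRetentionPolicy",
        "DeleteLogGroup", "DeleteLogStream",
    },
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
    "s3.amazonaws.com": {
        "PutBucketLifecycle", "PutBucketLifecycleConfiguration",
        "DeleteBucketLifecycle",
    },
}

MIN_RETENTION_DAYS = 90          # shortest retention allowed without review (policy choice)
SESSION_WINDOW = timedelta(hours=2)  # IP flips closer than this are suspicious

# Constructed sample records: fake account id, TEST-NET addresses (RFC 5737).
SAMPLE_RECORDS = [json.dumps(r) for r in [
    {"eventTime": "2021-12-10T03:14:22Z", "eventSource": "logs.amazonaws.com",
     "eventName": "PutRetentionPolicy", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"},
     "requestParameters": {"logGroupName": "/aws/prod/api", "retentionInDays": 1}},
    {"eventTime": "2021-12-10T03:20:05Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"}},
    # same actor, different address 21 minutes later (the "unmasked" pattern)
    {"eventTime": "2021-12-10T03:41:48Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"}},
    {"eventTime": "2021-12-10T04:02:11Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dev-alice"}},
    # benign read-only call by another user
    {"eventTime": "2021-12-10T09:00:00Z", "eventSource": "logs.amazonaws.com",
     "eventName": "DescribeLogGroups", "sourceIPAddress": "192.0.2.5",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
]]


def parse_records(lines):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in lines]


def _when(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_log_tampering(records):
    """Return findings for calls that shrink, stop or delete audit logs."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        if name not in LOG_TAMPER_EVENTS.get(rec.get("eventSource"), ()):
            continue
        params = rec.get("requestParameters") or {}
        detail = ""
        if name == "PutRetentionPolicy":
            days = params.get("retentionInDays")
            if days is not None and days < MIN_RETENTION_DAYS:
                detail = f"retention shortened to {days} days on {params.get('logGroupName')}"
        findings.append({
            "time": rec["eventTime"],
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "ip": rec.get("sourceIPAddress"),
            "event": name,
            "detail": detail,
        })
    return findings


def find_ip_changes(records, window=SESSION_WINDOW):
    """Per actor, flag consecutive calls from different IPs within `window`."""
    by_actor = defaultdict(list)
    for rec in records:
        by_actor[rec.get("userIdentity", {}).get("arn", "unknown")].append(rec)
    changes = {}
    for actor, recs in by_actor.items():
        recs.sort(key=_when)
        for prev, cur in zip(recs, recs[1:]):
            if prev["sourceIPAddress"] != cur["sourceIPAddress"] and _when(cur) - _when(prev) <= window:
                changes.setdefault(actor, []).append({
                    "time": cur["eventTime"],
                    "from_ip": prev["sourceIPAddress"],
                    "to_ip": cur["sourceIPAddress"],
                })
    return changes


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for f in find_log_tampering(recs):
        print("LOG TAMPER", f)
    for actor, flips in find_ip_changes(recs).items():
        print("IP CHANGE", actor, flips)
```

Both detectors only work if the records they read cannot themselves be shortened or deleted by the same credentials, which is the point of Ellis's WORM recommendation: ship CloudTrail to a separate account or an S3 bucket with Object Lock so that a `PutRetentionPolicy` or `StopLogging` call is recorded somewhere the caller cannot reach.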
With ransomware payments routinely reaching the multimillion-dollar threshold, it’s not hard to imagine that trusted insiders may look for a way to leverage their knowledge into a large payout, he tells ISMG.
Clements also says that a ransomware gang could target an organization’s personnel, promising a cut of a ransom payment in exchange for purposefully opening a malicious email attachment or inserting an infected USB drive.