In January 2021, technology provider Ubiquiti Inc. [NYSE:UI] disclosed that a breach at a third-party cloud provider had exposed customer account credentials. In March, a Ubiquiti employee warned that the company had drastically understated the scope of the incident and that the third-party cloud provider claim was fabricated. On Wednesday, a former Ubiquiti developer was arrested and charged with stealing data and attempting to extort his employer while posing as a whistleblower.
Federal prosecutors say Nicholas Sharp, a senior developer at Ubiquiti, was himself behind the “breach” that forced Ubiquiti to disclose a cybersecurity incident in January. They allege that in late December 2020, Sharp applied for a job at another technology company and then abused his privileged access to Ubiquiti’s systems in Amazon’s AWS cloud service and in the company’s GitHub accounts to download large amounts of proprietary data.
Sharp’s indictment does not specify how much data he allegedly downloaded, but it does say that some of the downloads took hours, and that he cloned about 155 Ubiquiti databases through multiple downloads over nearly two weeks.
On December 28, other Ubiquiti employees spotted the unusual downloads, which used internal company credentials and a Surfshark VPN connection to hide the downloader’s real IP address. Assuming an external attacker had breached its systems, Ubiquiti quickly opened an investigation.
But Sharp was a member of the team doing the forensic investigation, the indictment alleges.
“At the time the defendant was part of a team that worked to assess the extent and damage caused by the incident and to correct its effects, all while concealing his role in carrying out the incident,” prosecutors in the Southern District of New York wrote.
According to the indictment, on January 7 a senior Ubiquiti employee received a ransom email. The message was sent from an IP address associated with the same Surfshark VPN. It warned that Ubiquiti’s internal data had been stolen, and that the information would not be used or published online as long as Ubiquiti agreed to pay 25 bitcoins.
The email also offered to identify a supposedly still-unblocked “back door” used by the attacker in exchange for another 25 bitcoins (the total demand was worth about $1.9 million at the time). Ubiquiti did not pay.
Investigators say they were able to link the downloads to Sharp and his work laptop because his Internet connection briefly failed on several occasions while he was downloading Ubiquiti data. These interruptions were enough to keep Sharp’s Surfshark VPN connection from working properly, exposing his real IP address as the source of the downloads.
When FBI agents raided Sharp’s home on March 24, he claimed he was innocent and told agents that someone else must have used his PayPal account to buy the Surfshark VPN subscription.
A few days after the FBI executed its search warrant, Sharp “caused false or misleading news about the incident” to be published, prosecutors say. Among the claims in these articles was that Ubiquiti had been negligent in keeping the access logs that would have let the company understand the full extent of the intrusion. In reality, the indictment alleges, it was Sharp who had shortened to one day the length of time Ubiquiti’s systems kept certain logs of AWS user activity.
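Shortening audit-log retention is the kind of change a defender wants to alert on automatically, not discover during a later investigation. The following is an added example, not code from the article or from Ubiquiti: it assumes (the article does not say) that the AWS user-activity logs were CloudWatch Logs groups whose retention is set with `PutRetentionPolicy` and that CloudTrail records those calls as JSON events, and it runs over constructed sample records.

```python
"""Added defensive example: flag AWS audit-log retention being cut short.

Assumes (not stated on the page) that the logs were CloudWatch Logs groups whose
retention is set with PutRetentionPolicy, recorded by CloudTrail as JSON events."""
import json

RETENTION_FLOOR_DAYS = 90  # constructed policy floor for this example

# Constructed CloudTrail-style records, not real Ubiquiti data; account id,
# ARNs and IPs are documentation placeholders.
SAMPLE_RECORDS = [
    {"eventTime": "2020-12-20T02:11:09Z", "eventSource": "logs.amazonaws.com",
     "eventName": "PutRetentionPolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"logGroupName": "/audit/aws-api", "retentionInDays": 1}},
    {"eventTime": "2020-12-20T02:15:41Z", "eventSource": "logs.amazonaws.com",
     "eventName": "PutRetentionPolicy", "sourceIPAddress": "198.51.100.22",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/infra-admin"},
     "requestParameters": {"logGroupName": "/app/web", "retentionInDays": 365}},
    {"eventTime": "2020-12-20T02:20:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev-alice"},
     "requestParameters": {"bucketName": "example-bucket", "key": "dump.sql"}},
]


def retention_alerts(records, floor_days=RETENTION_FLOOR_DAYS):
    """Return one alert per PutRetentionPolicy call that sets retention below floor_days."""
    alerts = []
    for ev in records:
        # Only CloudWatch Logs retention changes matter here; everything else is skipped.
        if ev.get("eventSource") != "logs.amazonaws.com" or ev.get("eventName") != "PutRetentionPolicy":
            continue
        params = ev.get("requestParameters") or {}
        days = params.get("retentionInDays")
        if isinstance(days, int) and days < floor_days:
            alerts.append({
                "time": ev.get("eventTime"),
                "actor": ev.get("userIdentity", {}).get("arn", "unknown"),
                "source_ip": ev.get("sourceIPAddress"),
                "log_group": params.get("logGroupName"),
                "retention_days": days,
            })
    return alerts


if __name__ == "__main__":
    for alert in retention_alerts(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

Because the insider in this case sat on the forensics team, alerts like these belong in a destination that the administrators under investigation cannot read or suppress.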
“Following the publication of these articles, between Tuesday, March 30, 2021 and Wednesday, March 31, [Ubiquiti’s] share price fell by about 20%, and it lost more than four billion dollars in market value,” the indictment reads.
Sharp faces four criminal charges, including wire fraud, intentional hacking of protected computers, transmitting interstate communications with intent to extort, and making false statements to the FBI.
News of Sharp’s arrest was first reported by BleepingComputer, which noted that while the Department of Justice did not name Sharp’s employer in its press release or in the indictment, all of the details are consistent with earlier reporting on the Ubiquiti incident and with the information on Sharp’s LinkedIn profile. The indictment is available here (PDF).