Nickolas Sharp, a former senior developer at Ubiquiti was arrested for secretly stealing gigabytes of confidential files from the New York-based technology company. After stealing the data, Sharp then tried extorting the company for nearly $2 million for the return of the files and the identification of a remaining purported vulnerability. Sharp subsequently re-victimized his employer by causing the publication of misleading news articles about the company’s handling of the breach that he perpetrated, which were followed by a significant drop in the company’s share price associated with the loss of billions of dollars in its market capitalization.
U.S. Attorney Damian Williams said: “As alleged, Nickolas Sharp exploited his access as a trusted insider to steal gigabytes of confidential data from his employer, then, posing as an anonymous hacker, sent the company a nearly $2 million ransom demand. As further alleged, after the FBI searched his home in connection with the theft, Sharp, now posing as an anonymous company whistle-blower, planted damaging news stories falsely claiming the theft had been by a hacker enabled by a vulnerability in the company’s computer systems. Now the alleged theft and lies have been exposed, and Sharp is facing serious federal charges.”
As a senior developer, Sharp had access to the company’s Amazon Web Services and GitHub Inc servers. In December 2020, Sharp continuously misled his administrative access to download gigabytes of confidential data from his employer. For the majority of this cybersecurity incident, Sharp used a virtual private network service that he subscribed to from a company named Surfshark to mask his Internet Protocol (“IP”) address when he accessed Ubiquiti’s AWS and GitHub infrastructure without authorization. At one point during the exfiltration of Company-1 data, Sharp’s home IP address became unmasked following a temporary internet outage at SHARP’s home.
During the course of the incident, Sharp caused damage to Ubiquiti’s computer systems by altering log retention policies and other files, to conceal his unauthorized activity on the network. In or about January 2021, while working on a team remediating the effects of the incident, SHARP sent a ransom note to Ubiquiti, posing as an anonymous attacker who claimed to have obtained unauthorized access to Company-1’s computer networks. The ransom note sought 50 Bitcoin, a cryptocurrency – which was the equivalent of approximately $1.9 million, based on the prevailing exchange rate at the time – in exchange for the return of the stolen data and the identification of a purported “backdoor,” or vulnerability, to Ubiquiti’s computer systems. After Ubiquiti refused the demand, Sharp published a portion of the stolen files on a publicly accessible online platform. Following the publication of these articles, between March 30, 2021, and March 31, 2021, Ubiquiti’s stock price fell approximately 20%, losing over $4 billion in market capitalization.
Sharp, 36, of Portland, Oregon, is charged in four counts. The first count charges him with transmitting a program to a protected computer that intentionally caused damage, which carries a maximum sentence of 10 years in prison. The second count charges transmission of an interstate threat, which carries a maximum sentence of two years in prison. The third count charges wire fraud, which carries a maximum sentence of 20 years in prison. The fourth count charges the making of false statements to the FBI, which carries a maximum sentence of five years in prison.
Contact ITMG to Develop Strategies and Protocols Designed to Help Your Company Mitigate Your Insider Risk
ITMG is an industry leader in helping organizations throughout the United States strengthen their insider risk management programs and secure sensitive data and intellectual property. Our team of bona fide experts has the real-world experience necessary to plan out and create holistic security solutions tailored to the needs and risks in your industry. Contact ITMG today to learn more about how we can help! You can also visit our Facebook, Twitter, and LinkedIn pages for more updates and insights into the world of insider risk management.