[TheRecord] Former Ubiquiti employee charged with hacking and extorting company

An Oregon man and former Ubiquiti Networks employee was arrested and charged today with hacking the company’s servers, stealing gigabytes of information, and then attempting to extort his employer for $2 million when Ubiquiti began investigating the breach.

The suspect, arraigned in a courtroom earlier today, was identified as Nickolas Sharp, 36, of Portland, Oregon. Sharp previously worked as a software engineer in Ubiquiti’s Cloud division from August 2018 to March 2021.

According to an indictment [PDF] unsealed today by the US Department of Justice, Sharp hacked his employer in December 2020 for reasons that are not yet clear.

Sharp modified logs and files to hide intrusion

The FBI said that Sharp used a Surfshark VPN account to hide his real IP address and then proceeded to log into Ubiquiti’s AWS and GitHub accounts using credentials he was assigned at work.

During the course of the hack, officials said that Sharp used his insider access to the company’s network to alter log retention policies and other files in order to hide the intrusion and the subsequent data theft.

However, Ubiquiti eventually discovered the hack, which it formally disclosed to customers via email notifications sent on January 11, 2021.

It seems that someone accessed to @Ubiquiti data hosted in a cloud provider and is asking for password reset to their customers /cc @campuscodi pic.twitter.com/fr7GFjdhnE

— pcsecz (@pcsecz) January 11, 2021

Ironically, Ubiquiti included Sharp in its incident response team, not knowing at the time that he was the one behind the hack.

According to the DOJ and FBI, during the incident response phase, Sharp sent Ubiquiti an anonymous email asking the company to pay 50 Bitcoin (~$2 million at the time) in exchange for the stolen files and information about backdoors and the vulnerability he used to access their network.

Ubiquiti refused to pay and instead called law enforcement, which eventually identified Sharp as the hacker after linking the attacker’s VPN connection to a Surfshark account purchased with Sharp’s PayPal account. The VPN connection also failed during the intrusion, temporarily exposing the attacker’s real IP address, which authorities likewise linked to Sharp.

Authorities said they confronted Sharp with their findings on March 24, when they also searched his home and seized devices, but the suspect denied any wrongdoing and even claimed that someone else might have used his personal PayPal account to pay for the Surfshark VPN used in the attack.

Sharp planted damaging stories in the press

Days after the FBI raided his home, investigators said, Sharp continued his streak of bad decisions: posing as a whistleblower, he reached out to news outlets to plant damaging stories about Ubiquiti’s catastrophic hack and its aftermath.

The story, which initially appeared in KrebsOnSecurity on March 30, was later picked up by other major outlets and led to Ubiquiti’s stock falling more than 20%, losing the company more than $4 billion in market capitalization.

Days after, Ubiquiti confirmed the extortion attempt and, knowing by that point that Sharp was behind the hack, hinted at his identity in a statement, claiming that it had “well-developed evidence that the perpetrator is an individual with intricate knowledge of [its] cloud infrastructure.”

The company fired Sharp days later. The suspect now faces 37 years in prison on four separate charges: hacking, extortion, wire fraud, and lying to an FBI agent.

The post Former Ubiquiti employee charged with hacking and extorting company appeared first on The Record by Recorded Future.

