A Justice Department indictment suggests that the Ubiquiti hack reported in January, and subsequent allegations of a cover-up, were the work of someone who was then an employee of the company. The DOJ says Nickolas Sharp, 36, was arrested Wednesday on charges of using his employee credentials to upload confidential data and of sending anonymous requests to the company he worked for, claiming to be a hacker, with the aim of obtaining a ransom of 50 Bitcoin. You can read the full indictment below.
The indictment does not specifically name Ubiquiti, referring only to a “Company-1”. However, all the details align. In January, Ubiquiti sent an email to users saying that an unauthorized party had accessed its “computer systems hosted by a third-party cloud provider.” In March, someone claiming to be a whistleblower called the incident “catastrophic”, alleging that the company could not determine the extent of the attack because it did not keep logs and that the attacker had access to Ubiquiti’s Amazon Web Services (AWS) servers.
The indictment says the company is based in New York City, which is the case with Ubiquiti, and says the company’s stock price fell about 20% between March 30 and March 31, after the incident was announced. According to Yahoo Finance, Ubiquiti’s stock was worth $376.78 on March 29 and fell to $298.30 on March 31.
Perhaps most notable is the claim that Sharp posed as a whistleblower to the media in late March 2021, the same time a whistleblower accused Ubiquiti of covering up the seriousness of the data breach, despite the company’s denial that user data had been targeted. We also looked at a LinkedIn profile that appears to belong to Sharp and shows him working for Ubiquiti during the period stated in the indictment.
The DOJ alleges that Sharp accessed the company’s Amazon Web Services and GitHub accounts after applying for a job at another company in December 2020. The indictment says another employee discovered the violation within days, after Sharp downloaded “gigabytes” of confidential data and applied AWS policies to limit logging. Sharp was reportedly assigned to the response team tasked with assessing the incident, and the Justice Department said he used that position to try to avoid suspicion.
According to the indictment, Sharp sent an anonymous ransom email that promised not to release the data and to help the company fix a backdoor if it was paid 50 Bitcoin by January 10, 2021. The DOJ alleges that Sharp released some of the stolen data when the company failed to pay the ransom.
The DOJ says it was able to track down Sharp due to a small technical glitch: Sharp reportedly used SurfShark VPN to hide his identity while taking data and sending emails, but “in a fleeting case” his real IP address was identified and recorded as a connection to the company’s GitHub. According to the DOJ, this happened when Sharp’s home internet went down and then reconnected.
According to the indictment, this ultimately led the FBI to execute a search warrant on Sharp’s house, where he denied using SurfShark and said someone else had used his PayPal account to purchase the subscription. In a final twist, the indictment says Sharp contacted the media, masquerading as a whistleblower, after the FBI raided his home and seized electronic devices.
If Sharp is found guilty and the DOJ can prove that the incident proceeded as stated in the indictment, it will certainly shed new light on the reports of the Ubiquiti hack. The indictment alleges that Sharp launched the attack using the credentials given to him to do his job. In March, Ubiquiti upheld its claim that attackers did not gain access to customer data, which does not appear to be contradicted by information revealed today.