Former Ubiquiti employee charged with hacking and extorting company
Catalin Cimpanu December 1, 2021


  • US authorities arrest and charge Nickolas Sharp, 36, from Portland, with hacking Ubiquiti Networks in December 2020.
  • Sharp worked as a software developer in Ubiquiti's Cloud division from 2018 to 2021.
  • He used work AWS and GitHub credentials to access the company's network and download gigabytes of proprietary data.
  • He tried to extort the company for 50 BTC ($2 million) in January 2021 in exchange for the stolen data and details about backdoors and vulnerabilities used in the hack.

An Oregon man and a former employee of Ubiquiti Networks was arrested and charged today with hacking the company’s servers, stealing gigabytes of information, and then attempting to extort his employer for $2 million when Ubiquiti began investigating the breach.

The suspect, arraigned in a courtroom earlier today, was identified as Nickolas Sharp, 36, from Portland, Oregon, where he previously worked as a software engineer in Ubiquiti’s Cloud division from August 2018 to March 2021.

According to an indictment [PDF] unsealed today by the US Department of Justice, Sharp hacked his employer in December 2020 for reasons that are not yet clear.

Sharp modified logs and files to hide intrusion

The FBI said that Sharp used a Surfshark VPN account to hide his real IP address and then proceeded to log into Ubiquiti’s AWS and GitHub accounts using credentials he was assigned at work.

During the course of the hack, officials said that Sharp used his insider access to the company’s network to alter log retention policies and other files in order to hide the intrusion and the subsequent data theft.
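Tampering with log retention of the kind described above leaves its own trail: in AWS, changes to CloudWatch Logs retention and to CloudTrail itself are recorded as management events. The following Python is an added detection example, not part of the original article or of Ubiquiti's tooling; the API event names are real AWS actions, while the rule grouping, the 365-day retention floor and the sample records are this example's own assumptions.

```python
"""Flag CloudTrail records that shorten, delete or disable log history."""
from typing import Iterable, Optional

# Real CloudWatch Logs / CloudTrail API names grouped by event source.
# The grouping and the retention floor are this example's assumptions.
TAMPER_EVENTS = {
    "logs.amazonaws.com": {"PutRetentionPolicy", "DeleteRetentionPolicy", "DeleteLogGroup"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail", "UpdateTrail"},
}
MIN_RETENTION_DAYS = 365  # hypothetical minimum an analyst expects to see


def flag_event(event: dict) -> Optional[str]:
    """Return a reason string if the record looks like log tampering, else None."""
    source, name = event.get("eventSource", ""), event.get("eventName", "")
    if name not in TAMPER_EVENTS.get(source, set()):
        return None
    params = event.get("requestParameters") or {}
    actor = event.get("userIdentity", {}).get("arn", "unknown")
    if name == "PutRetentionPolicy":
        days = params.get("retentionInDays")
        if days is None or days >= MIN_RETENTION_DAYS:
            return None  # lengthening retention is not suspicious
        return f"retention cut to {days}d on {params.get('logGroupName')} by {actor}"
    return f"{name} by {actor}"


def scan(records: Iterable[dict]) -> list:
    """Return (eventID, reason) pairs for every flagged record."""
    hits = []
    for rec in records:
        reason = flag_event(rec)
        if reason:
            hits.append((rec.get("eventID", "?"), reason))
    return hits


# Constructed sample records (not real telemetry); field names follow CloudTrail.
DEV = {"arn": "arn:aws:iam::123456789012:user/cloud-dev"}
SAMPLE_EVENTS = [
    {"eventID": "ev-1", "eventSource": "logs.amazonaws.com", "eventName": "PutRetentionPolicy",
     "userIdentity": DEV, "requestParameters": {"logGroupName": "/aws/api/auth", "retentionInDays": 1}},
    {"eventID": "ev-2", "eventSource": "logs.amazonaws.com", "eventName": "PutRetentionPolicy",
     "userIdentity": DEV, "requestParameters": {"logGroupName": "/aws/api/auth", "retentionInDays": 731}},
    {"eventID": "ev-3", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": DEV, "requestParameters": {"name": "org-trail"}},
    {"eventID": "ev-4", "eventSource": "logs.amazonaws.com", "eventName": "DescribeLogGroups",
     "userIdentity": DEV, "requestParameters": None},
    {"eventID": "ev-5", "eventSource": "logs.amazonaws.com", "eventName": "DeleteLogGroup",
     "userIdentity": DEV, "requestParameters": {"logGroupName": "/aws/api/auth"}},
]
```

Running `scan(SAMPLE_EVENTS)` flags ev-1, ev-3 and ev-5 and ignores the read-only call and the retention increase; in practice the records would come from the CloudTrail S3 bucket or a SIEM export.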

However, Ubiquiti eventually discovered the hack, which it formally disclosed to customers via email notifications sent on January 11, 2021.

Ironically, Ubiquiti included Sharp in its incident response team, not knowing at the time that he was the one behind the hack.

According to the DOJ and FBI, during the incident response phase, Sharp sent Ubiquiti an anonymous email asking the company to pay 50 Bitcoin (~$2 million at the time) in exchange for the stolen files and information about backdoors and the vulnerability he used to access their network.

Ubiquiti refused to pay and instead called law enforcement, which eventually identified Sharp as the hacker after linking the attacker’s VPN connection to a Surfshark account purchased with Sharp’s PayPal account. In addition, the VPN connection failed during the intrusion, temporarily exposing the attacker’s real IP address, which authorities also linked to Sharp.

Authorities said they confronted Sharp with their findings on March 24, when they also searched his home and seized devices, but the suspect denied any wrongdoing and even claimed that someone else might have used his personal PayPal account to pay for the Surfshark VPN used in the attack.

Sharp planted damaging stories in the press

Days after the FBI raided his home, investigators said, Sharp continued his streak of bad decisions: he posed as a whistleblower and reached out to news outlets to plant damaging stories about Ubiquiti’s catastrophic hack and its aftermath.

The story, which initially appeared in KrebsOnSecurity on March 30, was later picked up by other major outlets and led to Ubiquiti’s stock falling more than 20%, losing the company more than $4 billion in market capitalization.

Days after, Ubiquiti confirmed the extortion attempt and, knowing by that point that Sharp was behind the hack, hinted at his identity in a statement, claiming that it had “well-developed evidence that the perpetrator is an individual with intricate knowledge of [its] cloud infrastructure.”

The company fired Sharp days later, and the suspect now faces up to 37 years in prison on four separate charges: hacking, extortion, wire fraud, and lying to an FBI agent.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.