Nickolas Sharp, a former Ubiquiti employee who led the network device maker’s cloud team, today pleaded guilty to stealing gigabytes of files from Ubiquiti’s network and attempting to extort his employer while posing as an anonymous hacker and whistleblower.
“Nickolas Sharp’s company entrusted him with confidential information which he exploited and held for ransom,” US Attorney Damian Williams said Thursday.
“Adding insult to injury, when Sharp failed to receive his ransom demands, he retaliated by causing false information about the company to be published, which caused his company’s market capitalization to plummet by over $4 billion.”
Sharp was arrested and charged with data theft and attempted extortion on December 1, 2021.
Billions of dollars in losses after stock decline
Ubiquiti disclosed a security incident in January 2021 following Sharp’s theft of data. While working, as head of the company’s cloud team, to assess the extent of the incident and remediate the effects of the breach, the accused also attempted to extort Ubiquiti while posing as an anonymous hacker.
The ransom note demanded 50 bitcoins (approximately $1.9 million at the time) in exchange for disclosing the vulnerability used to breach the network and returning the stolen files.
Ubiquiti refused to pay and instead changed all employee credentials, discovered and removed a second backdoor from its systems, and issued a security breach notification on January 11.
After the extortion attempt failed, Sharp shared information regarding the incident with the media while impersonating a whistleblower, accusing Ubiquiti of downplaying the breach.
As a result, Ubiquiti’s share price fell nearly 20%, wiping out over $4 billion in market capitalization.
On April 1, after Sharp (posing as a whistleblower) challenged Ubiquiti’s statement and claimed the impact of the incident was huge, the company confirmed that it had been the target of an extortion attempt following the January breach, adding that there was no indication customer accounts were affected.
Sharp also claimed that Ubiquiti lacked a logging system that would have allowed it to verify whether systems or data had been accessed by “the attacker”. His claims, however, line up with the Justice Department’s account of his tampering with the company’s logging systems.
Even though the DOJ has not yet named Sharp’s employer in the indictment or press releases regarding this case, the details match Sharp’s LinkedIn account and previous information on the Ubiquiti breach.
Exposed by internet outage
Sharp stole confidential files from Ubiquiti’s AWS infrastructure (December 10, 2020) and GitHub repositories (December 21 and 22, 2020) using his cloud administrator credentials and cloning hundreds of repositories via SSH, according to the indictment [PDF].
While stealing the data, he tried to hide his personal IP address using the Surfshark VPN service, but his location was revealed after a temporary internet outage.
In further efforts to hide his malicious activity, Sharp also changed retention policies for Ubiquiti’s server logs and other files that would have revealed his identity during the investigation of the incident.
“Among other things, SHARP applied one-day lifecycle retention policies to certain logs on AWS, which would have the effect of removing some evidence of intruder activity within a day,” court documents state.
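The one-day lifecycle policy described in the court documents is exactly the kind of change a defender can audit for. The check below, an added example that is not from the article or from Ubiquiti, flags enabled S3 lifecycle rules that would expire log objects early; the sample configuration, rule IDs and the 90-day threshold are constructed for illustration.

```python
"""Flag S3 lifecycle rules that would delete log objects too quickly.

A real audit would fetch each bucket's rules with
boto3 s3.get_bucket_lifecycle_configuration(Bucket=...); here a constructed
configuration in the same shape ("Rules" list) is embedded so it runs offline.
"""

# Constructed sample: one sane archive rule, one one-day expiration on the
# log prefix (the pattern described in the case), one disabled rule, and one
# short rule on a non-log prefix that should not be flagged.
SAMPLE_LIFECYCLE = {
    "Rules": [
        {"ID": "cloudtrail-archive", "Status": "Enabled",
         "Filter": {"Prefix": "AWSLogs/"},
         "Transitions": [{"Days": 30, "StorageClass": "GLACIER"}],
         "Expiration": {"Days": 365}},
        {"ID": "tmp-cleanup", "Status": "Enabled",
         "Filter": {"Prefix": "AWSLogs/"},
         "Expiration": {"Days": 1}},
        {"ID": "old-disabled", "Status": "Disabled",
         "Filter": {"Prefix": "AWSLogs/"},
         "Expiration": {"Days": 1}},
        {"ID": "scratch", "Status": "Enabled",
         "Filter": {"Prefix": "scratch/"},
         "Expiration": {"Days": 1}},
    ]
}


def short_retention_rules(lifecycle, log_prefixes=("AWSLogs/",), min_days=90):
    """Return enabled rules whose Expiration.Days is below min_days and whose
    prefix overlaps a log prefix. An empty prefix covers the whole bucket, so
    it overlaps everything. Legacy rules carry "Prefix" at the top level
    instead of inside "Filter"."""
    findings = []
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        prefix = rule.get("Prefix")
        if prefix is None:
            prefix = rule.get("Filter", {}).get("Prefix", "")
        overlaps = any(prefix.startswith(p) or p.startswith(prefix)
                       for p in log_prefixes)
        if not overlaps:
            continue
        days = rule.get("Expiration", {}).get("Days")
        if days is not None and days < min_days:
            findings.append({"ID": rule.get("ID"), "Prefix": prefix, "Days": days})
    return findings
```

Pair this with an alert on PutBucketLifecycle API calls in CloudTrail, since a rule added and later removed will not show up in a periodic scan.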
Sharp’s charges carry a maximum sentence of 37 years in prison if convicted. He is due to be sentenced on May 10 by US District Judge Katherine Polk Failla.