I wish I was a crime podcast host right now — it’d be my favorite way to tell this tantalizing story about a tech worker hacking his own company, demanding a ransom, and later turning into a ‘whistleblower’ to cover his tracks.
According to a document published by a New York district court, Nikolas Sharp, a former employee of network device maker Ubiquiti, hacked the company’s system and demanded a $2 million ransom. This is just the tip of the iceberg of the story, so let’s unpack what happened.
Who is Nikolas Sharp?
Sharp was a cloud lead at Ubiquiti Networks from August 2018 to March 2021, according to his LinkedIn profile. Prior to this, he worked at companies like Amazon and Nike.
What was the big Ubiquiti security incident?
In January, the company, sent an email to its customers saying that a hacker had gained access to its systems hosted on third-party services —such as AWS — and some customer data including names, email IDs, addresses, and phone numbers may have been exposed. The company, which makes Wi-Fi mesh gears access points primarily for enterprise customers, said it wasn’t aware of any malicious activity on any user’s account.
You can read the full email in the tweet below:
Ubiquiti was breached. Notification emails went out to customers just now. Change your password on your Ubiquiti account pic.twitter.com/pm1ebVbPfS
— Milton Security (@MiltonSecurity) January 11, 2021
At the time of this disclosure, the company wasn’t aware of the hacker’s identity. The fun bit was that Sharp was a part of the team that was investigating the scope of the incident.
What did Sharp actually do?
As a cloud lead, Sharp had access to certain keys to get into the company’s AWS and GitHub repositories. On December 10 last year, he anonymously logged into the company’s AWS account, and a few days later, he accessed the company’s GitHub account. into the GitHub account.
When he gained access to these accounts, he copied some of the company’s sensitive data to his own computer, including more than 155 repositories from GitHub.
On January 7, 2021, the company received an anonymous ransom email stating that if it paid 25 Bitcoins, the hacker would return the stolen data without publishing or using it. The sender also offered to inform the firm about an unprotected backdoor that could have further security implications for another 25 Bitcoins. The total value of 50 Bitcoins at that time was nearly $2 million, but the company didn’t pay that up.
On January 29, Sharp wiped the laptop he used to hack the company’s servers.
How did he get caught?
To mask his identity, Sharp had purchased a license for SurfShark VPN. Court documents suggested that he used this service on multiple devices.
When he was cloning repositories from the company’s GitHub repositories, the power went out at his house, and when he got reconnected, his IP was logged without any protection from the VPN.
That IP address was spotted later during the investigation. In March, The FBI issued a search warrant against Sharp and seized electronics from his house.
The whistleblowing
While the FBI investigation was going on, Sharp allegedly reached out to news organizations as a whistleblower. He told them that Ubiquiti had downplayed the scope and impact of the breach. He also claimed that the company failed to keep records of what accounts were accessing the sensitive data. You can read about Shap’s claims here.
To cover his tracks, Shap had also set auto-deleting commands on logs for AWS, so there would be no trace of activity on the account for more than a day.
So what next?
Sharp has four charges against him including hacking, wire fraud, and extortion, and he could face up to 37 years of prison if all charges are proven. So who’s making a podcast or a limited series on this story?