The hacker attack disclosed by Ubiquiti in January 2021 was actually conducted by a former employee, according to the Justice Department, which announced charges against the individual on Wednesday.
The US-based communications and IoT device maker informed customers in January that it had suffered a data breach involving systems hosted by a third-party cloud services provider. The company said at the time that it had no evidence of user data being compromised, but couldn’t definitively rule it out, so it advised customers to change their passwords as a precaution.
In late March, someone claiming to be a Ubiquiti employee involved in investigating the incident contacted cybersecurity blogger Brian Krebs, claiming that the company had downplayed the impact of what they described as a “catastrophic” breach. The report led to a significant drop in the value of Ubiquiti shares.
The source told Krebs at the time that the attacker had gained root access to all Ubiquiti AWS accounts, including credentials and other sensitive information.
On Wednesday, the Justice Department announced charges against a former Ubiquiti employee and shared information on what allegedly happened between December 2020 and March 2021.
According to the FBI, 36-year-old Nickolas Sharp of Portland, Oregon, who had been employed by Ubiquiti since August 2018, was behind the “hack.” He allegedly did not need an exploit at all: he simply misused his administrative access to download gigabytes of confidential data from the company’s GitHub repositories and AWS infrastructure.
Sharp was assigned to the team investigating the apparent breach and, in January, he sent Ubiquiti a ransom note claiming to be an anonymous hacker and threatening to leak the stolen information unless he was paid 50 bitcoin — worth roughly $1.9 million at the time.
Authorities also claim that Sharp was the “whistleblower” who reached out to Brian Krebs in late March to claim that the breach had been more serious than Ubiquiti admitted.
Before Krebs published his article in late March, the FBI executed a search warrant at Sharp’s home in Portland. The FBI had identified him based on an IP address and a PayPal account. The unauthorized access to Ubiquiti systems was routed through the Surfshark VPN, but the Surfshark subscription had been purchased with a PayPal account registered to Sharp. In addition, at one point an internet outage at Sharp’s home caused a problem with Surfshark, which resulted in his real home IP address being used to access Ubiquiti systems.
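The two traces described above, an administrator pulling unusual volumes of data and a session that briefly falls off a commercial VPN exit onto an unrelated address, are both visible in ordinary cloud access logs. The following is an added example, not code from the article or from Ubiquiti, of how a defender could surface both from CloudTrail-style records. The event rows, the principal names, the VPN exit range 45.12.0.0/16 and the corporate range 10.0.0.0/8 are all constructed for illustration and are not the incident's real data or Surfshark's real addresses.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample events in a CloudTrail-like shape (hypothetical data, not
# the incident's real logs): (timestamp, IAM principal, source IP, action, bytes).
EVENTS = [
    ("2020-12-10T02:00:00Z", "cloud-admin-1", "45.12.1.7",    "s3:GetObject", 400_000_000),
    ("2020-12-10T02:05:00Z", "cloud-admin-1", "45.12.1.7",    "s3:GetObject", 600_000_000),
    ("2020-12-10T02:09:00Z", "cloud-admin-1", "203.0.113.55", "s3:GetObject", 300_000_000),
    ("2020-12-10T02:14:00Z", "cloud-admin-1", "45.12.1.9",    "s3:GetObject", 900_000_000),
    ("2020-12-10T09:30:00Z", "ci-deploy",     "10.20.3.4",    "s3:GetObject",   2_000_000),
    ("2020-12-11T10:00:00Z", "alice",         "10.20.3.9",    "s3:GetObject",   5_000_000),
]

# Assumed address ranges (hypothetical; a real deployment would load corporate
# ranges from inventory and commercial VPN exit ranges from a threat-intel feed).
VPN_EXIT_RANGES = [ipaddress.ip_network("45.12.0.0/16")]
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8")]


def classify_ip(ip: str) -> str:
    """Return 'corporate', 'vpn' or 'other' for a source address."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in CORPORATE_RANGES):
        return "corporate"
    if any(addr in net for net in VPN_EXIT_RANGES):
        return "vpn"
    return "other"


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_vpn_dropouts(events, window_minutes=15):
    """Flag a principal whose activity moves from a commercial VPN exit to an
    unrelated address within a short window. That is the trace a VPN
    kill-switch failure leaves behind, and the address an investigator pivots on.
    Returns a list of (principal, leaked_ip, timestamp)."""
    by_principal = defaultdict(list)
    for ev in events:
        by_principal[ev[1]].append(ev)
    hits = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: _ts(e[0]))
        for prev, cur in zip(evs, evs[1:]):
            gap_min = (_ts(cur[0]) - _ts(prev[0])).total_seconds() / 60
            if (classify_ip(prev[2]) == "vpn" and classify_ip(cur[2]) == "other"
                    and gap_min <= window_minutes):
                hits.append((principal, cur[2], cur[0]))
    return hits


def find_bulk_downloads(events, threshold_bytes=1_000_000_000):
    """Sum object reads per principal per UTC day and return the totals that
    exceed the threshold, keyed by (principal, day)."""
    totals = defaultdict(int)
    for ts, principal, _ip, action, nbytes in events:
        if action == "s3:GetObject":
            totals[(principal, ts[:10])] += nbytes
    return {k: v for k, v in totals.items() if v >= threshold_bytes}


if __name__ == "__main__":
    for hit in find_vpn_dropouts(EVENTS):
        print("VPN dropout, pivot on this address:", hit)
    for (principal, day), total in find_bulk_downloads(EVENTS).items():
        print(f"bulk download: {principal} read {total / 1e9:.1f} GB on {day}")
```

On the constructed data the first check isolates the single read from 203.0.113.55 sandwiched between VPN-exit reads, and the second flags cloud-admin-1 for 2.2 GB of object reads in one day. In practice the thresholds belong in a per-role baseline rather than a constant, and a read from outside both corporate and VPN ranges by a cloud administrator is worth an alert on its own.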
When Ubiquiti issued a statement in response to Krebs’ article, the company said it had evidence that someone with “intricate knowledge” of its cloud infrastructure had been the perpetrator.
Sharp has been charged with transmitting a program to a protected computer that intentionally caused damage, transmission of an interstate threat, wire fraud, and making false statements to the FBI. Each of these charges carries a maximum prison sentence of between two and 20 years.
It’s worth noting that Ubiquiti is not actually named in the DOJ’s indictment or press release, but it’s clear that the charges are related to the Ubiquiti hack.