Former Ubiquiti employee Nickolas Sharp has admitted in court to abusing company-provided credentials to steal data and then attempting to extort the company, the Department of Justice announced.
Sharp, 37, of Portland, Oregon, worked at the New York City-based IoT device maker between August 2018 and April 2021, as a senior developer who had access credentials for Ubiquiti’s AWS and GitHub servers.
In December 2020, he abused his administrative credentials to download confidential data using the Surfshark VPN to hide his IP address. However, during an outage at his home, the IP address became unmasked, court documents reveal.
To hide his unauthorized activity, Sharp modified log retention policies and other files.
In January 2021, Ubiquiti alerted users of a data breach at one of its third-party cloud providers, saying that it had no indication of user data being accessed during the incident.
Around the same time, Sharp, who was helping with the investigation into the data breach, sent a ransom note to Ubiquiti, claiming he was an anonymous attacker who had access to the company’s network.
In the ransom note, he asked the company to pay 50 bitcoin (roughly $1.9 million at the time) in exchange for returning the stolen data and revealing the backdoor he had purportedly installed on Ubiquiti’s network. After the company refused to pay, he published some of the stolen data online.
In March 2021, the FBI searched Sharp’s home and seized electronic devices containing evidence of his actions. When confronted with the evidence, Sharp lied about accessing the company’s data without authorization and about purchasing a VPN to hide his activity.
Several days after the search, claiming to be an anonymous whistleblower within Ubiquiti, Sharp provided investigative journalist Brian Krebs with false information about the incident, claiming that a hacker had gained root administrator access to Ubiquiti’s AWS accounts.
In fact, it was Sharp who used credentials he had access to as a Ubiquiti employee to steal company data. The DoJ announced charges against Sharp in December 2021.
The company’s shares fell approximately 20% following the publication of the false information about the incident, causing a loss of $4 billion in market capitalization.
Sharp pleaded guilty to the breach, to wire fraud, and to making false statements to the FBI. He faces up to 35 years in prison. His sentencing is scheduled for May 10, 2023.
The DoJ’s indictment and press release do not mention Ubiquiti specifically, but it’s clear that Sharp admitted to being the perpetrator behind the Ubiquiti incident.