Sometime between December 2020 and January 2021, multinational network device maker Ubiquiti discovered an issue with its cloud network. There was damage to its access log system, making it impossible to track database activities. Initially, the problem seemed rudimentary. But as a precaution, Ubiquiti reset employee credentials and tasked several engineers and developers to fix the snag.

The team soon found a backdoor within the company’s systems, suggesting that the error might not be accidental. Soon after, Ubiquiti’s fears were confirmed – they received a ransom demand.

An Infiltrator in the Network

An anonymous hacker claimed to have stolen gigabytes of data from the company’s AWS and GitHub servers. For a bitcoin ransom of almost $2 million, they promised to return the files. And as a sweetener to the deal, they would also disclose details of another backdoor that was yet to be exploited.

Ubiquiti refused. 

Instead, the company’s threat response team got to work, hunting for evidence of the hacker’s activities. Engineers soon found the backdoor, but the perpetrator had used a virtual private network (VPN) to mask their location. Coupled with the deactivated logs, it was going to be difficult for Ubiquiti to know just who took the data or where it had ended up.

The Hacker Ups the Stakes

Seemingly frustrated by Ubiquiti’s refusal to pay up, the hacker published some of the stolen files on the web. 

Still, Ubiquiti did not surrender. It did, however, have a legal obligation to make a public statement about the hack. “We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider,” the company said in an email to customers that January. “We have no indication that there has been unauthorized activity with respect to any user’s account.”

A Whistleblower Emerges

A handful of months later, doubts about Ubiquiti’s handling of the incident surfaced.

In late March 2021, renowned security writer Brian Krebs published a story featuring input from someone claiming to have played a role in Ubiquiti’s threat response. The individual – pseudonymously known as Adam – alleged the incident was “catastrophically worse” than Ubiquiti had described, and that “customer data was at risk.” 

Adam also told Krebs the hacker had privileged credentials, allowing them broad access to Ubiquiti’s network. The whistleblower also suggested Ubiquiti had not implemented proper database logging protocols, making it impossible for the company to know what data was stolen.

In response to the Krebs on Security report, Ubiquiti claimed experts had determined there was “no evidence that customer information was accessed, or even targeted.” The firm also said it had “well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure.” 

Still, despite the pushback, Ubiquiti’s share price dropped almost 20 percent, wiping more than $4 billion from its market capitalization.

The Unmasking of the Hacker and the Whistleblower

In early December 2021 – approximately a year after the breach of Ubiquiti’s cloud systems – the story took another curious turn: the hacker and Adam the whistleblower were supposedly the same person. And even more intriguing, that individual was allegedly a former Ubiquiti employee who had also played a role in the company’s threat response.

As prosecutors from the Southern District of New York explained, Nickolas Sharp, an Oregonian in his late twenties, had worked for Ubiquiti as a senior developer. Sharp allegedly used his network privileges to download large volumes of data from Ubiquiti’s cloud systems onto his home setup. In order to cover his tracks, Sharp is said to have deliberately altered the company’s log retention policies, as well as other key files. 

As an extra precaution, prosecutors claim Sharp carried out the secretive raids using SurfShark’s VPN service, allowing him to obfuscate his location and identity. However, at some point during these activities, Sharp’s internet connection supposedly dropped out, meaning that, for a brief period, Ubiquiti’s system captured his details.

Using this information, the FBI carried out a search warrant on Sharp’s home in March 2020. According to the indictment against him, Sharp provided the agency with multiple false statements, including a claim that he hadn’t purchased SurfShark VPN despite evidence to the contrary. The prosecutors say it was soon after this event that Sharp tried to turn whistleblower, subsequently damaging the company’s standing with Wall Street.

At the time of writing, Sharp is facing multiple federal charges, though he is yet to be convicted. Therefore, the claims against him remain just that, and Sharp is presumed innocent unless proven otherwise in a court of law. However, while the ex-Ubiquiti developer’s future remains undecided, there’s no reason a company has to leave its fate in the hands of others.

iThreat was Designed to Identify Internal and External Critical Signals

As convoluted as Ubiquiti’s situation might seem, it’s not so unusual for a threat to emerge from within an organization. From disgruntled employees to scheming interlopers, there have been many instances where trust has been weaponized against a firm, causing untold damage to the business. Fortunately for employers, iThreat offers a suite of tools for handling such situations.

With iThreat’s SignalAlert system, companies can monitor for comments and discourse posted across the web that may indicate growing discontent within the ranks or a potential threat is being planned. And thanks to iThreat’s smart analysis and investigative services, it’s possible to sort between harmless chatter and more serious situations, allowing companies to only focus on actionable intelligence.

Of course, should a rogue employee post internal data to the public internet, iThreat’s SignalAlert will quickly identify that information so you can respond. Whether that’s the dark web, internet forums, or even social media sites, SignalAlert will let you know what’s out there and just where to find it before it’s too late.

Get the latest news from iThreat to your inbox

Enter your email below to stay up-to-date on the latest threat intelligence news and resources.

    Email Address
    About iThreat

    About iThreat

    Founded in 1997, iThreat has assisted hundreds of clients with thousands of internet monitoring and investigations, including multiple successful multinational law enforcement operations.

    Learn More
    About iThreat