Ubiquiti hack may have been an inside job, federal charges suggest

The image is by Alex Castro.

The Ubiquiti hack was the work of someone who was an employee of the company, according to an indictment from the Department of Justice. Nickolas Sharp was arrested on Wednesday on accusations that he used his employee credentials to download confidential data and send anonymous demands to the company he worked for in an attempt to get 50 Bitcoins.

The indictment refers to the company only as "Company-1," but the details line up. In January, Ubiquiti sent an email to users saying that an unauthorized party had accessed its information technology systems hosted by a third-party cloud provider. In March, someone claimed that the company couldn't tell the full extent of the attack because it wasn't keeping logs and that the attacker had access to Ubiquiti's Amazon Web Services.

The indictment says the scheme fell apart because of a hiccup.

The indictment states that the company is based in New York, and that the stock price of the company fell by 20 percent after news of the incident broke. On March 29th, Ubiquiti's stock was worth $376.78, but it fell to $298.30 by March 31st.

Sharp posed as a whistleblower to media outlets in late March 2021, the same time a whistleblower accused Ubiquiti of covering up the data breach's severity, despite the company's denial that user data was targeted. We saw a profile on a professional networking site that appears to belong to Sharp and shows him working for Ubiquiti during the time period listed in the indictment.

The DOJ alleges that Sharp accessed the company's accounts after applying for a job at another company. The indictment says that another employee discovered the breach days after Sharp downloaded a lot of confidential data and applied policies to limit logging. The DOJ says Sharp tried to avoid suspicion by being assigned to the response team meant to assess the incident.

The FBI searched Sharp's house.

The indictment states that Sharp sent an email that promised not to publish the data and to help the company patch a back door if he was paid 50 Bitcoins by January 10th, 2021. The DOJ claims that Sharp released some of the data when the company didn't pay the ransom.

The DOJ says that it was able to track down Sharp because of a tiny technical glitch in the service he used to mask his identity while taking data and sending emails. The DOJ says that this happened when Sharp's home internet went down.

The FBI searched Sharp's house after he denied using SurfShark and said someone else used his account to purchase the subscription. The indictment says that Sharp contacted media outlets posing as a whistleblower after the FBI searched his home and seized electronic devices.

If the DOJ can prove that the incident unfolded as described in the indictment, it will cast a new light on the reports of the Ubiquiti hack. The indictment claims that Sharp started the attack using credentials he had been given. In March, Ubiquiti said that attackers didn't access customer data, which does not appear to conflict with the information revealed today.