Attacker unmasked by VPN flubs charged with Ubiquiti hack

A veritable barn-stormer of an insider threat story has recently come to light.

A former employee of Ubiquiti Networks, Nickolas Sharp, has been arrested and charged for allegedly hacking company servers, stealing gigabytes of information, and then rounding it all off with a splash of extortion. This took place in December of last year, but there’s no clear reason (yet) for why he did any of it.

The alleged perpetrator might have gotten away with it too, but for several disastrous choices which ultimately led to his downfall.

Covering his tracks

Sharp clearly put some thought into the attack. Many people would perhaps just blunder across the network, leaving large but unintentional “It was me” footprints all over the place. Not so here… he made use of his network access to alter logs and more, throwing a blanket over what was actually taking place. Cleverly, he used a VPN to hide his details while doing this.

He probably thought he’d gotten away with it. However, breaches do get discovered eventually. The clock was ticking. The question was: Had he done enough?

The answer was no, he hadn’t.

Finding himself on the incident response team investigating his own attack(!), he’s alleged to have threatened to release data stolen from his employer if a ransom demand for 50 bitcoin (roughly $2 million when this all took place) wasn’t paid. According to the US Department of Justice, he then released some of the files when the ransom wasn’t forthcoming. None of this is really conducive to keeping a low profile, and the wheels started to come off.

Anonymous—up to a point

If you’re up to no good and relying on anonymity to protect you, even the slightest connection to your real life can bring the whole scheme crashing down.

Sharp’s attempts to avoid detection apparently rested on his use of a VPN. This, in theory, would keep his real IP address hidden. Law enforcement had other ideas, working out a connection between the VPN account used to attack Ubiquiti and one used to create Sharp’s PayPal account.

The real kicker is that when his home internet briefly went down, so too did the VPN, and his real IP showed up as connecting to the previously mentioned workplace GitHub account.
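The VPN dropout described above leaves a recognisable trace in any access log that records a source address per request: an account that has been active from a VPN exit suddenly shows up from an address outside those ranges, then goes back. The following is an added example, not code from the article or from Ubiquiti, that scans constructed access-log lines for exactly that pattern. The VPN exit ranges, the account names and the log lines are all made up for illustration.

```python
"""Flag accounts whose source address falls out of a known VPN exit range
mid-session (the "VPN dropout" pattern described in the article).

Added example; the VPN exit ranges, account names and log lines below are
constructed and do not come from the article or from any real incident.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed: exit ranges of the commercial VPN the account normally uses.
VPN_EXIT_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed access-log lines: "<ISO timestamp> <account> <source ip> <action>"
SAMPLE_LOG = """\
2020-12-10T02:01:13Z devops-svc 203.0.113.17 clone repo=infra-config
2020-12-10T02:04:52Z devops-svc 203.0.113.17 clone repo=internal-tools
2020-12-10T02:05:40Z devops-svc 192.0.2.88 clone repo=internal-tools
2020-12-10T02:06:02Z devops-svc 203.0.113.17 clone repo=firmware-builds
2020-12-10T09:15:00Z alice 192.0.2.45 push repo=docs
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action = line.split(maxsplit=3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "ip": ipaddress.ip_address(ip),
            "action": action,
        })
    return events


def is_vpn_exit(ip):
    """True if the address lies inside one of the known VPN exit ranges."""
    return any(ip in net for net in VPN_EXIT_RANGES)


def find_vpn_dropouts(events, window=timedelta(minutes=10)):
    """Return (user, vpn_ip, leaked_ip, timestamp) tuples for every event
    where an account that was just active from a VPN exit connects from a
    non-VPN address within `window`. The leaked address is the one an
    investigator would correlate with other records."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(ev["user"], []).append(ev)

    findings = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if (is_vpn_exit(prev["ip"])
                    and not is_vpn_exit(cur["ip"])
                    and cur["ts"] - prev["ts"] <= window):
                findings.append((user, str(prev["ip"]), str(cur["ip"]),
                                 cur["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for user, vpn_ip, leaked_ip, ts in find_vpn_dropouts(parse_log(SAMPLE_LOG)):
        print(f"{ts} {user}: VPN exit {vpn_ip} -> non-VPN address {leaked_ip}")
```

The same check works on any log source that keeps a per-request source address (code hosting, SSO, bastion hosts). Note the dependency it has on log integrity: the article's point that the attacker altered logs from inside the network means a detection like this is only as good as the copy of the log that the attacker could not reach, so the source addresses should be forwarded to an append-only store the account under investigation cannot write to.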

From bad, to worse, to even worse than that

A visit from law enforcement might deter most people from further antics. If it were me, I’d cut my losses and keep a very low profile. However, this story was made for further antics. The Department of Justice claims the alleged perpetrator posed as a company whistleblower after the FBI had searched his home. This “whistleblower” routine took the form of stories potentially damaging to the Ubiquiti Networks organisation.

This is, frankly, an astonishing chain of events, especially considering this hack had such a big impact on the company’s stock. It remains to be seen what, exactly, would drive someone to this sort of self-destructive cavalcade of disaster. For now, you’ll have to make do with the indictment (PDF).

When insiders attack

We’ve talked about the harms caused by insider threats many times on this blog. Problems can arise from disgruntled employees who’ve gone past the point of no return with scores to settle. Ex-employees who didn’t have their access to systems revoked can be a problem. Even the humble printer can become a battleground for keeping certain types of special paper out of easy reach. Even the FBI aren’t safe from such events.

It’s not possible to eliminate this issue completely, unfortunately. On the bright side, we can see that even in a case as severe as the Ubiquiti attack, the long arm of the law can catch up with criminals eventually—no matter how well prepared they think they are.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.