Ubiquiti Networks, a technological company that had its headquarters in New York, that produced and marketed equipment related to wireless communications, and that had shares that were traded on the New York Stock Exchange at all periods that were pertinent to the Indictment. NICKOLAS SHARP worked for Ubiquiti Networks from about August 2018 to approximately April 1, 2021. His employment ended on that date. SHARP was a senior developer at the company and had access to the server credentials for Amazon Web Services (“AWS”) and GitHub Inc. (“GitHub”).
In the vicinity of December 2020, SHARP committed many acts of administrative access abuse in order to obtain terabytes of secret material from his workplace. When SHARP accessed Ubiquiti Networks AWS and GitHub infrastructure without authorization, he masked his Internet Protocol (IP) address by using a virtual private network (VPN) service that he had subscribed to from a company known as Surfshark. This service enabled him to conceal his IP address for the majority of the cybersecurity incident that we will refer to hereafter as “the Incident.” During the process of exfiltrating the data from Ubiquiti Networks, SHARP’s home IP address was revealed at one point during a brief interruption in internet service at SHARP’s residence.
In the course of the Incident, SHARP caused damage to Ubiquiti Networks computer systems by modifying log retention rules and other files in an effort to hide the illegal activity he was doing on the network. While working on a team to mitigate the effects of the Incident in or around January 2021, SHARP posed as an unknown attacker and sent a ransom note to Ubiquiti Networks. In the note, SHARP claimed to have gained unauthorized access to Ubiquiti Networks computer networks and demanded a payment in exchange for the data. The ransom note demanded the payment of 50 Bitcoin, a cryptocurrency, which at the time was equivalent to approximately $1.9 million based on the prevailing exchange rate. This payment was to be made in exchange for the return of the data that had been stolen as well as the disclosure of a supposedly hidden “backdoor” or other vulnerability in Ubiquiti Networks computer systems. When Ubiquiti Networks did not comply with the demand, SHARP made a part of the stolen material available on an internet site that was open to the general public.
FBI agents carried out a search warrant at the house of SHARP in Portland, Oregon, on or around March 24, 2021, and took possession of a number of electronic devices that belonged to SHARP as a result of the search. During the course of the execution of that search, SHARP made a number of false statements to FBI agents. These statements included, among other things, in substance, that he was not the perpetrator of the Incident and that he had not used Surfshark VPN prior to the discovery of the Incident. SHARP was arrested and charged with making false statements to federal agents. When confronted with records showing that SHARP purchased the Surfshark VPN service in July 2020, approximately six months prior to the Incident, SHARP falsely stated, in part and substance, that someone else must have used his PayPal account to make the purchase. The records showed that the purchase was made approximately six months before the Incident.
Following the execution of the search warrant at SHARP’s house by the FBI several days later, SHARP ordered fake news articles to be published concerning the Incident as well as Ubiquiti Networks reaction to the Incident and associated disclosures. SHARP was responsible for these false news reports. SHARP represented himself in those reports as a confidential whistleblower working for Ubiquiti Networks who had contributed to the investigation and resolution of the Incident. In particular, SHARP made a false accusation that Ubiquiti Networks AWS accounts had been compromised by a hacker who remained anonymous and who had fraudulently obtained root administrator access to Ubiquiti Networks accounts. In point of fact, as SHARP well knew, SHARP had taken Ubiquiti Networks data by using credentials to which he had access in his role as Ubiquiti Networks AWS cloud administrator, and SHARP had used those credentials in an unsuccessful attempt to extort Ubiquiti Networks for millions of dollars. SHARP had used the data in an attempt to blackmail Ubiquiti Networks into paying SHARP millions of dollars.
The Southern District of New York’s US Attorney, Damian Williams, said that Nicholas Sharp pleaded guilty to many federal charges today in Manhattan federal court in connection with a strategy he used to take terabytes of classified data from a publicly traded technology business where he worked (Ubiquiti Networks) in secret. While SHARP was ostensibly trying to fix the security breach that had occurred at Firm-1, the company was blackmailed by SHARP for approximately two million dollars for the return of the data and the discovery of a stated vulnerability that had not yet been fixed. Following this, SHARP re-victimized his employer by instigating the release of fraudulent news pieces regarding the company’s treatment of the breach that he had committed. These articles were followed by the loss of nearly $4 billion in market value for Ubiquiti Networks. In front of United States District Judge Katherine Polk Failla, SHARP entered a guilty plea to the charges of willfully destroying a protected computer, committing wire fraud, and giving false statements to the Federal Bureau of Investigation (“FBI”).
The United States Attorney for the District of Columbia, Damian Williams, was quoted as saying, “Nicholas Sharp’s firm entrusted him with private information that he abused and held for ransom.” To add insult to injury, when Sharp’s ransom demands weren’t satisfied, he responded by forcing bogus news items to be published about the firm. As a direct consequence of his actions, the market valuation of his company dropped by more than $4 billion. The guilty plea that Sharp entered today assures that he will be forced to confront the repercussions of the damaging acts he has taken.
SHARP, age 37, from Portland, Oregon, entered a guilty plea today to one count of delivering a software to a protected computer that deliberately caused harm, one count of wire fraud, and one count of giving false statements to the FBI. All three charges stem from the same incident. A cumulative maximum term of 35 years in prison may be imposed for these crimes.
The maximum possible punishments are those that have been specified by Congress. These sentences are presented here for informative reasons only, since the court will ultimately decide the defendant’s sentence in every case.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.