By Dr Tristan Jenkinson
I have worked on a large number of intellectual property theft and trade secret theft cases (typically referred to as IP theft cases), where employees have stolen confidential data from their employers. Often this is for potential future use – particularly when leaving to join a competitor, or looking to set up their own company in competition.
Some IP theft cases have additional factors that can make them stand out from others. For example where a new employer or third party may have offered encouragement or financial reward, adding a corporate espionage angle, or where state actors may be involved and there are potential geopolitical aspects, or even national security issues to consider.
Last week, an IP theft case in the news caught my eye. Nickolas Sharp was sentenced to six years in relation to stealing data from his employer. The aspect that made this matter more remarkable than others was the usage of the data. While it is not unusual to see stolen data being used to set up new companies in competition, or to gain an advantage at a competitor, the usage here was unusual. Sharp stole the data, and then used it to extort his employers – posing as a hacker who had breached their IT systems and demanding a ransom of nearly $2m to return the data and provide details of the security exploit used to commit the breach. Using his position, Sharp was also able to become part of the team investigating the very data breach that he had executed.
When the company refused to pay the ransom, Sharp published some of the stolen data online. After falling under suspicion, and having his home searched by the FBI, Sharp took a further step: posing as a whistleblowing insider, he made false claims about the response to the breach. Sharp’s claims led to derogatory media reports (including a series of articles on Brian Krebs’ krebsonsecurity.com site, over which Ubiquiti sued Krebs for defamation and which were subsequently removed), after which $4 billion was wiped off the value of the company.
While Sharp was sentenced this week, as you would expect the matter has been going on for some time. The original theft of data occurred in (or around) December 2020 with the ransom demand being sent in January 2021. The US Attorney’s Office reported that Sharp was indicted (by a Grand Jury) on 1 December 2021. The indictment itself provides a lot of information on the case. Sharp ultimately pleaded guilty in February.
While Sharp’s employers are not named by the US Attorney’s Office (they refer only to “Company-1”), it has been widely reported that this was Ubiquiti (formerly Ubiquiti Networks); see, for example, coverage from The Register and from Ars Technica.
Many of the articles which have been published talk about Sharp’s use of a VPN (Virtual Private Network) in order to hide his online identity when exfiltrating data, highlighting that he was caught because of an internet outage where the VPN did not connect swiftly enough to avoid exposing Sharp’s personal IP address (a unique online address used to identify a specific device on the internet).
While the exposed IP address was certainly key to Sharp’s indictment, it was not the only reason that he was caught. The indictment and the sentencing document provide additional details, with a little more background on Sharp’s scheme, how it was perpetrated, and indications of how he was caught.
There are a number of incidents, acting as trails of breadcrumbs, all leading to Sharp’s involvement.
Breadcrumbs – VPN
As noted above, Sharp used a VPN to disguise his identity during the scheme. The VPN used was Surfshark (noted as number 2 in a recent listing of VPNs used by hackers).
Sharp was found to have purchased a long-term (27 month) subscription to Surfshark in July 2020, paying with his personal PayPal account. When he was later asked about this by the FBI, Sharp claimed that someone else must have used his PayPal account to buy the software. This did not tally with the fact that, after purchase, Sharp had downloaded the Surfshark VPN software onto multiple devices, including his mobile phone.
Breadcrumbs – linking personal access to hidden access
Ubiquiti stored code and development files on GitHub (an online storage platform designed for hosting software code). This storage included the code itself, as well as the version histories. As a senior developer, Sharp had access to all, or nearly all the data stored by Ubiquiti on GitHub (as well as other data stored on AWS).
On 10 December 2020 Sharp used his own Ubiquiti login to access a key stored on the Ubiquiti AWS servers. This access was without using a VPN, and Sharp’s home IP address, identifying the specific device used, was logged, in addition to the use of his personal Ubiquiti login.
Just two minutes after accessing the key using his own account details from an unprotected machine, Sharp used the Surfshark VPN to connect to the Ubiquiti AWS servers, using the key accessed from his account just minutes before to run commands, apparently hiding his identity behind the VPN.
This was not the only time that Sharp would use access that could be traced to him to obtain information, then immediately use the VPN to make use of that information, apparently while hidden.
On 21 December 2020 Sharp used his work account to log into the Ubiquiti GitHub data, viewing the names of repositories of data stored there.
One minute later, the GitHub data was accessed by an account protected by the Surfshark VPN, using credentials shared by a number of Ubiquiti developers, Sharp included. The connection used the names of the repositories stored on GitHub to take copies of the data stored there, exfiltrating this to Sharp’s personal storage.
Breadcrumbs – a break in exfiltration and an apparent VPN failure
On 22 December 2020 at approximately 2:16am, the commands running exfiltration of data from the GitHub repositories stopped.
Around the same time, the internet connection at Sharp’s home went down.
At approximately 2:54am, the internet connection at Sharp’s home was restored. Apparently before the VPN had reconnected, a connection was made from Sharp’s home to the GitHub account without VPN protection, logging Sharp’s home IP address sending commands to copy the data from the GitHub repositories. Shortly afterwards the VPN was back in place.
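The two breadcrumbs above (a secret fetched under a named login and used minutes later from a VPN exit address, and a shared credential whose source IP briefly flips to an address already tied to a named user) are the kind of pattern a log-correlation check can surface. The following is an added Python example, not code from the post or the investigation; the log format, user names, key names and IP addresses are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample access log (not from the case): time, principal, source IP,
# action, object. "alice" is a named login; "key-A"/"key-B" are shared credentials.
SAMPLE_LOG = """\
2020-12-10T21:00:00 alice 203.0.113.10 GetSecret key-A
2020-12-10T21:02:00 key-A 198.51.100.7 RunCommand prod-host
2020-12-21T23:10:00 alice 203.0.113.10 ListRepos org
2020-12-21T23:11:00 key-B 198.51.100.9 CloneRepo repo-1
2020-12-22T02:15:00 key-B 198.51.100.9 CloneRepo repo-2
2020-12-22T02:54:00 key-B 203.0.113.10 CloneRepo repo-3
2020-12-22T02:57:00 key-B 198.51.100.9 CloneRepo repo-4
"""

def parse_log(text):
    """Parse whitespace-separated lines into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, who, ip, action, obj = line.split()
        events.append({"t": datetime.fromisoformat(ts), "who": who,
                       "ip": ip, "action": action, "obj": obj})
    return sorted(events, key=lambda e: e["t"])

def credential_handoffs(events, window=timedelta(minutes=5)):
    """A named login fetches a secret from IP X and the secret is then used from a
    different IP inside the window. Returns (user, secret, fetch_ip, use_ip, mins)."""
    hits = []
    for i, e in enumerate(events):
        if e["action"] != "GetSecret":
            continue
        for later in events[i + 1:]:
            if later["t"] - e["t"] > window:
                break
            if later["who"] == e["obj"] and later["ip"] != e["ip"]:
                mins = (later["t"] - e["t"]).total_seconds() / 60
                hits.append((e["who"], e["obj"], e["ip"], later["ip"], mins))
    return hits

def source_ip_changes(events):
    """For each shared credential, flag every change of source IP mid-stream and
    name the logins previously seen from the new IP (the VPN-drop pattern)."""
    owners, last, hits = {}, {}, []
    for e in events:
        if not e["who"].startswith("key-"):
            owners.setdefault(e["ip"], set()).add(e["who"])  # IP -> named logins
        prev = last.get(e["who"])
        if prev and prev != e["ip"]:
            hits.append((e["who"], e["t"].isoformat(), prev, e["ip"],
                         sorted(owners.get(e["ip"], ()))))
        last[e["who"]] = e["ip"]
    return hits
```

Run against the sample, the first check ties key-A's VPN-sourced use back to alice's fetch two minutes earlier, and the second reports that key-B's 02:54 connection came from an address previously seen only with alice's own login.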
Breadcrumbs – suspicious questions
On 23 December 2020, Sharp sent a message to a senior colleague at Ubiquiti, asking if an internal employee at Ubiquiti would be able to claim a “bug bounty” for finding vulnerabilities or discovering lost credentials. The colleague thought that the messages were suspicious, and ensured that they were preserved.
Breadcrumbs – the ransom email
The sentencing document explains that the ransom email sent to senior employees at Ubiquiti “was sent through an IP address associated with the Surfshark VPN”. Taken together with Sharp’s purchase of Surfshark and his use of the VPN described above, this again links Sharp to the ransom email.
The above discusses some of the points that led back to Sharp, but it is worth pointing out that, while there was evidence identifying him, Sharp had taken steps to try to cover his tracks. These included changing log retention policies to ensure that logs of his actions would not be retained and, worse, editing some logs to remove references to himself and replace them with references to other members of staff, suggesting that they were using the key that he was using for access and placing them under suspicion.
After learning that the FBI were investigating, Sharp wiped the laptop that he used to run the exfiltration, though he kept the machine. The existence of the machine was identified by analysis of Sharp’s router, and it was later seized by the FBI.
This is certainly an interesting case, with an unusual spin on the usage of stolen company data. Given the effect on the company (a $4 billion loss of market capital), the sentence of six years may seem a little short. Indeed, the prosecutors were seeking 8-10 years. Sharp himself tried to gain leniency by claiming that his crimes were an “unsanctioned security drill” which improved Ubiquiti’s cyber security.
The additional step of acting as a supposed whistleblower (mis)reporting on the data breach is also an interesting one. Ubiquiti sued Brian Krebs to have his articles removed, which in itself has some interesting aspects, though beyond the scope of this article.
As an investigator it is always interesting (and satisfying) to read about cases where the perpetrator was found, and the case proven. With the potential of new technology lending itself to criminal activity, there is hope that this use of that technology continues to leave traces for investigators to follow.