Textbook “insider threat” - DOJ indicts NICKOLAS SHARP over the January 2021 Ubiquiti ransom - deep dive
“…A Former Employee Of Technology Company Charged With Stealing Confidential Data And Extorting Company For Ransom While Posing As Anonymous Attacker” - your STATIC IP gave you away… dolt
What is an “Insider Threat,” and why this indictment matters, a lot.
See what happens when I start my week off with my serious RBF and witty retorts (“clear your schedule, you made this mess and the cleaning crew is here”), all while casting a “laser beams are shooting out of my eyes” kind of side look. And then, like magic, the 3 pages are ‘86’d from the 4th Amendment. I gave them until today at 11AM and, like clockwork, at 11:02AM the LIS system noted a deletion of the previous amendment… which means a very happy client and Filey… and frees up my otherwise busy schedule. As many of you might have read, on December 1, 2021 the USAO-SDNY made a low-key announcement.
CISA frames an “insider threat” as an individual who uses knowledge of, and access to, their employer’s network and other resources to harm the organization:
…The Cybersecurity and Infrastructure Security Agency (CISA) defines insider threat as the threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the Department’s mission, resources, personnel, facilities, information, equipment, networks, or systems…
In simpler terms, an “insider threat” is often only identified after the fact as an employee or former employee, disgruntled or not, who engaged in malicious or harmful behavior.1 Also of note, CISA breaks insider threats into “types,” principally classified in the following categories:
Unintentional Threats
Negligence – An insider of this type exposes an organization to a threat through carelessness. Negligent insiders are generally familiar with security and/or IT policies but choose to ignore them, creating risk for the organization.
Examples include allowing someone to “piggyback” through a secure entrance point, misplacing or losing a portable storage device containing sensitive information, and ignoring messages to install new updates and security patches.
Accidental – An insider of this type mistakenly causes an unintended risk to an organization. Organizations can successfully work to minimize accidents, but they will occur; they cannot be completely prevented, but those that occur can be mitigated.
Examples include mistyping an email address and accidentally sending a sensitive business document to a competitor, unknowingly or inadvertently clicking on a hyperlink, opening an attachment that contains a virus within a phishing email, or improperly disposing of sensitive documents.
Intentional Threats
Intentional threats are actions taken to harm an organization for personal benefit or to act on a personal grievance. The intentional insider is often synonymously referenced as a “malicious insider.” The motivation is personal gain or harming the organization.
For example, many insiders are motivated to “get even” due to unmet expectations related to a lack of recognition (e.g., promotion, bonuses, desirable travel) or even termination.
Their actions include leaking sensitive information, harassing associates, sabotaging equipment, or perpetrating violence. Others have stolen proprietary data or intellectual property in the false hope of advancing their careers.
Other Threats
Collusive Threats – A subset of malicious insider threats is collusive threats, where one or more insiders collaborate with an external threat actor to compromise an organization. These incidents frequently involve cybercriminals recruiting an insider or several insiders to enable fraud, intellectual property theft, espionage, or a combination of the three.
Third-Party Threats – Additionally, third-party threats are typically contractors or vendors who are not formal members of an organization, but who have been granted some level of access to facilities, systems, networks, or people to complete their work. These threats may be direct or indirect threats.
Direct threats are individuals who act in a way that compromises the targeted organization.
Indirect threats are generally flaws in systems that expose resources to unintentional or malicious threat actors.
A few real-world examples of who could be an actual “insider threat” (CISA’s subcategories):
A person the organization trusts, including employees, organization members, and those to whom the organization has given sensitive information and access.
A person given a badge or access device identifying them as someone with regular or continuous access (e.g., an employee or member of an organization, a contractor, a vendor, a custodian, or a repair person).
A person to whom the organization has supplied a computer and/or network access.
A person who develops the organization’s products and services; this group includes those who know the secrets of the products that provide value to the organization.
Additional examples of insiders whose actions could result in theft of intellectual property, unjust enrichment (think insider trading) and other harm or damage:
A person who is knowledgeable about the organization’s fundamentals, including pricing, costs, and organizational strengths and weaknesses.
A person who is knowledgeable about an organization’s short and long term business strategies and goals, entrusted with future plans, or the means to sustain the organization and provide for the welfare of its people.
In the context of government functions, the insider can be a person with access to protected information, which, if compromised, could cause damage to national security and public safety.
…Insider threats present a complex and dynamic risk affecting the public and private domains of all critical infrastructure sectors. This section provides an overview to help frame the discussion of insiders and the threats they pose; defining these threats is a critical step in understanding and establishing an insider threat mitigation program…
In the event you opted for the TL;DR approach, here’s a link to CISA’s video; it’s about 30 minutes long but worth watching… or you can view this 2-minute video…
Ubiquiti data breach orchestrated by Nickolas Sharp, a “trusted insider” - DOJ arrests Defendant Sharp
On December 1, 2021 the DOJ-OPA and USAO-SDNY announced the arrest of NICKOLAS SHARP. In the redacted indictment, prosecutors allege that Defendant SHARP secretly stole gigabytes of confidential files from a New York-based technology company where he was employed (“Company-1”). Defendant Sharp was a “senior software engineer,” and he had credentialed access to servers at third-party vendors, like AWS and GitHub, which hosted some of the confidential data.
The January 2021 Ubiquiti data breach was widely reported, but it was the March 2021 Krebs-On-Security piece, Whistleblower: Ubiquiti Breach “Catastrophic”, that gave the public a momentary peek behind the curtain to understand the totality of the Ubiquiti breach… at least according to an anonymous Ubiquiti whistleblower.
🌶🗃 Spoiler - I want you to pay very close attention to the language in the Sharp indictment and then ask me if I think Sharp was the “anonymous whistleblower”… my retort is: read the last 3 sentences of page 2 and pages 8 through 12, but specifically paragraph 26 of the indictment. Prosecutors also allege that Defendant SHARP was tasked with remediating the security breach while simultaneously attempting to extort his employer for $2 million to return the very same files he stole.
Defendant Nickolas Sharp Redacted-Indictment: a highlighted and annotated copy of the redacted indictment can be found on my Scribd account.
Charges in the Indictment
Count One: Computer Fraud and Abuse - Intentionally Damaging Protected Computers, in violation of 18 U.S.C. §§ 1030(a)(5)(A), 1030(c)(4)(B)(i), 1030(c)(4)(A)(i)(I) and 2
Count Two: Transmission of Interstate Communications with Intent to Extort, in violation of 18 U.S.C. § 875(d) and 2
Count Three: Wire Fraud, in violation of 18 U.S.C. § 1343 and 2
Count Four: Making False Statements, in violation of 18 U.S.C. § 1001 and 2
If Defendant Sharp is found guilty on all counts, he faces a maximum of 37 years in prison. So it shouldn’t be a surprise if, in the coming months, there’s a plea agreement.
…SHARP subsequently re-victimized his employer by causing the publication of misleading news articles about the company’s handling of the breach that he perpetrated, which were followed by a significant drop in the company’s share price associated with the loss of billions of dollars in its market capitalization.
…SHARP sent a ransom note to Company-1, posing as an anonymous attacker who claimed to have obtained unauthorized access to Company-1's computer networks. The ransom note sought 50 Bitcoin, a cryptocurrency, which is the equivalent of approximately $1.9 million based on the prevailing exchange rate at the time, in exchange for the return of the stolen data and the identification of an existing "backdoor,"…
Not a viable whistleblower…
It is really easy for me to criticize the mainstream media, but allow me to explain why this “anonymous whistleblower” turned out to be a really uncomfortable example of how the MSM didn’t vet their source.
Remember how I previously alluded to the Ubiquiti “anonymous whistleblower” (here, here, and here)? From March to May 2021 the tech news published countless stories about what the anonymous whistleblower accused Ubiquiti of: a “catastrophic breach”… “covering up how bad the data breach was”… read more here.
…the malicious actors responsible for the security incident actually targeted the company and succeeded in gaining read/write access to its databases hosted by Amazon Web Services (AWS)—the alleged “third party” in this story.
…the attacker came into possession of all S3 data buckets, application logs, user database credentials and secrets required to forge Single Sign-On (SSO) cookies, the whistleblower explained in their record
I now draw your attention to the last paragraph on page 2 of the indictment (see SDNY-ECF 2), or view it via Defendant Nickolas Sharp Redacted-Indictment:
…After Company-1 refused the demand, SHARP published a portion of the stolen files on a publicly accessible online platform. SHARP subsequently engaged in a media campaign to malign Company-1's response and disclosures related to the Incident, while concealing his own role, causing Company-1 to lose billions of dollars in market capitalization value.
Prosecutors then lay out how Defendant Sharp planned his attack, through numerous overt acts, and inserted himself into the remediation team’s efforts to find the source of the breach:
July 7, 2020: NICKOLAS SHARP, the defendant, used his personal PayPal, Inc. account to purchase a 27-month subscription to Surfshark VPN.
December 10, 2020 at 3:16AM: the Defendant used his own Company-1 credentials to access a particular key (the "Key") on Company-1's infrastructure through AWS servers.
December 10, 2020 at 3:18AM: “the attacker connected to Company-1's AWS infrastructure using a masked IP provided by the Surfshark VPN. The attacker used the same Key accessed by NICKOLAS SHARP, the defendant, two minutes earlier to connect to AWS and to run a command "getcalleridentity."”
December 21, 2020 at approximately 9:58PM: NICKOLAS SHARP, the defendant, logged into Company-1's GitHub infrastructure via a web browser, using his own Company-1 work…
About one minute later, at 9:59PM, prosecutors allege that Defendant Sharp used the Surfshark VPN, which masked his true IP address, to connect to GitHub over SSH using Company-1's high-level GitHub Account-1.2 SHARP used the SSH connection to execute a series of commands to clone Company-1's repositories of data to SHARP's computer.
December 22, 2020 at approximately 2:55AM: GitHub Account-1 received a command to clone another repository from the Sharp IP associated with the Sharp Residence.
Approximately nine minutes later, the clone commands from GitHub Account-1 continued, once again masked by the Surfshark VPN.
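For the defenders reading along: the “getcalleridentity” in the indictment is the STS GetCallerIdentity call, which tells whoever holds a credential which account and principal it belongs to; it is the first thing an attacker runs to confirm a freshly acquired key still works. What the timeline above hands a SOC is a simpler signal, though: the same Key used from Sharp’s own login and then from a VPN exit two minutes later, and the same GitHub account cloning from a VPN IP, a residential IP and the VPN IP again within nine minutes. The script below is an added example written for this post; it is not code from the indictment, from Ubiquiti or from Company-1. It flags one principal (an AWS access key or a GitHub account) appearing from two different source IPs inside a short window and labels whether the hop crosses the organisation’s recognised egress ranges. The log records, IP addresses (RFC 5737 documentation ranges), key IDs, the `CORP_RANGES` list and all field names are constructed for illustration; real CloudTrail and GitHub audit-log schemas differ.

```python
"""Flag one credential used from two source IPs within a short window.

Added example for this post (not from the indictment, the author, or
Ubiquiti). Every record, IP, key id and field name here is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime        # event time, assumed UTC
    source: str         # "aws" or "github"
    principal: str      # AWS access key id, or GitHub account name
    src_ip: str
    action: str


@dataclass(frozen=True)
class Finding:
    source: str
    principal: str
    first: AuthEvent
    second: AuthEvent
    kind: str           # see classify()

    @property
    def gap_minutes(self) -> float:
        return (self.second.ts - self.first.ts).total_seconds() / 60


# Hypothetical: egress ranges the organisation recognises (office, managed VPN).
# 203.0.113.0/24 is an RFC 5737 documentation range used as a stand-in.
CORP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log shaped like the indictment's timeline, not real data.
SAMPLE_EVENTS = [
    AuthEvent(datetime(2020, 12, 10, 3, 16), "aws", "AKIAEXAMPLE0000000001", "203.0.113.10", "GetSecretValue"),
    AuthEvent(datetime(2020, 12, 10, 3, 18), "aws", "AKIAEXAMPLE0000000001", "198.51.100.77", "GetCallerIdentity"),
    AuthEvent(datetime(2020, 12, 21, 21, 58), "github", "account-1", "203.0.113.10", "web.login"),
    AuthEvent(datetime(2020, 12, 21, 21, 59), "github", "account-1", "198.51.100.23", "git.clone"),
    AuthEvent(datetime(2020, 12, 22, 2, 55), "github", "account-1", "192.0.2.44", "git.clone"),
    AuthEvent(datetime(2020, 12, 22, 3, 4), "github", "account-1", "198.51.100.23", "git.clone"),
    AuthEvent(datetime(2020, 12, 22, 9, 0), "aws", "AKIAEXAMPLE0000000002", "203.0.113.10", "ListBuckets"),
]


def is_corp_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_RANGES)


def classify(prev: AuthEvent, cur: AuthEvent) -> str:
    """Label an IP hop by whether it leaves or re-enters recognised egress."""
    a, b = is_corp_ip(prev.src_ip), is_corp_ip(cur.src_ip)
    if a and b:
        return "corp_to_corp"          # e.g. office to managed VPN; usually benign
    if a and not b:
        return "corp_to_external"      # key reused from outside the org: theft or pivot
    if not a and b:
        return "external_to_corp"      # an unrecognised egress followed by a known one
    return "external_to_external"      # two unrecognised exits, e.g. a VPN dropping
                                       # and exposing the real address, then resuming


def find_ip_pivots(events, window_minutes: int = 15) -> list:
    """Group events per (source, principal), sort by time and flag consecutive
    events from different source IPs that are no more than window_minutes apart."""
    window = timedelta(minutes=window_minutes)
    by_principal = defaultdict(list)
    for e in events:
        by_principal[(e.source, e.principal)].append(e)
    findings = []
    for (source, principal), evs in by_principal.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            if prev.src_ip != cur.src_ip and cur.ts - prev.ts <= window:
                findings.append(Finding(source, principal, prev, cur, classify(prev, cur)))
    return findings


if __name__ == "__main__":
    for f in find_ip_pivots(SAMPLE_EVENTS):
        print(f"{f.source}:{f.principal} {f.first.src_ip} -> {f.second.src_ip} "
              f"in {f.gap_minutes:.0f} min ({f.first.action} then {f.second.action}) [{f.kind}]")
```

Run against the sample it reports three hops: the AWS key moving from the recognised range to an external IP in two minutes (with GetCallerIdentity as the second action), the GitHub account doing the same in one minute, and the external-to-external hop nine minutes apart that corresponds to the residential IP appearing between two VPN sessions. Only adjacent events are compared, so the window length decides how much is caught; widening it to a few hours also flags the overnight gap between the 9:59PM and 2:55AM clones.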
Remember how I said that the widely lauded anonymous whistleblower/source was Defendant Sharp? Well, that’s not me pulling that uncomfortable fact out of thin air; it is literally in the redacted indictment. See paragraph 26, which reads in part:
…SHARP caused false or misleading news stories to be published about the Incident and Company-1's disclosures and response to the Incident. SHARP identified himself as an anonymous source within Company-1 who had worked on remediating the Incident. In particular, SHARP pretended that Company-1 had been hacked by an unidentified perpetrator who maliciously acquired root administrator access [to] Company-1's AWS accounts.
And lastly, I know that some of my readers understand why I consistently point out “MJ” (magistrate judge) cases alongside, or in conjunction with, a criminal complaint or indictment. For example:
United States v. Sharp, 3:21-mj-00223, U.S. District Court for the District of Oregon - see DOR-ECF for the MJ case docket report, or you can pull down the recently run docket report from my Scribd account.
November 30, 2021 (DOCUMENT FILED UNDER SEAL), Documents Received From Other Court as to Nickolas Sharp from Southern District of New York Case No: 21-cr-714 Initial Appearance is set for 12/1/2021 at 01:30PM in Portland by videoconference before Magistrate Judge John V. Acosta.
December 1, 2021 Minutes of Proceedings: Initial Appearance pursuant to Rule 5(c)(3) for Arrest in Our District Offense in Another. Proceedings before Magistrate Judge John V. Acosta as to Nickolas Sharp.
Defendant waived an in-person appearance and consented to appear by video from USM Lockup.
Defendant waived preliminary/identity hearing. Defendant advised of rights and waived reading of the charges.
Order Appointing Counsel: Attorney Ryan Costello is appointed to represent Defendant for today's purposes.
Defendant has hired private counsel for other proceedings.
ORDER - Defendant is released on conditions. (See separate order.) Conditions of notification to employer and monitoring of employer's devices are STAYED.
Defendant and retained counsel are to confer regarding these conditions and are to notify this Court of their position on these issues no later than noon on Monday, December 6, 2021.
December 1, 2021 - Order Setting Conditions of Release as to Defendant Nickolas Sharp. Signed on 12/1/2021 by Magistrate Judge John V. Acosta -see DOR-ECF link or via my Scribd Account
So for now you should mark December 6, 2021 in your calendar, because that’s the deadline set in the last docket entry. But, to be clear, the main criminal case is styled as:
United States v. SHARP, Criminal Case Number 1:21-cr-00714. This case is being prosecuted by the USAO-SDNY; here’s an open-source link to this case, but you’ll notice that RECAP doesn’t have any of the filings uploaded, so you have to buy them from PACER ← I can’t wait to stop paying for filings. I mean, if you really think PACER is expensive then you’ve clearly never used Westlaw or LexisNexis.
And lastly your daily dose of calm…
1. “This threat can manifest as damage to the Department through the following insider behaviors: Espionage, Terrorism, Unauthorized disclosure of information, Corruption, including participation in transnational organized crime, Sabotage, Workplace violence, Intentional or unintentional loss or degradation of departmental resources or capabilities…” Last accessed December 1, 2021: https://www.cisa.gov/defining-insider-threats
2. I personally prefer to obtain the indictment via ECF because, as you’ll note, there’s a Bates header, whereas the DOJ-OPA link doesn’t have one.
Well dissected - working on my own piece on this one ... GREED and HUBRIS appear to be the motivation
Cyber embezzlement blackmail… this is some serious hubris for Sharp to try to extort a company he worked for, then blame it on hackers and then pretend to be a whistleblower. WTAF??
What does he look like? His LinkedIn profile had been removed.