For Hire: Ex-Ubiquiti Developer Charged With Extortion

Dismissed: Ubiquiti's Related Defamation Lawsuit Against Journalist Brian Krebs
For Hire: Ex-Ubiquiti Developer Charged With Extortion
Archived copy of defendant Nickolas Sharp's now-deleted LinkedIn page

Would you trust an IT professional accused of computer crimes?

See Also: Ransomware Response Essential: Fixing Initial Access Vector

That's the challenge posed by one man to two different entities: Australian software development firm Atlassian and cybersecurity blogger Brian Krebs. Atlassian apparently has yet to render a verdict. Krebs has said a belated "no" after seemingly falling into the accused hacker's trap and helping erase billions in market capitalization of networking manufacturer Ubiquiti Inc.

The man behind the conundrum is one Nickolas Sharp, arrested on Dec. 1, 2021, in Portland, Oregon, by federal law enforcement. A four-count indictment in the U.S. Southern District of New York accuses Sharp of stealing gigabytes of data from Ubiquiti - named in court documents only as "Company-1." Sharp's now-deleted LinkedIn page states he worked as a "cloud lead" for Ubiquiti Networks from August 2018 to March 2021. Ubiquiti in a separate lawsuit has stated that Sharp was "the Ubiquiti employee that was behind the cyberattack."

Out on a $750,000 bond secured by his parents' Arizona home, Sharp faces nearly four decades of prison time if found guilty in a trial set to begin Feb. 27.

In the meantime, he's received a job offer.

In an Aug. 18 court filing, Sharp's attorney says his client landed a job with development and collaboration software company Atlassian and requests that the defendant be granted permission "to be gainfully employed at Atlassian during the pendency of our case."

"He would be employed as a 'solutions architect.' He will not be coding," his attorneys say. He would use a workstation with mobile device management controls enabled that include temporarily disconnecting any device that deviates from Atlassian standards.

What Sharp might do with unfettered access to a laptop is the subject of criminal proceedings. While at Ubiquiti, Sharp allegedly attempted to extort the company for 50 bitcoins in return for gigabytes of data he downloaded using administrative access privileges. After the publicly traded company refused to pay a ransom then amounting to $1.9 million, he allegedly went public with a chunk of the files - and planted false stories in the media exaggerating the scope of the breach, causing Ubiquiti's stock to plummet. During that time, Sharp was part of the internal breach remediation team.

The media outlet caught up the most in Ubiquiti coverage was Krebs on Security, which published a March 2021 scoop featuring an alleged whistleblower accusing Ubiquiti of downplaying the breach's severity.

Ubiquiti hotly contested the article, telling users that "we have well-developed evidence that the perpetrator is an individual with intricate knowledge of our cloud infrastructure."

It proceeded to sue Krebs in federal court on March 29, accusing the journalist of doubling down on the false whistleblower narrative despite Sharp's unsealed indictment demonstrating that the Ubiquiti whistleblower and Ubiquiti hacker were one and the same. Krebs wrote about the indictment but took to Twitter to insist that the facts of his March 2021 piece were correct. "Despite overwhelming facts showing that his reporting is pure fiction, Krebs has refused to retract or correct his disinformation campaign against Ubiquiti," the company's complaint says

Defamation Lawsuit: Dismissed

On the question of whether to trust Sharp, Krebs has apparently had a change of heart.

As of Wednesday, links to his previous stories now resolve to a different message.

"As a result of the new information that has been provided to me, I no longer have faith in the veracity of my source or the information he provided to me," Krebs now says. "My sole source for that reporting was the person who has since been indicted by federal prosecutors for his alleged wrongdoing."

Court filings show that Krebs on July 18 signed a settlement term sheet, and on Aug. 2, Ubiquiti transmitted a draft of the settlement agreement back.

A Thursday filing shows the two parties agreed to dismiss the complaint "with prejudice." Whether Krebs and Ubiquiti executed a settlement is unknown.

Krebs didn't respond to a request for comment about whether his source was indeed Sharp - as Ubiquiti clearly alleges in its defamation lawsuit against him - or whether the removal of the blog posts was either due to a settlement agreement or intent to show good will as settlement negotiations proceed.

Ubiquiti also didn't respond to a request for comment.

Meanwhile, the case against Sharp continues.

Sharp Seeks Gainful Employment

Sharp receives unemployment benefits from Oregon while his case continues, and the state obliges him "to continually apply for jobs," his attorney wrote. Federal prosecutors say they're not necessarily opposed to modifying his bail conditions, but they don't think Sharp has been fully forthcoming with Atlassian.

"It appears that the defendant did not explicitly make his new employer aware of the indictment and the specific nature of the charges detailed therein," prosecutors wrote in an Aug. 18 rejoinder.

If Sharp is going to be given access to company data, the company in question should know what it's getting into, prosecutors say.

U.S. District Judge Katherine Polk Failla deferred a ruling until attorneys on both sides of the case can agree on what Sharp should be required to tell his employer.

Atlassian didn't immediately respond to a request for comment, including if it was aware of the charges against Sharp when the alleged job offer was extended to him.

Whether or not it will trust Sharp appears to be an open question, for the moment.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing paymentsecurity.io, you agree to our use of cookies.