Ubiquiti Insider Whistleblower: The Breach Was Worse Than the Company Admitted
A security professional at Ubiquiti who helped handle an incident turned out to be the attacker himself — having used his privileged access to steal data and then extort the company. He later posed as a whistleblower to mislead journalists.
Background
Ubiquiti Networks disclosed a breach in January 2021. The disclosure described the breach as a third-party cloud provider issue and characterised it as modest in impact. The company's share price dropped but recovered. In March 2021, a whistleblower emerged claiming the breach was far more severe than disclosed.
The Attack
The "whistleblower" — security engineer Nickolas Sharp — had actually been the attacker. Sharp had used his privileged access to Ubiquiti's AWS and GitHub systems to steal gigabytes of data and then plant backdoors. He sent an extortion demand for 50 Bitcoin ($1.9 million). When Ubiquiti declined to pay, he leaked some data to journalist Brian Krebs at Krebs on Security, posing as a whistleblower concerned about Ubiquiti's inadequate response. The FBI traced the attack to Sharp's home IP address — he had briefly disconnected his VPN during the operation, revealing his real location.
Response
The FBI arrested Sharp in December 2021. He pleaded guilty in 2022. Ubiquiti's share price had fallen 20% based on the false whistleblower reports. Sharp was sentenced to six years in prison in 2023. Ubiquiti updated its disclosure to reflect the actual breach scope.
Outcome
The case illustrated that insiders with privileged access can both commit the crime and lead the "response" — concealing their involvement while continuing to use that access. Sharp's brief VPN slip was the only technical error. The manipulation of security journalism via false whistleblowing is a novel attack technique with significant reputational impact.
Key Takeaways
- Insider investigations must include the security team members handling the response — they are not automatically above suspicion
- VPN usage logs, correlated with the source IP addresses recorded in cloud infrastructure audit trails, are essential for attribution
- Privileged access changes (IAM role modifications, key creation) during an incident investigation should be immediately reviewed
- Journalists should be aware that 'whistleblower' sources in security breach stories may have ulterior motives
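The two technical takeaways above (correlating VPN session logs with cloud audit trails, and reviewing privileged-access changes during an investigation) can be turned into a simple review script. The following is an added example written for this page, not code from Ubiquiti or from the investigation; the audit records, VPN sessions, user names ("alice", "bob") and the VPN egress range are all constructed, and the JSON field names only imitate the shape of a cloud audit log (an assumption, not a specific vendor's format). It flags sensitive IAM events and any event whose source IP falls outside the VPN egress range, and for those it checks whether the actor had an active VPN session at the time, which is exactly the gap that revealed a home IP in this case.

```python
"""Correlate cloud audit-trail events with VPN session logs.

Flags privileged-access changes (key creation, IAM policy/role edits) and any
event whose source IP lies outside the corporate VPN egress range; for the
latter it also checks whether the actor had an active VPN session at that
moment. All data below is constructed sample data (assumption: field names
resemble a generic cloud audit log, not a specific product's schema).
"""
import ipaddress
import json
from datetime import datetime, timezone

# Assumed corporate VPN egress range (constructed, RFC 5737 documentation net).
VPN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Event names treated as privileged-access changes needing immediate review.
SENSITIVE_EVENTS = {
    "CreateAccessKey", "CreateUser", "CreateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutRolePolicy", "UpdateAssumeRolePolicy",
}

# Constructed VPN session log: (user, session start, session end), UTC.
# Note the three-minute gap in bob's VPN coverage between 14:02 and 14:05.
VPN_SESSIONS = [
    ("alice", "2021-01-11T13:00:00Z", "2021-01-11T18:00:00Z"),
    ("bob", "2021-01-11T13:30:00Z", "2021-01-11T14:02:00Z"),
    ("bob", "2021-01-11T14:05:00Z", "2021-01-11T18:00:00Z"),
]

# Constructed audit-trail records, one JSON object per line.
AUDIT_LOG = """
{"eventTime":"2021-01-11T13:10:00Z","eventName":"DescribeInstances","userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2021-01-11T14:03:00Z","eventName":"CreateAccessKey","userIdentity":{"userName":"bob"},"sourceIPAddress":"198.51.100.23"}
{"eventTime":"2021-01-11T14:10:00Z","eventName":"AttachRolePolicy","userIdentity":{"userName":"bob"},"sourceIPAddress":"203.0.113.9"}
{"eventTime":"2021-01-11T15:00:00Z","eventName":"GetObject","userIdentity":{"userName":"alice"},"sourceIPAddress":"203.0.113.7"}
"""


def parse_time(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_vpn_range(ip: str, ranges=VPN_EGRESS) -> bool:
    """True if the source IP belongs to one of the VPN egress networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def vpn_session_active(user: str, when: datetime, sessions=VPN_SESSIONS) -> bool:
    """True if the user had a VPN session covering the given instant."""
    for s_user, start, end in sessions:
        if s_user == user and parse_time(start) <= when <= parse_time(end):
            return True
    return False


def review_events(log_text: str, sessions=VPN_SESSIONS, ranges=VPN_EGRESS) -> list:
    """Return findings for events that need analyst review, with reasons."""
    findings = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        when = parse_time(ev["eventTime"])
        user = ev["userIdentity"]["userName"]
        ip = ev["sourceIPAddress"]
        reasons = []
        if ev["eventName"] in SENSITIVE_EVENTS:
            reasons.append("sensitive_event")
        if not in_vpn_range(ip, ranges):
            reasons.append("source_ip_outside_vpn")
            # An off-VPN IP with no session at that time is the attribution lead.
            if not vpn_session_active(user, when, sessions):
                reasons.append("no_active_vpn_session")
        if reasons:
            findings.append({
                "eventTime": ev["eventTime"],
                "eventName": ev["eventName"],
                "user": user,
                "sourceIP": ip,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_events(AUDIT_LOG):
        print(f"{f['eventTime']} {f['user']:<6} {f['eventName']:<18} {f['sourceIP']:<15} {', '.join(f['reasons'])}")
```

Run against the sample data, the script reports two events: the CreateAccessKey at 14:03 from an address outside the VPN range while bob had no active session (the combination worth escalating, and the source IP to hand to investigators), and the AttachRolePolicy at 14:10, which came through the VPN but is still a privileged change made during the incident window and so gets reviewed on its own merits. The design point is that the list of reviewed actors is derived from the audit trail itself, not from who is on the response team, which is the first takeaway above.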