# Incident Report: Ubiquiti Insider Threat & Extortion Incident
## Executive Summary
In late 2020, a senior developer at Ubiquiti leveraged administrative credentials to exfiltrate gigabytes of sensitive data from the company's AWS cloud infrastructure. The attacker then attempted to extort the company for approximately $2 million (50 BTC) while posing as an anonymous whistleblower. The incident resulted in significant reputational damage, a sharp decline in stock value, and the eventual federal prosecution of the insider.
## Incident Details
- **Discovery Date:** December 2020
- **Incident Date:** December 2020 – March 2021
- **Affected Organization:** Ubiquiti Inc.
- **Sector:** Technology / Hardware / Networking
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** December 2020
- **Vector:** Authorized Administrative Access (Insider Threat)
- **Details:** Nickolas Sharp, a senior developer with cloud administrator privileges, used a VPN (Surfshark) to mask his IP and accessed Ubiquiti's AWS and GitHub environments.
### Lateral Movement
- **Details:** Minimal movement was required as the attacker already possessed high-level administrative credentials to the production environments. He utilized his knowledge of internal systems to navigate between AWS S3 buckets and source code repositories.
### Data Exfiltration/Impact
- **Details:** The attacker cloned hundreds of GitHub repositories and downloaded large volumes of data from AWS S3 buckets. After exfiltrating the data, he altered log retention policies (setting them to 1 day) and modified session logs to hide his presence.
### Detection & Response
- **How it was discovered:** Ubiquiti received an extortion email in late December 2020 from an "anonymous hacker" claiming to have breached their systems and demanding 50 BTC.
- **Response actions taken:** Ubiquiti initiated an incident response investigation, notified law enforcement (FBI), and worked with third-party forensics firms. During a temporary home internet outage, the attacker's true IP address was exposed in log files, linking the "hacker" to Sharp.
## Attack Methodology
- **Initial Access:** Valid Administrative Accounts.
- **Persistence:** Maintaining authorized employee credentials.
- **Privilege Escalation:** Not required (Administrative rights already held).
- **Defense Evasion:** Use of Surfshark VPN to hide source IP; tampering with AWS CloudWatch and CloudTrail log retention policies (setting to 1 day).
- **Credential Access:** Utilization of stored SSH keys and AWS IAM credentials.
- **Discovery:** Cloud infrastructure crawling and repository enumeration.
- **Lateral Movement:** Cloud-to-Code-Repository transitions.
- **Collection:** Bulk cloning of Git repositories and S3 bucket downloads.
- **Exfiltration:** Transfer of data to external accounts under the attacker's control.
- **Impact:** Extortion attempt, data theft, and intentional disruption of log integrity.
## Impact Assessment
- **Financial:** Ubiquiti’s stock price dropped approximately 20% (wiping out billions in market cap) after the full scope of the breach was publicized by whistleblowers.
- **Data Breach:** Source code, internal credentials, and potential customer-facing cloud infrastructure configurations.
- **Operational:** Significant internal resources diverted to remediation; permanent loss of certain historical logs due to retention policy tampering.
- **Reputational:** Massive loss of trust after it was revealed the "outside hack" was an inside job and that the company’s initial public statement lacked full context.
## Indicators of Compromise
- **Network indicators:** Connections to AWS management console from Surfshark VPN exit nodes.
- **File indicators:** Mass cloning of GitHub repositories [defanged: github[.]com/ubiquiti/...]
- **Behavioral indicators:** Unusual modification of AWS log retention settings from "Infinite" to "1 Day"; access to sensitive resources outside of normal working hours.
## Response Actions
- **Containment:** Revoking compromised credentials and rotating all internal AWS keys.
- **Eradication:** Identifying and restoring modified log settings; removing the insider's access upon identification.
- **Recovery:** Public disclosure of the incident and cooperation with the Department of Justice for prosecution.
## Lessons Learned
- **Key takeaways:** Insider threats remain one of the most difficult vectors to defend against because they involve trusted identities.
- **What could have been done better:** Monitoring for "configuration drift" (like changes to log retention) could have alerted the team sooner. The assumption that a breach is external can lead to delayed identification of an internal actor.
## Recommendations
- **Implement Tiered Administration:** Use the Principle of Least Privilege (PoLP) to ensure no single developer has full control over both production data and audit logs.
- **Immutable Logging:** Send logs to an isolated, write-once-read-many (WORM) storage account that even cloud admins cannot modify or delete.
- **Anomalous Behavior Detection:** Deploy UEBA (User and Entity Behavior Analytics) to flag bulk data downloads or unusual VPN usage by administrative staff.
- **Separation of Duties:** Require a "two-man rule" for high-impact changes, such as modifying log retention policies or deleting backups.