According to the indictment (PDF), Sharp stole gigabytes of confidential data from Ubiquiti’s AWS (on December 10, 2020) and GitHub (on December 21 and 22, 2020) infrastructure using his cloud administrator credentials, cloning hundreds of GitHub repositories over SSH. Throughout this process, the defendant tried hiding his home IP address using Surfshark’s VPN services. However, his actual location was exposed after a temporary Internet outage. To hide his malicious activity, Sharp also altered log retention policies and other files that would have exposed his identity during the subsequent incident investigation. “Among other things, SHARP applied one-day lifecycle retention policies to certain logs on AWS which would have the effect of deleting certain evidence of the intruder’s activity within one day,” the court documents read.
After Ubiquiti disclosed a security incident in January following Sharp’s data theft, while working to assess the scope and remediate the security breach effects he also tried extorting the company (posing as an anonymous hacker). His ransom note demanded almost $2 million in exchange for returning the stolen files and the identification of a remaining vulnerability. The company refused to pay the ransom and, instead, found and removed a second backdoor from its systems, changed all employee credentials, and issued the January 11 security breach notification. After his extortion attempts failed, Sharp shared information with the media while pretending to be a whistleblower and accusing the company of downplaying the incident. This caused Ubiquiti’s stock price to fall by roughly 20%, from $349 on March 30 to $290 on April 1, amounting to losses of over $4 billion in market capitalization.