Cyber Crime: Insider Fraud & Extortion — The Sharp Case

Hatteras Hoops
Mar 25, 2023

In December 2021, the U.S. Department of Justice (DOJ) announced charges over an alleged insider computer fraud against a New York-based technology company, redacted in the indictment as Company-1 (Ubiquiti), that the DOJ said cost the company over $4B in market capitalization. [1] The DOJ, in coordination with the Federal Bureau of Investigation (FBI), charged Nickolas Sharp with four counts, centered on computer fraud and abuse under Title 18, U.S. Code, section 1030, “Fraud and related activity in connection with computers.” [2, p. 1] As alleged, Mr. Sharp used his corporate access and inside knowledge to misuse administrative credentials, to export GitHub repositories (repos), to extort his employer while posing as an anonymous ransomware actor, and ultimately to publicly disparage Ubiquiti’s handling of the very “cybersecurity incident” he was investigating as a member of the cybersecurity incident response team (CIRT). [1] These acts illustrate why organizations must maintain and mature human-centric security programs such as insider threat (InT).

The Sharp case comprises over a dozen discrete actions or outcomes from August 2018 through his termination in April 2021. Each of them could have produced indicators [i] that a high-functioning InT program would probably have detected. While the case highlights significant gaps in technical controls, it also exposes administrative controls absent from Ubiquiti’s security program. As alleged, Mr. Sharp used credentials he held as an employee to reach the keys that unlocked further user-credential pairs, hiding behind a relatively basic deception: a Virtual Private Network (VPN) to mask his location and Internet Protocol (IP) address. According to the unsealed indictment, Mr. Sharp then used the Secure Shell (SSH) protocol to remotely access and clone gigabytes of confidential source code from Ubiquiti’s repositories.

Data loss prevention (DLP) or even network intrusion detection system (NIDS) countermeasures may have picked up on the bulk export of data from the GitHub repos. The governance, risk, assurance, and compliance (GRAC) function at Ubiquiti likely overlooked the risk it accepted by assuming that its own security technology, or its partner’s (AWS) native controls, were in place and backed by an active, technology-informed human decision-making process. The unsealed indictment does not say how Ubiquiti’s third-party risk management (TPRM) contributed to the detections, or whether they were surfaced by an active InT team hunting and sharpening its indicators. [1] When Mr. Sharp allegedly masqueraded as a ransomware criminal, was Ubiquiti’s cyber threat intelligence (CTI) program activated, and did the company work with an Information Sharing and Analysis Center (ISAC) to fingerprint the actor and assess the veracity of the claim? Or did the extortion demand itself serve as the tripwire that exposed the computer fraud, wire fraud, and interstate extortion later charged? [4]
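The two paragraphs above describe the pattern a detector could have keyed on: one account cloning an unusual number of repositories over SSH, from an address outside the corporate ranges (a VPN exit), in a short window. The script below is an added illustration, not code from the article, from Ubiquiti, or from any DLP or NIDS product. It runs MITRE-style indicator logic over a handful of constructed audit lines (the log format, usernames, repository names, IP ranges, and thresholds are all assumptions made for the example) and flags a user whose daily clone count deviates from the population and whose source address is not corporate.

```python
"""Toy insider-threat detector over constructed git-over-SSH audit lines.

Indicator modelled: an account cloning far more repositories than its
peers, from a non-corporate source address, within one UTC day.
Everything below (log format, names, addresses, thresholds) is assumed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: corporate egress ranges (RFC 5737 documentation prefix).
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: a simple key=value audit format, not any vendor's real format.
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) action=git\.clone "
    r"repo=(?P<repo>\S+) bytes=(?P<bytes>\d+) src=(?P<src>\S+)"
)

# Constructed sample: two users with ordinary daytime activity from the
# corporate range, one user bulk-cloning at 02:00 from an outside address.
SAMPLE_LOG = """\
2020-12-10T09:12:01Z user=alice action=git.clone repo=corp/ui bytes=51200000 src=203.0.113.7
2020-12-10T10:40:13Z user=bob action=git.clone repo=corp/api bytes=22400000 src=203.0.113.9
2020-12-11T02:03:44Z user=carol action=git.clone repo=corp/fw-core bytes=734003200 src=198.51.100.23
2020-12-11T02:05:10Z user=carol action=git.clone repo=corp/fw-radio bytes=412000000 src=198.51.100.23
2020-12-11T02:06:52Z user=carol action=git.clone repo=corp/cloud-ctl bytes=98000000 src=198.51.100.23
2020-12-11T02:09:30Z user=carol action=git.clone repo=corp/build-tools bytes=15000000 src=198.51.100.23
2020-12-11T09:30:00Z user=alice action=git.clone repo=corp/ui-tests bytes=8000000 src=203.0.113.7
"""


def parse_line(line):
    """Parse one audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["bytes"] = int(rec["bytes"])
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def is_corporate(ip):
    """True when the source address falls inside a corporate egress range."""
    return any(ip in net for net in CORPORATE_NETS)


def daily_activity(lines):
    """Aggregate clones per (user, UTC day): distinct repos, bytes, external sources."""
    acts = defaultdict(lambda: {"repos": set(), "bytes": 0, "external_srcs": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as evidence
        a = acts[(rec["user"], rec["ts"].date().isoformat())]
        a["repos"].add(rec["repo"])
        a["bytes"] += rec["bytes"]
        if not is_corporate(rec["src"]):
            a["external_srcs"].add(str(rec["src"]))
    return acts


def find_indicators(lines, bytes_threshold=500_000_000, repo_ratio=3.0):
    """Return (user, day) findings: external source plus a volume or deviation signal.

    The population median of repos-per-user-day is the baseline, so a user
    is flagged for deviating from peers rather than for crossing a fixed count.
    """
    acts = daily_activity(lines)
    counts = sorted(len(a["repos"]) for a in acts.values())
    median = counts[len(counts) // 2] if counts else 0
    findings = []
    for (user, day), a in sorted(acts.items()):
        reasons = []
        if a["external_srcs"]:
            reasons.append("clones from non-corporate source " + ",".join(sorted(a["external_srcs"])))
        if median and len(a["repos"]) >= repo_ratio * median:
            reasons.append("%d repos vs population median %d" % (len(a["repos"]), median))
        if a["bytes"] >= bytes_threshold:
            reasons.append("%d bytes cloned" % a["bytes"])
        # Volume alone is noisy (build servers, new hires); require the
        # external source plus at least one volume/deviation signal.
        if a["external_srcs"] and len(reasons) >= 2:
            findings.append({"user": user, "day": day, "repos": sorted(a["repos"]),
                             "bytes": a["bytes"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LOG.splitlines()):
        print(f["user"], f["day"], "; ".join(f["reasons"]))
```

Requiring two independent signals before alerting is the practical point: a VPN exit address on its own describes every remote worker, and a large clone on its own describes every CI runner, but the two together on one account in one night is exactly the kind of indicator the MITRE model asks an InT program to define and then observe.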

The Sharp case illuminates the importance of an interconnected, all-hazards security program that benefits from an integrated cybersecurity program. Mature InT programs rely on an agile set of GRAC procedures, a TPRM program that prioritizes critical vulnerabilities, an active CTI program, a threat-driven security technology program, and an integrated administrative mechanism. That Sharp could serve on the CIRT investigating his own actions without being detected is as much a culture and employee-experience failure as a technical one, and it is not uncommon. Zero trust starts with people, and leveraging people as sensors is an easy way to start improving human-related risk.

[i] Indicators and detectors are defined following the MITRE Insider Threat Model. Indicators are characteristics of known bad insiders that are distinct from the behaviors of the wider population within the organization. Detectors describe how to unobtrusively observe those data-driven indicators through the cyber, physical, human, and organizational sensors available to insider threat/risk programs. [3]

References:

[1] Department of Justice, “Nickolas Sharp Indictment Redacted | 21 CRIM 714 SDNY,” Nov. 18, 2021. https://www.justice.gov/usao-sdny/press-release/file/1452706 (accessed Mar. 18, 2023).

[2] Legal Information Institute, “U.S. Code: Title 18. CRIMES AND CRIMINAL PROCEDURE.” https://www.law.cornell.edu/uscode/text/18 (accessed Sep. 02, 2021).

[3] MITRE, “Insider Threat Research & Solutions.” https://insiderthreat.mitre.org/ (accessed Mar. 18, 2023).

[4] Department of Justice, “Former Employee Of Technology Company Charged With Stealing Confidential Data And Extorting Company For Ransom While Posing As Anonymous Attacker,” Dec. 01, 2021. https://www.justice.gov/usao-sdny/pr/former-employee-technology-company-charged-stealing-confidential-data-and-extorting (accessed Mar. 18, 2023).
