A US citizen has been arrested in relation to a data breach at his employer that the FBI alleges he orchestrated.
Nickolas Sharp, 36, stands accused of “stealing gigabytes of confidential files” from a New York-based manufacturer of wireless communications products, according to a press release published by the US Department of Justice (DoJ).
The defendant then attempted to extort the firm for nearly $2 million for the return of the stolen data and identification of a ‘backdoor’ into the firm’s computer systems – all the while “purportedly working to remediate the security breach”, the district attorney’s office alleges.
Stock market plunge
Sharp, of Portland, Oregon, later caused “the publication of misleading news articles about the company’s handling of the breach”, after which the company’s stock price plunged by around 20%, wiping more than $4 billion off its market capitalization.
He was arrested yesterday (December 1) in Oregon and was due in court later on the same day.
As an Amazon Web Services (AWS) cloud administrator, Sharp “repeatedly misused” access privileges, which included access to the company’s AWS and GitHub servers, in order to download confidential data in December 2020, according to the indictment.
Then in January 2021, Sharp sent his employer an anonymous ransom note demanding payment of 50 bitcoin – then worth around $1.9 million.
When the company refused to pay up, he allegedly published a portion of stolen files on a publicly accessible online platform.
IP unmasked
Computer systems were also damaged, says the DoJ, when the defendant altered “log retention policies and other files, to conceal his unauthorized activity on the network”.
The FBI alleges that Sharp used the Surfshark virtual private network (VPN) service to mask his IP address.
However, his home IP address was inadvertently exposed following a temporary internet outage at his home that occurred while he was exfiltrating data, says the DoJ.
During a raid on his home in March, in which FBI agents seized electronic devices, Sharp denied that he was the perpetrator or that he had used Surfshark, it also reports.
‘Planted damaging news stories’
Several days later, “Sharp, now posing as an anonymous company whistle-blower, planted damaging news stories falsely claiming the theft had been by a hacker enabled by a vulnerability in the company’s computer systems,” according to Damian Williams, US attorney for the southern district of New York.
Michael Driscoll, assistant director in charge of the FBI’s New York Office, said: “We allege Mr Sharp created a twisted plot to extort the company he worked for by using its technology and data against it. Not only did he allegedly break several federal laws, he orchestrated releasing information to media when his ransom demands weren’t met.
“When confronted, he then lied to FBI agents. Mr Sharp may have believed he was smart enough to pull off his plan, but a simple technical glitch ended his dreams of striking it rich.”
Sharp has been charged on four counts related to intentional damage of computer systems, which carries a maximum jail sentence of 10 years; transmission of an interstate threat, with a potential prison term of up to two years; wire fraud, carrying a maximum penalty of 20 years in prison; and making false statements to the FBI, with the sentence potentially up to five years in prison.
In it press release, the DoJ reiterated that the charges contained in the indictment are merely accusations, and the defendant is presumed innocent unless and until proven guilty.