This wasn’t your typical cyberextortion situation.
More precisely, it followed what you might think of as a well-worn path, so in that sense it came across as “typical” (if you will pardon the use of the word typical in the context of a serious cybercrime), but it didn’t happen in the way you would probably have assumed at first.
Starting in December 2020, the crime unfolded as follows:
- Attacker broke in via an unknown security hole.
- Attacker acquired sysadmin powers on the network.
- Attacker stole gigabytes of confidential data.
- Attacker messed with system logs to cover their tracks.
- Attacker demanded 50 Bitcoins (then worth about $2,000,000) to hush things up.
- Attacker doxxed the victim when the blackmail wasn’t paid.
Doxxing, if you’re not familiar with the term, is shorthand jargon for deliberately releasing documents about a person or company to put them at risk of physical, financial or other harm.
When cybercriminals doxx individuals they don’t like, or with whom they they have a score they want to settle, the idea is often to put the victim at risk from (or at least in fear of) a physical attack, for example by accusing them of a heinous crime, wishing vigilante justice on them, and then telling everyone where they live.
When the victim is a company, the criminal intent is usually to create operational, reputational, financial or regulatory stress for the victim by not only exposing that the company suffered a breach in the first place, but also deliberately releasing confidential information that other criminals can abuse right away.
If you do the right thing and report a breach to your local regulator, the regulator won’t demand that you immediately publish details that amount to a guide on “how to hack into company X right now”. If the security hole exploited is later deemed to have been easily avoidable, the regulator might ultimately decide to fine you for not preventing the breach, but will nevertheless work with you at the outset to try to minimise the damage and risk.
Hoist by his own petard
The good news in this case (good for law and order, albeit not for the perpetrator) is that the victim wasn’t quite as gullible as the criminal seemed to think.
Company-1, as the US Department of Justice (DOJ) calls them and we shall too, even though their identity has been widely disclosed on the public record, quickly seemed to have suspected an inside job.
Within three months of the start of the attack, the FBI had raided the home of soon-to-be-ex-senior-coder Nickolas Sharp, then in his mid-30s, suspecting him of being the perpetrator.
In fact, Sharp, in his capacity as a senior developer at Company-1, was apparently “helping” (we use the term loosely here) to “remediate” (ditto) his own attack by day, while trying to extort a $2m ransom payment by night.
As part of the bust, the cops seized various computer devices, including what turned out to be the laptop that Sharp used when attacking his own employer, and questioned Sharp about his alleged role in the crime.
Sharp, it seems, not only told the Feds a pack of lies (or made numerous false statements, in the more dispassionate words of the DOJ) but also went on what you might call a “fake news” PR counter-offensive, apparently hoping to throw the investigation off track.
As the DOJ puts it:
Several days after the FBI executed the search warrant at SHARP’s residence, SHARP caused false news stories to be published about the Incident and Company-1’s response to the Incident. In those stories, SHARP identified himself as an anonymous whistleblower within Company-1 who had worked on remediating the Incident and falsely claimed that Company-1 had been hacked by an unidentified perpetrator who maliciously acquired root administrator access to Company-1’s AWS accounts.
In fact, as SHARP well knew, SHARP himself had taken Company-1’s data using credentials to which he had access, and SHARP had used that data in a failed attempt to extort Company-1 for millions of dollars.
Almost immediately after news broke about the data breach, Company-1’s share price dropped very suddenly from about $390 to about $280.
Although the price might have fallen notably on account of any sort of breach notification, the DOJ report quite reasonably implies (though it stops short of stating as a fact) that this false narrative, as peddled to the media by Sharp, made the devaluation worse than it otherwise would have been.
Sharp pleaded guilty in February 2023; he was sentenced this week to spend six years in prison followed by three years on parole, and instructed to pay restitution of just over $1,500,000.
(He’s also never going to get any of his confiscated computer equipment back, though just how useful that kit would still be if it were returned to him after six years in prison and a further three years on supervised release is anyone’s guess.)
What to do?
- Divide and conquer. Try to avoid situations where individual sysadmins have unfettered access to everything. The additional hassle of requiring two independent authorisations for important system operations is a small price to pay for the additional safety and control it gives you.
- Keep immutable logs. In this case, Sharp was able to mess with system logs in an attempt to hide his own access and to cast suspicions on coworkers instead. Given the speed with which he was caught out, however, we’re assuming that Company-1 had kept at least some “write only” logs that formed a permanent, undeniable record of key system activities.
- Always measure, never assume. Get independent, objective confirmation of security claims. The vast majority of sysadmins are honest, unlike Nickolas Sharp, but few of them are 100% right all the time.
Most sysadmins we know would be delighted to have regular access to a second opinion to verify their assumptions.
It’s a help, not a hindrance, to have critical cybersecurity work double-checked to make sure not only that it was started correctly, but completed correctly, too.
ALWAYS MEASURE, NEVER ASSUME
Short of time or expertise to take care of cybersecurity threat response?
Worried that cybersecurity will end up distracting you from all the other things you need to do?
Take a look at Sophos Managed Detection and Response:
24/7 threat hunting, detection, and response ▶
LEARN MORE ABOUT ACTIVE ADVERSARIES
Read our Active Adversary Report.
This is a fascinating study of real-life attacks by Sophos Field CTO John Shier.