Ubiquiti has filed a lawsuit against intrepid security journalist Brian Krebs for defamation stemming from his coverage of the Ubiquiti breach that took place in 2020.
Ubiquiti Inc. files this defamation action because blogger Brian Krebs falsely accused the company of “covering up” a cyberattack by intentionally misleading customers about a so-called data “breach” and subsequent blackmail attempt in violation of federal law and SEC regulations. The opposite is true: Ubiquiti promptly notified its customers about the attack and instructed them to take additional security precautions to protect their information. Ubiquiti then notified the public in the next filing it made with the SEC. But Krebs intentionally disregarded these facts to target Ubiquiti and increase ad revenue by driving traffic to his website, www.KrebsOnSecurity.com.
In his article titled “Whistleblower: Ubiquiti Breach ‘Catastrophic’”, posted on 30 March 2021, Brian Krebs said the following:
A security professional at Ubiquiti who helped the company respond to the two-month breach beginning in December 2020 contacted KrebsOnSecurity after raising his concerns with both Ubiquiti’s whistleblower hotline and with European data protection authorities. The source – we’ll call him Adam – spoke on condition of anonymity for fear of retribution by Ubiquiti.
“It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers” Adam wrote in a letter to the European Data Protection Supervisor. “The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.”
Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies.
Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide.
Adam says Ubiquiti’s security team picked up signals in late December 2020 that someone with administrative access had set up several Linux virtual machines that weren’t accounted for. Then they found a backdoor that an intruder had left behind in the system.
Krebs relied on an insider whom he verified worked at Ubiquiti. It later came to light that Ubiquiti was held hostage by one of its own employees, who is likely the same person Krebs used as his source.
From Krebs's report on the charges:
Federal prosecutors say Nickolas Sharp, a senior developer at Ubiquiti, actually caused the “breach” that forced Ubiquiti to disclose a cybersecurity incident in January. They allege that in late December 2020, Sharp applied for a job at another technology company, and then abused his privileged access to Ubiquiti’s systems at Amazon’s AWS cloud service and the company’s GitHub accounts to download large amounts of proprietary data.
Sharp’s indictment doesn’t specify how much data he allegedly downloaded, but it says some of the downloads took hours, and that he cloned approximately 155 Ubiquiti data repositories via multiple downloads over nearly two weeks.
On Dec. 28, other Ubiquiti employees spotted the unusual downloads, which had leveraged internal company credentials and a Surfshark VPN connection to hide the downloader’s true Internet address. Assuming an external attacker had breached its security, Ubiquiti quickly launched an investigation.
But Sharp was a member of the team doing the forensic investigation, the indictment alleges.
“At the time the defendant was part of a team working to assess the scope and damage caused by the incident and remediate its effects, all while concealing his role in committing the incident” wrote prosecutors with the Southern District of New York.
It really feels like Ubiquiti instructed their lawyers to throw allegations against the wall and see what sticks. Many in the tech community have noted that the lawsuit itself is not written very well.
Many believe that this lawsuit is a Strategic Lawsuit Against Public Participation (SLAPP), a kind of suit that often targets individuals exercising their right to free speech. Comedian John Oliver did a great piece on SLAPP suits after he himself was hit with one after reporting on coal businessman Bob Murray. The fact that this lawsuit was filed in West Virginia, a state which has no anti-SLAPP laws, is notable.
We will have to wait to see the jury’s verdict, but it is unlikely that Ubiquiti will emerge victorious from this battle.