A senior software developer, Davis Lu, has been found guilty by a federal jury in Cleveland of sabotaging his employer’s systems and faces a potential ten-year prison sentence. Lu, aged 55 and hailing from Houston, Texas, worked for power-management company Eaton Corporation from November 2007 to October 2019. In his final year at the company, he was demoted due to corporate restructuring, resulting in reduced job responsibilities and server access.
The incident unfolded on August 9, 2019, when Lu began deploying custom-designed malware onto one of Eaton Corporation’s production systems. He crafted a Java program that spawned non-terminating threads in an endless loop, consuming progressively more resources until the system crashed, which prevented users from logging in and using the machine. Investigations revealed that the source code for this malicious program was on an internal development server in Kentucky and was traced back to Lu’s user account, the sole one with access privileges for that server.
Furthermore, Lu was accused of writing code on the development server to delete other users’ files, demonstrating a malicious intent towards his coworkers. He also implemented what authorities described as a kill switch, designed to lock out all employees from their accounts if his credentials were revoked. The code, named IsDLEnabledinAD, a reference to Lu’s own Active Directory status, was activated when his employment was terminated on September 9, 2019, resulting in widespread network disruptions and significant financial losses for the company.
In a display of creative malevolence, Lu named his rogue applications with destructive connotations, such as Hakai (Japanese for destruction) and HunShui (Chinese for sleep). Additionally, on his last day he attempted to erase encrypted data and wipe Linux OS directories and code projects from his company-issued laptop, and his internet search history showed that he had sought advice on escalating privileges, deleting data, and concealing processes.
Despite admitting to federal investigators on October 7, 2019, that he was responsible for the cyber disruptions at Eaton Corporation, Lu entered a plea of not guilty to intentionally damaging a protected computer. However, the jury ultimately found him guilty, paving the way for a future sentencing hearing. Eaton Corp has yet to provide a statement regarding Lu’s conviction.
Lu’s actions highlight the potentially devastating consequences of insider threats within organizations and serve as a cautionary tale for businesses to enhance their cybersecurity measures to prevent such incidents. The case serves as a stark reminder of the importance of vigilance and proactive defenses against internal security breaches.