Developer Guilty of Using Kill Switch to Sabotage Employer's Systems

Summary:
Former software developer Davis Lu, 55, of Houston, was convicted of sabotaging Eaton Corporation’s computer systems after losing responsibilities following a corporate restructuring in 2018. Lu, who worked at the Ohio-based power management company from November 2007 to October 2019, retaliated by deploying malicious code that severely disrupted the company’s operations. His sabotage included embedding infinite loops in the system that continuously created new Java threads without termination, exhausting server resources and causing system crashes. These attacks prevented employees from logging in and accessing critical business applications. Additionally, Lu deleted coworkers' Active Directory profiles, further locking them out of the company’s systems.

One of the most damaging actions Lu took was installing a kill switch, named “IsDLEnabledinAD”, which stood for “Is Davis Lu enabled in Active Directory.” The code was designed to automatically lock out all employees if Lu's own account was ever disabled. When Lu was terminated on September 9, 2019, the kill switch activated, cutting off system access for thousands of employees and disrupting company operations. To further conceal his actions, Lu deleted encrypted data from his company laptop before returning it. Investigators later found that he had conducted internet searches on privilege escalation techniques, process hiding, and rapid file deletion, indicating that he had carefully planned the attack.

Security Officer Comments:
As a result of Lu’s sabotage, Eaton Corporation suffered hundreds of thousands of dollars in damages due to the system disruptions. The U.S. Department of Justice charged him with intentionally damaging protected computers, a federal offense carrying a maximum sentence of 10 years in prison. A jury found Lu guilty, though his sentencing date has not yet been set.

Suggested Corrections:
  • Implement access controls: Ensure that only authorized users have access to sensitive systems and data, and limit access to only the resources that are necessary for an individual's job duties.
  • Conduct background checks: Perform thorough background checks on employees, contractors, and other insiders who will have access to sensitive systems and data.
  • Implement security training: Provide security awareness training to all employees, contractors, and other insiders to help them understand the importance of security and how to identify and prevent potential threats.
  • Monitor system and network activity: Regularly monitor systems and networks for unusual or suspicious activity, and alert appropriate personnel when potential threats are detected.
  • Implement incident response plans: Develop and implement incident response plans to ensure that appropriate steps are taken in the event of a security breach or other incident.
  • Review and update policies and procedures: Regularly review and update policies and procedures related to security and insider threats, and ensure that all employees, contractors, and other insiders are aware of and follow these policies and procedures.
  • Use multi-factor authentication: Implement multi-factor authentication to help ensure that only authorized users are able to access sensitive systems and data.
By implementing these best practices, organizations can significantly reduce the risk of insider threats and protect themselves from potential harm.

Link(s):
https://www.bleepingcomputer.com/ne...ng-kill-switch-to-sabotage-employers-systems/

https://www.cleveland.com/court-jus...-of-sabotaging-companys-computer-systems.html