Article Details
Scrape Timestamp (UTC): 2025-08-22 00:31:15.205
Source: https://www.theregister.com/2025/08/22/worlds_dumbest_it_admin_gets/
Original Article Text
Developer jailed for taking down employer's network with kill switch malware.

Pro tip: When taking revenge, don't use your real name.

A US court sentenced a former developer at power management biz Eaton to four years in prison after he installed malware on the company’s servers.

Davis Lu, 55, spent a dozen years at Eaton and rose to become a senior developer of emerging technology, before the company demoted him after restructuring.

Lu unwisely responded to that setback by installing a "kill switch" that would activate if the company revoked his network access. The package was a Java program that generated increasing numbers of non-terminating threads in an infinite loop that would eventually use enough resources to crash the server.

"The defendant breached his employer’s trust by using his access and technical knowledge to sabotage company networks, wreaking havoc and causing hundreds of thousands of dollars in losses for a US company," said acting assistant Attorney General Matthew Galeotti of the Justice Department’s Criminal Division in an email. "However, the defendant’s technical savvy and subterfuge did not save him from the consequences of his actions."

Not that he had much technical savvy. Lu labeled his malware IsDLEnabledinAD, for "Is Davis Lu enabled in Active Directory." Furthermore, after developing the software he uploaded it using his corporate credentials – hardly clean OPSEC, to quote the US Defense Secretary.

Eaton terminated Lu’s position on September 9, 2019, and cut off his network access, which caused the Java program to fire up, overloading the network, preventing login access for thousands of Eaton's global staff, and deleting some corporate data.

But when it came time for Lu to turn in his corporate laptop, it turned out he'd been using it to execute his plan. His search history showed he'd been looking up how to delete data, escalate privileges, and conceal process trails. He also deleted a large chunk of encrypted data.

Less than a month after his malware ran, federal agents arrested Lu. He admitted to his crime but still opted for a jury trial. That didn't work out so well for him, and a federal jury in Cleveland found him guilty of intentionally damaging a protected computer.

On Thursday he received a four-year sentence and an additional three years of supervised release.

"I am proud of the FBI cyber team’s work which led to today’s sentencing and hope it sends a strong message to others who may consider engaging in similar unlawful activities," said assistant director Brett Leatherman of the FBI’s Cyber Division. "This case also underscores the importance of identifying insider threats early."

As The Register has pointed out time and time again, insiders can cause the most damage with ease. All the fancy firewalls, AI tools, and malware monitoring services won't protect you if the person running them goes rogue.

Eaton had no comment on the sentence.
Daily Brief Summary
Davis Lu, a former senior developer at Eaton, received a four-year prison sentence for installing malicious software on the company's servers.
The malware, a Java program, was designed to crash servers by generating infinite non-terminating threads, causing significant operational disruption.
Lu's actions led to a network overload, preventing login access for thousands of Eaton employees globally and resulting in data loss.
The breach resulted in hundreds of thousands of dollars in damages, demonstrating the severe impact of insider threats.
Lu's inadequate operational security included using his real name and corporate credentials, leading to his swift identification and arrest.
The FBI highlighted the case as a reminder of the critical need for early detection of insider threats within organizations.
This incident underscores the vulnerability of corporate networks to internal sabotage, despite advanced cybersecurity measures in place.