Article Details

Scrape Timestamp (UTC): 2025-03-08 01:20:26.701

Source: https://www.theregister.com/2025/03/08/developer_server_kill_switch/

Original Article Text


Developer sabotaged ex-employer with kill switch that activated when he was let go

IsDavisLuEnabledInActiveDirectory? Not any more. IsDavisLuGuilty? Yes. IsDavisLuFacingJail? Also yes.

A federal jury in Cleveland has found a senior software developer guilty of sabotaging his employer's systems – and he's now facing a potential ten years behind bars.

Davis Lu, 55, of Houston, Texas, was a seasoned coder employed by an unnamed company from November 2007 to October 2019. In his last year with the biz, there was a corporate restructuring and he was demoted, both in terms of job responsibilities and server access.

On August 9, 2019, Lu began introducing home-designed malware onto at least one of his employer's production systems. He wrote a Java program that would, in an infinite loop, create more and more non-terminating threads that would consume more and more resources until the computer running the code crashed, preventing people from logging in and using the machine.

According to the prosecution's filings [PDF] to an Ohio federal court, investigators subsequently found the source code for this program on an internal development server in Kentucky, and that Lu's user account had been used to execute the malware on the production box. Lu was also the only member of his team who had access privileges for that dev machine. It was further claimed Lu wrote code on that development box that would trash other users' files.

Then, it's said, Lu created what the Feds described as a kill switch – more like a dead man's switch, perhaps – that would lock every employee out of their accounts if his credentials were ever revoked, and named the code IsDLEnabledinAD, as in "Is Davis Lu enabled in Active Directory." When his position was eventually terminated on September 9, 2019, the kill switch was activated and thousands of employees around the world were locked out of the network, causing hundreds of thousands of dollars of damage, it is said.
Lu was creative in naming his malicious code. He dubbed one rogue application Hakai, the Japanese word for destruction. Another he dubbed HunShui, from the Chinese word for sleep.

A subsequent investigation found that on the day he had to hand back his corporate laptop, he had deleted a chunk of encrypted data, and had attempted to wipe its Linux OS directories and two code projects. A review of his search history also showed requests for advice on escalating privileges, deleting data and folders, and hiding processes.

On October 7, 2019, Lu admitted to federal investigators he was behind the computer problems at his previous employer, but still decided to fight his case by pleading not guilty to a charge of intentionally damaging a protected computer. Unfortunately for him, the jury wasn't impressed, finding him guilty today, and he faces sentencing at a later date.

Daily Brief Summary

CYBERCRIME // Senior Developer Convicted for Sabotaging Company Networks

Davis Lu, a senior software developer, was found guilty of intentionally damaging his former employer's computer systems.

After being demoted during a corporate restructuring, Lu introduced malware that led to significant system disruptions.

He implemented a “kill switch” that locked thousands of employees out of their accounts when his employment was terminated.

The disruptions caused hundreds of thousands of dollars in damages and operational challenges globally.

The malware Lu created included applications whimsically named after terms implying destruction and incapacitation.

Federal investigators discovered his malicious activities after forensic analysis of the internal servers and his company laptop.

Lu's search history contained queries about escalating privileges and deleting data, indicating premeditation.

He faces up to ten years in prison, with sentencing scheduled for a later date.