
Developer sabotaged ex-employer with kill switch that activated when he was let go

(2025/03/08)


A federal jury in Cleveland has found a senior software developer guilty of sabotaging his employer's systems – and he's now facing a potential ten years behind bars.

Davis Lu, 55, of Houston, Texas, was a seasoned coder employed by power-management biz Eaton Corporation from November 2007 to October 2019. In his last year with the outfit, there was a corporate restructuring and he was demoted, both in terms of job responsibilities and server access.

On August 9, 2019, Lu began introducing home-designed malware onto at least one of his employer's production systems. He wrote a Java program that would, in an infinite loop, create more and more non-terminating threads, consuming more and more resources until the computer running the code crashed, which prevented people from logging in and using the machine.

According to the prosecution's [2]filings [PDF] to an Ohio federal court, investigators subsequently found the source code for this program on an internal development server in Kentucky, and found that Lu's user account had been used to execute the malware on the production box. Lu was also the only member of his team who had access privileges for that dev machine.

It was further claimed Lu wrote code on that development box that would trash other users' files.

[5]Ex-school IT admin binned student, staff accounts and trashed phone system

[6]Guy is booted out of IT amid outsourcing, wipes databases, deletes emails... goes straight to jail for two-plus years

[7]Rogue IT admin goes off the rails, shuts down Canadian train switches

[8]Holy smokes! Ex-IT admin gets two years prison for trashing Army chaplains' servers

Then, it's said, Lu created what [9]the Feds described as a kill switch – more like a dead man's switch, perhaps – that would lock every employee out of their accounts if his credentials were ever revoked, and named the code IsDLEnabledinAD, as in "Is Davis Lu enabled in Active Directory."

When his position was eventually terminated on September 9, 2019, the kill switch was activated and thousands of employees around the world were locked out of the network, causing hundreds of thousands of dollars of damage, it is said.

Lu was creative in naming his malicious code. He dubbed one rogue application Hakai, the Japanese word for destruction. Another he dubbed HunShui, from the Chinese word for sleep.

A subsequent investigation found that on the day he had to hand back his corporate laptop, he had deleted a chunk of encrypted data, and had attempted to wipe its Linux OS directories and two code projects. A review of his search history also showed requests for advice on escalating privileges, deleting data and folders, and hiding processes.

On October 7, 2019, Lu admitted to federal investigators he was behind the computer problems at his previous employer, but still decided to fight his case by pleading not guilty to a charge of intentionally damaging a protected computer. Unfortunately for him, the jury wasn't impressed, finding him guilty today, and he faces sentencing at a later date.

We've asked Eaton Corp for any comment on Lu's conviction. ®

[2] https://regmedia.co.uk/2025/03/07/lu.pdf

[5] https://www.theregister.com/2023/12/01/it_admin_guilty/

[6] https://www.theregister.com/2019/07/09/it_admin_deletes_files_jailed/

[7] https://www.theregister.com/2018/02/14/rogue_it_admin_canadian_railway_switches/

[8] https://www.theregister.com/2019/09/30/army_chaplain_admin_jailed/

[9] https://www.justice.gov/opa/pr/texas-man-convicted-sabotaging-his-employers-computer-systems-and-deleting-data




Not a very bright boy...

DoctorNine

There are simply so many ways to indirectly hork a system with a tiny, tiny forensic footprint, that one wonders at the sheer stupidity here described. He signed the thing like Picasso. What exactly did he think was going to happen? Did he fantasize that the investigators were going to be so impressed with the code, they would call him up to try to rehire him? What an ego on this guy.

Re: Not a very bright boy...

Bebu sa Ware

10 years in the big house = 1 year for the offence, 9 years for stupidity.

If stupidity were Ebola most of the world's problems would (de)cease within a week.

Database slowly drifted away from reality

Anonymous Coward

A national customer support system that I set up and managed received weekly updates from the big multinational corporate system that had to be massaged with some fancy SQL scripts. Every week, there were exceptions that required manual intervention.

Before an upcoming vacation, I was asked to brief a non-technical employee on how to run the updates. The poor girl had never heard of SQL - and some of the commands were close to a page long.

Shortly after I was downsized and the database began a slow deterioration. It wouldn't surprise me if the phone people increasingly were dealing with issues on newly acquired customer machines that weren't in the system.

Multinational corporate some years and tens of megabucks later finally brought in a customer support system that was obsolete the day it finally was working.
