Davis Lu, a 55-year-old software developer from Houston, was convicted for sabotaging the computer systems of his former employer. Lu had worked at Eaton Corp, a global power management company, from November 2007 until his termination in October 2019. The company provides electrical, hydraulic, and mechanical solutions to a wide range of industries. Lu’s criminal activities began after a corporate restructuring in 2018, which resulted in his demotion and the loss of his job responsibilities. This professional setback led him to retaliate by launching an extensive cyber attack on the company’s systems.
Lu deployed custom malware that created infinite loops on a production server, causing the system to crash and locking users out. The infinite loops consumed system resources, preventing users from logging into their accounts. Additionally, Lu deleted several coworkers’ user profiles and installed a “kill switch” in the company’s Windows Active Directory. This kill switch was programmed to lock out all users if Lu’s account was ever disabled, ensuring that the system would be rendered inaccessible to employees. The kill switch was triggered in September 2019 when Lu was terminated, causing widespread disruption as thousands of workers lost access to critical systems.
The sabotage continued on the day Lu was asked to return his company-issued laptop. Lu was found to have deleted encrypted data, further hindering the company’s ability to recover from the attack. Investigations revealed that Lu had been researching methods to elevate privileges, hide processes, and quickly delete files in preparation for his malicious activities. These internet search queries highlighted his intent to cause as much damage as possible. Lu’s actions disrupted Eaton’s daily operations and led to financial losses, costing the company hundreds of thousands of dollars in damages.
Lu’s actions were deemed a federal offense under U.S. law, and he was convicted of intentionally damaging protected computers. The charge carries a maximum penalty of up to 10 years in prison. Lu’s case demonstrates the potential dangers of internal sabotage by disgruntled employees and serves as a reminder to organizations of the need for strong security measures. A sentencing date for Lu has not yet been set, but his conviction marks the culmination of a significant legal case in the realm of cybersecurity.
Reference:
