A former software developer for power management company Eaton Corporation who sabotaged the company’s IT systems will now spend four years in prison.
After a six-day trial in March, Davis Lu was found guilty of creating malicious code that created “infinite loops” that caused system crashes within Eaton’s environment, deleted employee data and prevented people from logging in. He was sentenced to prison late last week.
Lu also developed a “kill switch” that he could trigger if he was ever fired that would lock out Eaton workers from the company’s software. The kill switch was automatically deployed when he was fired in September 2019.
Lu, a Chinese national who was living in Houston, worked for Eaton from 2007 to 2019, and became disgruntled in 2018 when a corporate reorganization at the company, which is based in Beachwood, Ohio, reduced his responsibilities and limited his access to IT systems. He began writing the malicious code that year, according to prosecutors.
The infinite loop was “designed to exhaust Java threads by repeatedly creating new threads without proper termination and resulting in server crashes or hangs,” Justice Department (DOJ) prosecutors wrote after Lu was convicted.
According to a report compiled by Eaton investigators, the malicious code deployed by Lu resulted in more than $360,000 in losses for the company, which also noted that it took more than a year to remove Lu’s code from the systems.
Damaging Protected Computers
A federal jury in Ohio convicted Lu of causing intentional damage to protected computers, and he faced 10 years in prison. Instead, U.S. District Judge Pamela Barker sent him to prison for four years, followed by three years of supervised release.
“The extreme chaos caused by just one person who used his creative mind and technical talents to thwart his employer’s business operations was not only disruptive – it was criminal,” U.S. Attorney David Toepfer said in a statement after the sentencing.
According to The New York Times, Lu’s attorney, Peter Zeidenberg, said his client was disappointed by the jury verdict in March and continues to say he’s innocent. Lu is “weighing his appeal options,” Zeidenberg said, according to the news organization.
The lawyer reportedly asked for a two-year sentence for Lu. Prosecutors asked for more than five.
Naming the Malware
FBI Special Agent Greg Nelsen said after the sentencing that “Davis Lu was intent on inflicting widescale damage to his employer with reckless disregard.”
According to prosecutors, Lu named the kill switch he created “IsDLEnabledinAD,” which is short for “Is Davis Lu enabled in Active Directory.”
In addition, he gave names to other malware, including calling one program “Hakai,” a Japanese word for “destruction,” and another “HunShui,” a Chinese word meaning “sleep” or “lethargy.”
They also said that on the day he was told to turn in his company laptop, Lu deleted a range of encrypted data and ran a command aimed at making it impossible to use forensic software to recover the data.
Investigators also noted that his internet search history showed that Lu had studied ways to escalate privileges, hide processes, and rapidly delete files, which they said indicated “an intent to obstruct efforts of his co-workers to resolve the system disruptions.”