Fired Developer Jailed For Shutting Down Ex-Employer’s Network With ‘Kill Switch’ Malware, Impacting Thousands

Published on Aug 27, 2025
Written by Joel Witts
A 55-year-old man has been sentenced to four years in prison and three years of supervised release after being convicted of installing ‘kill switch’ malicious code on his former employer’s computer network.

The attack impacted thousands of employees globally and cost hundreds of thousands of dollars in losses, according to the US Attorney’s Office, Northern Ohio.

Davis Lu, a Chinese national living in Houston, Ohio, was employed as a software developer from November 2007 to October 2019 for a large multi-national power management company with over 10,000 employees.

In 2018, the company began to go through a period of “corporate realignment” which reduced his responsibilities and system access.

Following this, he introduced malicious code into the system that meant if he was ever removed from Active Directory, all users would be locked out. He also inserted malicious code that would create infinite loops to cause server crashes.

These actions were locked behind a “kill switch” which was set to activate if his account privileges were revoked from the company’s user directory. 

Lu made little effort to cover his tracks. The kill switch code was named “IsDLEnabledinAD” – an abbreviation of “Is Davis Lu enabled in Active Directory”.

In September 2019, Lu was finally let go, and the kill switch was activated. 

Thousands of employees based all over the world were affected by the malicious activity, which caused “havoc” on company systems, said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.

When asked to hand over his company laptop, Lu deleted all encrypted data and ran a command that hid all his browsing activity.

Law enforcement searched his internet history, which revealed he had been looking up how to escalate privileges, cover his tracks, and delete files.

Lu has now been sentenced to four years in prison, with three further years of supervised release. Restitution will be determined at a later date.

“The FBI works relentlessly every day to ensure that cyber actors who deploy malicious code and harm American businesses face the consequences of their actions,” said Assistant Director Brett Leatherman of the FBI’s Cyber Division.

“I am proud of the FBI cyber team’s work which led to this sentencing and hope it sends a strong message to others who may consider engaging in similar unlawful activities. This case also underscores the importance of identifying insider threats early and highlights the need for proactive engagement with your local FBI field office to mitigate risks and prevent further harm.”

“Insider risks”, meaning security breaches caused by employees or partners, are at an all-time high. According to Cybersecurity Insiders, 83% of organizations reported insider attacks last year.

There is no silver bullet for stopping insider risks. Strong access controls, user behavior monitoring, and security awareness training can all be important steps.

In this particular case, the system admin themselves was the person behind the attack. This is an unusual case of someone with the most trusted access in the company going rogue.

If nothing else, it highlights the importance and responsibility system admins hold within businesses, and how severely companies can be impacted when things go wrong.
