Disgruntled developer gets four-year sentence for revenge attack on employer’s network

A software developer who launched disruptive logic bombs inside his employer’s network as an act of revenge has been sentenced to four years in prison by an Ohio court.

According to the US Department of Justice, 55-year-old Chinese national Davis Lu was unhappy that a 2018 reorganization by electrical manufacturing company Eaton Corporation had resulted in his demotion from senior developer.

In response, in 2019 Lu began sabotaging the company’s systems from within using hidden malicious routines. The first, an ‘infinite loop’, executed on August 4, causing Java VMs to constantly spawn new threads until production servers hung or crashed from resource exhaustion.

In addition, Lu hid a second attack that polled the company’s Windows Active Directory (AD) database to check whether his account profile was active. If it wasn’t — a condition met when Lu’s network access and employment were finally suspended on September 9 — “kill switch” code was automatically executed to delete the profiles of other AD users, locking them out of the network.

Eventually, logs revealed that the disruption had been executed by Lu’s user ID from a computer located in Kentucky.

“The defendant breached his employer’s trust by using his access and technical knowledge to sabotage company networks, wreaking havoc and causing hundreds of thousands of dollars in losses for a US company,” said Matthew R. Galeotti of the Justice Department’s Criminal Division.

“However, the defendant’s technical savvy and subterfuge did not save him from the consequences of his actions,” he added.

See what I did

An odd aspect of the case is that Lu appears to have made little effort to conceal evidence of his planning and actions, and almost set out to advertise his involvement out of spite, leading to his being found guilty by a jury in March.

One example is the name he gave the AD kill switch code, “IsDLEnabledinAD,” which abbreviated the phrase “Is Davis Lu enabled in Active Directory?”

Lu must also have known that one of the first places prosecutors would look for evidence would be his Internet searches. These revealed that he had “researched methods to escalate privileges, hide processes, and rapidly delete files, indicating an intent to obstruct efforts of his co-workers to resolve the system disruptions,” the Justice Department said.

By the time Lu was asked to hand over his company laptop in September 2019, he must have realized the game was up. His response was to delete the machine’s encrypted volumes while attempting to delete two projects plus Linux directories. According to Lu’s court indictment, he eventually admitted responsibility for the attack on October 7, 2019.

Lone wolves

It’s the attack every enterprise fears even more than hackers or a data breach: an insider with skills and knowledge who decides to go rogue.

While such attacks remain exceptions, the ones that come to public attention in court cases always make for stressful reading. The challenge is that developers and admins must have a degree of privilege to do their jobs. This makes it inherently difficult to distinguish legitimate access from a lone wolf on the rampage before damage is done.

The case underlines the need to limit admin privileges and use logging oversight to monitor access for suspicious trends. If something odd is detected, someone needs to be on hand to step in as quickly as possible. The simple presence of these controls can also act as a deterrent.
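One way to put that logging recommendation into practice, as an added example that is not from the article or from Eaton's environment: a small Python detector run over constructed Windows Security events. The event IDs are Windows' own (4725, account disabled; 4726, account deleted); the actor names, account names and timestamps are constructed for the illustration. It flags a single actor deleting many accounts within a short window and then checks whether some account was disabled just before the burst began, which is the kill-switch pattern described above.

```python
"""Flag a burst of Active Directory account deletions by a single actor.

Added illustration, not code from the original article. Event IDs 4725
("A user account was disabled") and 4726 ("A user account was deleted") are
the real Windows Security event IDs; every record below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, event_id, acting account, target account).
SAMPLE_EVENTS = [
    ("2019-09-09T08:00:00", 4725, "svc_hr", "dlu"),            # constructed: dlu disabled
    ("2019-09-09T08:00:05", 4726, "svc_build", "jdoe"),        # burst begins 5 s later
    ("2019-09-09T08:00:06", 4726, "svc_build", "asmith"),
    ("2019-09-09T08:00:07", 4726, "svc_build", "bchen"),
    ("2019-09-09T08:00:08", 4726, "svc_build", "mkhan"),
    ("2019-09-09T08:00:09", 4726, "svc_build", "rpatel"),
    ("2019-09-09T08:00:10", 4726, "svc_build", "lortiz"),
    ("2019-09-09T14:30:00", 4726, "helpdesk1", "temp_intern"), # one routine offboarding
]


def detect_deletion_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return (actor, count, first_ts, last_ts) for each actor who deleted at
    least `threshold` accounts inside any `window`-long sliding interval."""
    deletions = defaultdict(list)
    for ts, event_id, actor, _target in events:
        if event_id == 4726:
            deletions[actor].append(datetime.fromisoformat(ts))

    alerts = []
    for actor, times in deletions.items():
        times.sort()
        start = 0
        best = None
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[1]):
                best = (actor, count, times[start], times[end])
        if best is not None:
            alerts.append(best)
    return alerts


def disabled_just_before(events, burst_start, lookback=timedelta(minutes=10)):
    """Accounts disabled (event 4725) within `lookback` before the burst began.
    A hit suggests the deletions were triggered by the disablement rather than
    being independent administrative work."""
    hits = []
    for ts, event_id, _actor, target in events:
        when = datetime.fromisoformat(ts)
        if event_id == 4725 and timedelta(0) <= burst_start - when <= lookback:
            hits.append(target)
    return hits


if __name__ == "__main__":
    for actor, count, first, last in detect_deletion_bursts(SAMPLE_EVENTS):
        print(f"ALERT: {actor} deleted {count} accounts between {first} and {last}")
        for disabled in disabled_just_before(SAMPLE_EVENTS, first):
            print(f"  note: account '{disabled}' was disabled shortly before the burst")
```

Thresholds and windows are deliberately parameters: a help desk offboarding a single leaver should never trip this, while six deletions in five seconds from one account should. In a real deployment the records would come from a SIEM or the Security event log rather than an inline list, but the correlation logic stays the same.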

Things have changed hugely in the last decade, however. Take the case of Terry Childs, the San Francisco network admin who refused to hand over admin passwords to the City’s FiberWAN system, denying the organization admin control for 12 days in 2008. His justification? He was the only one who knew how to administer the system correctly.

While some in the sysadmin world expressed sympathy for Childs, the idea that one employee should be given sole access to any system would be kicked out of court very quickly today. Found guilty in 2010, Childs was sentenced to four years in prison and ordered to pay $1.5 million restitution.

Nevertheless, examples of abuse still crop up. A brazen recent example is the case of Nickolas Sharp, a well-paid admin for Ubiquiti Networks, who in 2020 stole data from his company, tried to implicate other employees for the theft, and then went on to extort the company for $2 million to return the data — all while supposedly conducting attack remediation.
