{"id":14668,"date":"2025-08-22T17:15:45","date_gmt":"2025-08-22T17:15:45","guid":{"rendered":"https:\/\/newestek.com\/?p=14668"},"modified":"2025-08-22T17:15:45","modified_gmt":"2025-08-22T17:15:45","slug":"disgruntled-developer-gets-four-year-sentence-for-revenge-attack-on-employers-network","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14668","title":{"rendered":"Disgruntled developer gets four-year sentence for revenge attack on employer\u2019s network"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>A software developer who launched disruptive logic bombs inside his employer\u2019s network as an act of revenge has been sentenced to four years in prison by an Ohio court.<\/p>\n<p>According to the US Department of Justice, 55-year-old Chinese national Davis Lu was unhappy that a 2018 reorganization by electrical manufacturing company Eaton Corporation had resulted in his demotion from senior developer.<\/p>\n<p>In response, in 2019 Lu began sabotaging the company\u2019s systems from within using hidden malicious routines. The first, an \u2018infinite loop\u2019, executed on August 4, causing Java VMs to constantly spawn new threads until production servers hung or crashed from resource exhaustion.<\/p>\n<p>In addition, Lu hid a second attack that polled the company\u2019s Windows Active Directory (AD) database to check whether his account profile was active. 
If it wasn\u2019t \u2014 a condition met when Lu\u2019s network access and employment were finally suspended on September 9 \u2014 \u201ckill switch\u201d code was automatically executed to delete the profiles of other AD users, locking them out of the network.<\/p>\n<p>Eventually, logs revealed that the disruption had been executed by Lu\u2019s user ID from a computer located in Kentucky.<\/p>\n<p>\u201cThe defendant breached his employer\u2019s trust by using his access and technical knowledge to sabotage company networks, wreaking havoc and causing hundreds of thousands of dollars in losses for a US company,\u201d said Matthew R. Galeotti of the Justice Department\u2019s Criminal Division.<\/p>\n<p>\u201cHowever, the defendant\u2019s technical savvy and subterfuge did not save him from the consequences of his actions,\u201d he added.<\/p>\n<h2 class=\"wp-block-heading\" id=\"see-what-i-did\">See what I did<\/h2>\n<p>An odd aspect of the case is that Lu appears to have made little effort to conceal evidence of his planning and actions, and almost set out to advertise his involvement out of spite, leading to his being <a href=\"https:\/\/www.justice.gov\/opa\/pr\/texas-man-convicted-sabotaging-his-employers-computer-systems-and-deleting-data\">found guilty<\/a> by a jury in March.<\/p>\n<p>One example is the name he gave the AD kill switch code, \u201cIsDLEnabledinAD,\u201d which abbreviated the phrase \u201cIs Davis Lu enabled in Active Directory?\u201d<\/p>\n<p>Lu must also have known that one of the first places prosecutors would look for evidence would be his Internet searches. These revealed that he had \u201cresearched methods to escalate privileges, hide processes, and rapidly delete files, indicating an intent to obstruct efforts of his co-workers to resolve the system disruptions,\u201d the Justice Department said.<\/p>\n<p>By the time Lu was asked to hand over his company laptop in September 2019, he must have realized the game was up. 
His response was to delete the machine\u2019s encrypted volumes while attempting to delete two projects plus Linux directories. According to <a href=\"https:\/\/storage.courtlistener.com\/recap\/gov.uscourts.ohnd.276228\/gov.uscourts.ohnd.276228.1.0.pdf\">Lu\u2019s court indictment<\/a>, he eventually admitted responsibility for the attack on October 7, 2019.<\/p>\n<h2 class=\"wp-block-heading\" id=\"lone-wolves\">Lone wolves<\/h2>\n<p>It\u2019s the attack every enterprise fears even more than hackers or a data breach: an insider with skills and knowledge who decides to go rogue.<\/p>\n<p>While such attacks remain exceptions, the ones that come to public attention in court cases always make for stressful reading. The challenge is that developers and admins need a degree of privilege to do their jobs. This makes it inherently difficult to distinguish legitimate access from a lone wolf on the rampage before damage is done.<\/p>\n<p>The case underlines the need to limit admin privileges and use logging oversight to monitor access for suspicious trends. If something odd is detected, someone needs to be on hand to step in as quickly as possible. The simple presence of these controls can also act as a deterrent.<\/p>\n<p>Things have changed hugely in the last decade, however. Take the case of Terry Childs, the San Francisco <a href=\"https:\/\/www.networkworld.com\/article\/728952\/malware-cybercrime-admin-who-kept-sf-network-passwords-found-guilty.html\">network admin who refused to hand over admin passwords<\/a> to the City\u2019s FiberWAN system, denying the organization admin control for 12 days in 2008. His justification? He was the only one who knew how to administer the system correctly.<\/p>\n<p>While some in the sysadmin world expressed sympathy for Childs, the idea that one employee should be given sole access to any system would be kicked out of court very quickly today. 
Found guilty in 2010, Childs was sentenced to four years in prison and ordered to pay $1.5 million in restitution.<\/p>\n<p>Nevertheless, examples of abuse still crop up. A brazen recent example is <a href=\"https:\/\/www.justice.gov\/usao-sdny\/pr\/former-employee-technology-company-sentenced-six-years-prison-stealing-confidential\">the case of Nickolas Sharp<\/a>, a well-paid admin for Ubiquiti Networks, who in 2020 stole data from his company, tried to implicate other employees for the theft, and then went on to extort the company for $2 million to return the data \u2014 all while supposedly conducting attack remediation.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A software developer who launched disruptive logic bombs inside his employer\u2019s network as an act of revenge has been sentenced to four years in prison by an Ohio court. According to the US Department of Justice, 55-year-old Chinese national Davis Lu was unhappy that a 2018 reorganization by electrical manufacturing company Eaton Corporation had resulted in his demotion from senior developer. 
In response, in&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14668\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14668","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14668","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14668"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14668\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14668"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14668"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14668"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}