We all, at some point, have fantasized about giving our employers a big middle finger on the way out the door, whether we leave on our own volition or are pushed out. Well, a 55-year-old Texas man allegedly built an automated bird flipper in the form of a kill switch that crashed his company’s systems and locked people out of their accounts when he was fired. Satisfying as that may have been, he now faces up to 10 years in prison, according to the Department of Justice, for setting the trip wire on his way out the door.
Here’s the situation: Houston, Texas resident Davis Lu started working for a company headquartered in Beachwood, Ohio back in November 2007. (The DOJ didn’t identify the firm, but a local report from Cleveland.com indicated that it is power management company Eaton Corporation.) After about 10 years on the job, Eaton underwent a 2018 “corporate realignment,” and Lu had his role downsized, seeing his responsibilities and system access reduced, per the DOJ’s account of the situation.
So, Lu used his newfound free time to build systems of sabotage that would get set off if he were ever let go—which, based on what he had just experienced, probably felt likely to him. That included planting malware that created “infinite loops” that deleted the profile files of his coworkers, blocked login attempts, and crashed the company’s systems. He also built a kill switch that, if activated, “would lock out all users,” according to the Department of Justice.
The kill switch, which Lu named “IsDLEnabledinAD,” was designed to check to make sure Lu’s account was enabled in the company’s Active Directory of employees. Assuming it was, everything was fine. But the day that Lu’s name was removed from active status, the kill switch kicked in—which happened on September 9, 2019.
According to the DOJ’s telling, Lu’s code “impacted thousands of company users globally.” In court, Eaton claimed that Lu had managed to cause the company “hundreds of thousands of dollars in losses,” which frankly would probably be pretty satisfying, though Lu’s defense attorneys claimed that Eaton only suffered about $5,000 in damages, per Cleveland.com.
Unfortunately for Lu, it didn’t take too long for Eaton to trace the attack back to him, as they found the malicious code was being executed from a software developer server that Lu had access to and was being executed on a computer using Lu’s user ID. Lu had also deleted encrypted files from his company-issued laptop on the day he turned it back in, and his internet history apparently contained searches for ways to “escalate privileges, hide processes, and rapidly delete files.”
“Sadly, Davis Lu used his education, experience, and skill to purposely harm and hinder not only his employer and their ability to safely conduct business, but also stifle thousands of users worldwide,” FBI Special Agent in Charge Greg Nelsen said in a statement—which is really like, three-fourths of the way to being a pretty good endorsement of his abilities if Nelsen had left it on his LinkedIn profile instead of issuing it as a statement following his conviction.
Lu faces up to 10 years behind bars for “causing intentional damage to protected computers,” though he plans to appeal the court’s ruling.
