A developer created a “shutdown switch” that was activated upon being fired: Convicted of criminal sabotage.
Everyone, at some point, has fantasized about giving their employers a grand farewell when walking out the door, whether by choice or because they are forced to leave. Well, a 55-year-old man from Texas allegedly created an automated way to do just that: a shutdown switch that blocked his company’s systems and left his colleagues locked out of their accounts when he was fired. As satisfying as that may seem, he now faces up to 10 years in prison in the U.S. for leaving the “trap switch” activated before leaving.
The case of Davis Lu
The situation is as follows: Davis Lu, a resident of Houston, Texas, began working for a company based in Beachwood, Ohio, in November 2007. (The Department of Justice did not identify the company, but indicated that it is Eaton Corporation, a power management company). After about 10 years in the position, Eaton carried out a “corporate reorganization” in 2018, which reduced Lu’s role, limiting his responsibilities and access to the systems.
Lu took advantage of his newfound free time to create sabotage systems that would activate in case he was fired, which, based on his recent experience, he probably felt was a real possibility. This included installing malware that created “infinite loops” to delete his colleagues’ profile files, block login attempts, and cause system failures. Additionally, he developed a shutdown switch that, if activated, would “block all users,” according to the Department of Justice.
How the “shutdown switch” worked
The switch, which Lu named “IsDLEnabledinAD,” was designed to check if his account was still enabled in the company’s Active Directory of employees. As long as his account was active, everything would work normally. But on the day his name was removed from the system, the switch would activate, which happened on September 9, 2019.
According to the DOJ, Lu’s code “affected thousands of company users worldwide.” In court, Eaton claimed that Lu managed to cause “losses of hundreds of thousands of dollars” to the company, which, frankly, could seem satisfying to some. However, Lu’s defense attorneys argued that the actual damages amounted to only about $5,000.
The investigation and verdict
Unfortunately for Lu, it didn’t take Eaton long to trace the attack back to him, as they found that the malicious code was running from a software development server that Lu had access to and on a computer using his user ID. Additionally, on the same day he turned in his company-issued laptop, encrypted files were deleted, and his internet history contained searches on “escalating privileges, hiding processes, and quickly deleting files.”
“Unfortunately, Davis Lu used his education, experience, and skills to deliberately harm and impede not only his employer and its ability to operate securely, but also thousands of users worldwide,” said Greg Nelsen, FBI Special Agent in Charge. This statement might have been a good endorsement of his skills if it had appeared on his LinkedIn profile, instead of being part of a statement after his conviction.
Lu faces up to 10 years in prison for “intentionally causing damage to protected computers,” although he plans to appeal the court’s ruling.
