Texas man convicted of sabotaging former employer’s computer systems

Davis Lu, a disgruntled 55 year old man from Houston, Texas, has been found guilty of writing and deploying malicious code on his former employer’s network.

According to court documents, the Texas man worked as a software developer for his employer from November 2007 to October 2019.

Due to a corporate restructuring in 2018, his responsibilities and system access were reduced. That’s when Lu decided to sabotage his employer’s computer systems.

In August 2019, the former employee injected malicious code that caused systems to crash and prevent users from logging in. He created a so-called ‘infinite loop’, meaning he designed code to exhaust Java threads by repeatedly creating new threads without proper termination, resulting in server crashes or hangs.

In addition, the man deleted coworker profiles and implemented a ‘kill switch’ that would lock out all users if his credentials in the company’s active directory were disabled. Lu named the kill switch ‘IsDLEnabledinAD’, which is an acronym for ‘Is Davis Lu Enabled in Active Directory’.

The kill switch was automatically activated upon his termination in September 2019 and impacted thousands of company users worldwide.

Furthermore, the former software developer deployed two other malicious codes named ‘Hakai’ and ‘HunShui’, meaning ‘destruction’ in Japanese and ‘sleep’ or ‘lethargy’ in Chinese respectively.

Lastly, the former employee encrypted all data on his laptop when he was ordered to turn in this device. According to the Department of Justice, the man’s internet search history revealed he had researched methods to escalate privileges, hide processes, and rapidly delete files, indicating his intention to obstruct efforts of his co-workers to resolve the system disruptions.

His former employer suffered hundreds of thousands of dollars in damages as a result of his actions.

The jury convicted the man of causing intentional damage to protected computers, for which he faces a maximum penalty of 10 years in prison. The federal court for the Northern District of Ohio has yet to set a sentencing date.