Full Report
A software developer has been found guilty of sabotaging his ex-employer's systems by running custom malware and installing a "kill switch" after being demoted at the company. [...]
Analysis Summary
# Incident Report: Insider Sabotage via Custom Kill Switch Malware
## Executive Summary
A long-time software developer, following a demotion, intentionally sabotaged his former employer's computer systems using custom malware designed to exhaust server resources and facilitate a complete lockout upon his termination. The incident resulted in significant system crashes, loss of functionality for thousands of employees, and financial damages estimated in the hundreds of thousands of dollars. The developer was subsequently found guilty by a jury of intentional damage to protected computers.
## Incident Details
- **Discovery Date:** Not explicitly stated; the sabotage became evident on the day of termination, when the lockout triggered.
- **Incident Date:** Termination and kill switch activation occurred on September 9, 2019. The malicious code had been installed before that date.
- **Affected Organization:** Eaton Corp (reported)
- **Sector:** Manufacturing/Power Management Solutions
- **Geography:** Ohio (Employer Location)
## Timeline of Events
### Initial Access
- **Date/Time:** Installation occurred sometime between the 2018 restructuring and October 2019. Active access was maintained via his developer credentials.
- **Vector:** Authorized access as an employee/developer utilizing his privileged position.
- **Details:** Malicious code, including components designed to run in an "infinite loop" and the titular "kill switch," was implanted into the production environment.
### Lateral Movement
- **Details:** The individual targeted core system resources (production server) and user profiles, suggesting movement or execution across shared infrastructure resources. Research into privilege elevation suggests intent to maximize impact across the network.
### Data Exfiltration/Impact
- **Details:** The primary impact was system sabotage: infinite loops exhausted Java threads, causing production server crashes and preventing user logins. Additionally, the developer **deleted encrypted data** on the day of his termination.
### Detection & Response
- **How it was discovered:** The immediate impact was evident when the "kill switch" code, named "IsDLEnabledinAD" (Is Davis Lu enabled in Active Directory), triggered upon his account being disabled on September 9, 2019, locking out thousands of employees.
- **Response actions taken:** Immediate investigation following the system-wide lockout. The company likely had to engage in extensive forensic recovery and remediation due to the system-level sabotage.
## Attack Methodology
- **Initial Access:** Authorized (Insider Threat).
- **Persistence:** Custom malware installed on production servers designed to execute continuously.
- **Privilege Escalation:** Internet research included "ways to elevate privileges," though the attack primarily leveraged pre-existing authorized access and placement of malware.
- **Defense Evasion:** Not explicitly detailed, though the use of custom code implies awareness of security controls.
- **Credential Access:** No credential theft is reported; the attack relied on the privileged status of his own account.
- **Discovery:** Defendant researched "how to quickly delete files" and "hide processes."
- **Lateral Movement:** Targeting of shared production server resources and deletion of coworker user profiles.
- **Collection:** No collection of data is reported; encrypted data was deleted rather than gathered.
- **Exfiltration:** Not the primary goal, though data deletion occurred.
- **Impact:** Causing intentional damage to protected computers via resource exhaustion (infinite loops) and implementing a network-wide lockout mechanism (kill switch).
## Impact Assessment
- **Financial:** Cost the company hundreds of thousands of dollars.
- **Data Breach:** Encrypted data was deleted; specific volume/content unknown.
- **Operational:** Significant operational disruption, leading to thousands of employees losing system access following the termination event.
- **Reputational:** Not detailed, but a successful insider attack involving sabotage often results in negative press regarding internal controls.
## Indicators of Compromise
- **Network indicators:** N/A (no specific IoCs are disclosed in the source; detection relies on the behavioral indicators below).
- **File indicators:** Custom malware capable of creating infinite Java threads.
- **Behavioral indicators:** System disruption corresponding precisely with the disabling of a specific user account ('IsDLEnabledinAD' trigger). Research into privilege escalation and rapid file deletion.
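As an added example (not part of the source report), a small Python correlation that operationalises the behavioral indicator above: it flags any Windows Security 4725 ("A user account was disabled") event that is immediately followed by a burst of login failures or service crashes absent from the preceding window. The log line format, account names and host names are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not from the incident or the source article):
# Windows Security event 4725 ("A user account was disabled") interleaved
# with application-side login failures and a production server crash.
SAMPLE_LOG = """\
2019-09-09T08:55:12 security EventID=4725 TargetUser=jsmith
2019-09-09T09:00:03 security EventID=4725 TargetUser=dlu
2019-09-09T09:00:41 app LOGIN_FAILED user=alice
2019-09-09T09:00:42 app LOGIN_FAILED user=bob
2019-09-09T09:00:44 app LOGIN_FAILED user=carol
2019-09-09T09:01:10 app SERVICE_CRASH host=prod-srv-01
2019-09-09T09:01:15 app LOGIN_FAILED user=dave
"""

FAILURE_KINDS = {"LOGIN_FAILED", "SERVICE_CRASH"}

def parse(text):
    """Parse 'timestamp source kind key=value ...' lines into tuples."""
    events = []
    for line in text.splitlines():
        ts, source, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        # Security lines carry the event ID as a key; app lines carry a bare kind.
        kind = kv["EventID"] if source == "security" else fields[0]
        events.append((datetime.fromisoformat(ts), source, kind, kv))
    return events

def correlate(text, window_min=5, threshold=3):
    """Flag account-disable events immediately followed by a burst of
    failures that did not exist in the same-length window before them."""
    events = parse(text)
    disables = [e for e in events if e[1] == "security" and e[2] == "4725"]
    failures = [e[0] for e in events if e[1] == "app" and e[2] in FAILURE_KINDS]
    alerts = []
    span = timedelta(minutes=window_min)
    for ts, _, _, kv in disables:
        before = sum(1 for f in failures if ts - span <= f < ts)
        after = sum(1 for f in failures if ts <= f <= ts + span)
        if after >= threshold and after > before:
            alerts.append({"account": kv["TargetUser"], "disabled_at": ts.isoformat(),
                           "failures_before": before, "failures_after": after})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The benign disable of `jsmith` produces no alert, while the disable of `dlu` is followed by five failures with none beforehand and is flagged; in a real deployment the windows would be fed from the SIEM rather than an inline string.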
## Response Actions
- **Containment:** Disabling the attacker's Active Directory account (which inadvertently triggered the final phase of the attack).
- **Eradication:** Efforts required to terminate infinite loops, restore crashed production servers, recover deleted profiles, and remove persistent custom code. Legal action led to conviction.
- **Recovery:** Restoring operational capability for thousands of affected employees.
## Lessons Learned
- A deep-seated, privileged insider can utilize authorized access to deploy highly destructive, timed malware.
- Production logic that depends on an individual's account status (such as the kill switch tied to the developer's AD status) creates catastrophic failure points if the relationship sours.
- Employee monitoring and reviewing privileged user activity (including internet searches related to evasion techniques) is critical, even for long-tenured staff.
## Recommendations
- Implement robust least-privilege controls, even for senior developers handling production code, ensuring access is revoked immediately upon termination notice.
- Audit custom code deployed into production environments for logic bombs, resource exhaustion routines, or account-dependent kill switches.
- Establish automated account de-provisioning procedures that are *decoupled* from the exact moment of physical departure or notification, focusing instead on pre-emptive access reduction upon performance issues or restructuring events.
- Enhance monitoring for unusual research patterns (e.g., searching for privilege escalation or rapid file deletion techniques) by current employees.