Software developer Davis Lu cost his employer hundreds of thousands after deploying malware that caused crashes and failed logins
# Incident Report: Developer Sabotage via Deployed "Kill Switch" Malware
## Executive Summary
A disgruntled former employee of Eaton, a power management firm, orchestrated a sabotage attack that caused significant operational disruption by planting malware while still employed and timing it to activate upon his termination. The attack targeted the company's IT infrastructure with a self-executing "kill switch" that locked out thousands of global users and caused server crashes. The incident was discovered immediately after the employee's departure, leading to a lengthy remediation effort and the eventual conviction of the perpetrator.
## Incident Details
- Discovery Date: September 9, 2019 (Upon termination and immediate lockout)
- Incident Date: August/September 2019 (Malware deployment likely in August, activation on September 9, 2019)
- Affected Organization: Eaton (Ohio-headquartered power management firm)
- Sector: Power Management/Manufacturing
- Geography: Global (Eaton has global users affected)
## Timeline of Events
### Initial Access
- Date/Time: Prior to termination in September 2019 (Developer was employed from 2007-2019)
- Vector: Insider Threat / Malicious Insider (Authorized User with elevated access)
- Details: Davis Lu, a developer whose role was scaled down in 2018, created and deployed malware targeting the company's systems while still employed.
### Lateral Movement
- Details: Not explicitly detailed, but the resulting impact affected "thousands of global users" and involved actions targeting Active Directory and file servers, suggesting network-wide impact.
### Data Exfiltration/Impact
- Date/Time: Activation on September 9, 2019.
- Impact: Caused crashes, blocked logins for thousands of global users, infinite loops leading to server crashes, and deletion of colleague profile files.
### Detection & Response
- Date/Time: Post-September 9, 2019.
- Detection: Immediate lockout and system instability upon termination triggered detection. Evidence was later gathered through forensic analysis of the developer's company laptop.
- Response Actions: Remediation efforts undertaken by Eaton staff to counter the malicious code. Investigation led to the developer's conviction based on evidence like internet search history and deleted data recovery.
## Attack Methodology
- Initial Access: Insider Threat (Authorized employee with existing network access).
- Persistence: Achieved via pre-written malware, specifically the "IsDLEnabledinAD" (Is Davis Lu enabled in Active Directory) code, which triggered automatically upon termination.
- Privilege Escalation: The developer had researched and likely utilized elevated privileges to deploy system-level destruction tools. Searches indicated research into how to escalate privileges.
- Defense Evasion: The developer attempted to hide actions by deleting encrypted data from the company laptop before its return.
- Credential Access: Not explicitly detailed, but access to deploy system-level shutdown code implies high-level account access.
- Discovery: Reconnaissance included researching how to hide processes and rapidly delete files.
- Lateral Movement: Implied by the scope of the impact (locking out "thousands of global users").
- Collection: Deletion of colleague profile files suggests targeted destruction of peer resources.
- Exfiltration: Not explicitly mentioned as data theft, but targeted file deletion occurred.
- Impact: Denial of Service (DoS) via infinite loops and administrative lockout via the kill switch mechanism.
## Impact Assessment
- Financial: Hundreds of thousands of dollars in losses claimed by the employer.
- Data Breach: Profile files related to colleagues were deleted; general client data exfiltration was not the primary focus.
- Operational: Widespread disruption due to login blocks for thousands of global users and server crashes.
- Reputational: Not explicitly detailed, but the incident resulted in criminal conviction.
## Indicators of Compromise
- Network Indicators: N/A (Specific IPs/domains are not detailed).
- File Indicators: Code named “IsDLEnabledinAD,” “Hakai” (destruction), and “HunShui” (sleep).
- Behavioral Indicators: Code designed to cause infinite loops; deletion of encrypted administrative data; developer research into hiding processes and privilege escalation prior to exit.
## Response Actions
- Containment: Immediate efforts to counter the automated kill switch and infinite loops upon activation.
- Eradication: Remediation of systems affected by the service crashes and login blocks.
- Recovery: Restoration of affected services and user access; forensic analysis to link actions to the perpetrator.
## Lessons Learned
- Insider threat risk is extremely high when trusted technical employees face adverse organizational changes (scaled-down role).
- Pre-planned, time-delayed malware deployment (kill switch) represents a severe risk, even when triggered by an exit event.
- Forensic artifacts, such as extensive system administration research in search history, can be crucial evidence linking intent to action, even if operational data is deleted.
## Recommendations
- Implement robust User and Entity Behavior Analytics (UEBA) to detect anomalous administrative activity, especially privilege escalation research or large-scale file deletion research by employees with scaled-down roles.
- Review offboarding procedures to immediately revoke system access *prior* to notification, rather than relying on an automated termination trigger post-departure.
- Ensure critical system access mechanisms (like Active Directory status checks) are not solely dependent on logic tied to a specific employee's status (e.g., Lu's name incorporated into the kill switch logic).
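The detection narrative above (users locked out within minutes of the developer's account being disabled) and the UEBA recommendation both come down to one correlation: an offboarding event followed by an abnormal burst of failed logons from many accounts. The following is an added example, not code from the original report, from Eaton, or from any investigating party. It assumes a normalized event stream with two record types, `account_disabled` (the kind of record a directory audit log writes when an account is disabled, e.g. Windows event 4725) and `logon_failure` (e.g. Windows event 4625); the sample events, user names and the alert threshold are constructed for the example.

```python
"""Correlate an account-disable event with a following logon-failure storm.

Added example (not from the original report). A termination-triggered kill
switch shows up as many distinct users failing to authenticate shortly after
one account is disabled, so this rule counts distinct failing users in the
window after each disable and alerts when the count exceeds a threshold.
"""
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed sample stream: (timestamp, event_type, user, source_host)."""
    base = datetime(2019, 9, 9, 9, 0, 0)
    events = [
        # Normal background failures well before the offboarding.
        (base - timedelta(hours=2), "logon_failure", "alice", "ws-01"),
        (base - timedelta(hours=1), "logon_failure", "bob", "ws-02"),
        # The offboarding: the developer's account is disabled.
        (base, "account_disabled", "dev-offboarded", "dc-01"),
    ]
    # Storm: 40 distinct users fail to log on within 15 minutes of the disable.
    for i in range(40):
        ts = base + timedelta(seconds=20 * i)
        events.append((ts, "logon_failure", f"user{i:02d}", f"ws-{i:02d}"))
    # An unrelated disable hours later, followed by a single ordinary failure.
    later = base + timedelta(hours=6)
    events.append((later, "account_disabled", "contractor-x", "dc-01"))
    events.append((later + timedelta(minutes=3), "logon_failure", "carol", "ws-77"))
    return events


def detect_post_disable_logon_storm(events, window=timedelta(minutes=30),
                                    min_distinct_users=25):
    """Return one alert per account_disabled event that is followed, within
    `window`, by logon failures from at least `min_distinct_users` distinct
    accounts. Events may arrive unsorted; only failures at or after the
    disable timestamp are counted, so pre-existing noise is ignored."""
    ordered = sorted(events, key=lambda e: e[0])
    failures = [e for e in ordered if e[1] == "logon_failure"]
    alerts = []
    for ts, kind, user, host in ordered:
        if kind != "account_disabled":
            continue
        affected = {u for (fts, _, u, _) in failures if ts <= fts <= ts + window}
        if len(affected) >= min_distinct_users:
            alerts.append({
                "disabled_account": user,
                "disabled_on_host": host,
                "disabled_at": ts.isoformat(),
                "distinct_failing_users": len(affected),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_post_disable_logon_storm(build_sample_events()):
        print(alert)
```

The threshold (`min_distinct_users`) is a constructed value; in production it should be set relative to the environment's normal rate of distinct failing users per 30-minute window, and the alert should be routed to the offboarding owner so that a disable which is immediately followed by a lockout wave is treated as a possible kill switch rather than as a ticket backlog.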