- Texas software developer convicted for sabotaging Eaton Corp’s systems with malicious code after a corporate reshuffle reduced his role.
- Planted a “kill switch” that automatically triggered upon his termination, disrupting thousands of employees and causing major financial losses.
- Attempted to cover tracks by deleting encrypted files and researching ways to escalate privileges and hide malicious activities.
A Texas-based software developer has been convicted of deliberately sabotaging his former employer’s computer systems after a corporate reshuffle reduced his responsibilities. The U.S. Department of Justice confirmed that Davis Lu, 55, faces a maximum of 10 years in prison after being found guilty of causing intentional damage to protected computers at Eaton Corporation. His actions, including planting a “kill switch” within the company’s systems, resulted in significant disruptions and financial losses.
Lu, who had worked at Eaton Corp for 11 years, began embedding malicious code into the company’s network in 2018. Among the disruptions he caused were infinite loops that deleted user profiles, preventing employees from logging in and leading to system crashes. These sabotage tactics hampered company productivity and caused widespread technical issues. The developer named the programs “Hakai,” meaning destruction in Japanese, and “HunShui,” a Chinese term for lethargy or dormancy.
The most damaging element of Lu’s scheme was a concealed “kill switch” embedded within the network, designed to activate upon his termination. The code was named “IsDLEnabledinAD,” short for “Is Davis Lu enabled in Active Directory,” and was programmed to trigger automatically if his account was deactivated. When Lu was laid off on September 9, 2019, the malicious script executed, affecting thousands of employees and causing losses amounting to hundreds of thousands of dollars.
Eaton Corp’s software engineers discovered the sabotage while investigating persistent system failures. They traced the harmful code back to a server accessible only to Lu, which contained additional malicious scripts and the kill switch trigger. Digital forensics linked the execution of these scripts to Lu’s user ID, providing concrete evidence of his involvement in the cyberattack.
Further investigation revealed Lu had attempted to cover his tracks. When asked to return a company-issued computer, he deleted encrypted volumes, tried to erase Linux directories, and removed two work projects. Authorities also found evidence of internet searches on escalating system privileges, hiding processes, and deleting large files. The court’s findings highlight the severity of Lu’s actions, with sentencing expected to reflect the extensive damage caused to his former employer.