A Texas man formerly employed by an Ohio company has been found guilty by a federal jury for malicious activity that wreaked havoc on his ex-employer's network systems. Identified as Davis Lu, the 55-year-old hailing from Houston had worked as a software developer at the Ohio-based firm for over a decade before a corporate shake-up in 2018 brought reduced roles and lower system access that fueled his damaging actions.
During his tenure from November 2007 to October 2019 at the company in Beachwood, Ohio, Lu seemed like any other staff member. However, following changes within the company that not only trimmed his responsibilities but his system access as well, things turned sour. According to the evidence at trial, Lu retaliated by deploying malicious code into the company's system, as the U.S. Department of Justice reported.
This sabotage on August 4, 2019, involved creating "infinite loops," a concept designed to overwhelm servers by endlessly generating new tasks without proper shutdown, causing server crashes and blocking users from logging in. Lu went further, deleting coworkers' profile files and creating a "kill switch" that effectively locked all users out of the system if his own company credentials were disabled—a function he ominously termed "IsDLEnabledinAD," short for "Is Davis Lu enabled in Active Directory."
What's more chilling is that the "kill switch" was activated immediately after his termination on September 9, 2019, globally impeding the operations of countless users. Further investigation into Lu's conduct uncovered that he had searched for ways to delete files rapidly and conceal his cyber tracks. The damage to the Ohio company ran deep into the hundreds of thousands, with Lu's spiteful endeavor striking against businesses and groups across diverse sectors. "Mr. Lu was calculating in his intent to inflict damage to a company that provides products and services to businesses and organizations that span a variety of industries and fields," explained Acting U.S. Attorney Carol M. Skutnik, according to the same DOJ release.
Lu now faces a maximum penalty of 10 years in prison for his deliberate onslaught on the protected computer systems, with a sentencing date yet to be announced. "Sadly, Davis Lu used his education, experience, and skill to purposely harm and hinder not only his employer and their ability to conduct business safely, but also stifle thousands of users worldwide," lamented FBI Special Agent in Charge Greg Nelsen, in an account noted by the same DOJ statement. A federal district court judge will eventually decide the sentence, considering the U.S. Sentencing Guidelines and other statutory factors.
