‘Insiders don’t need to break in’: A developer crippled company networks with malicious code and a ‘kill switch’ after being sacked – and experts warn it shows the huge danger of insider threats
The incident highlights the growing risks of insider threats, experts told ITPro


Security experts have warned ITPro over the risks of insider threats from disgruntled workers after a software developer deployed a 'kill switch' to sabotage his former employer’s networks.
55-year-old Davis Lu was convicted in March after being found guilty of “causing intentional damage to protected computers”, according to the US Department of Justice (DOJ).
Lu, who worked for power management company Eaton Corp, reportedly grew disgruntled at his employer after a corporate realignment “reduced his responsibilities”, the DOJ said.
Courts heard how Lu conducted a campaign of internal sabotage on the company’s networks, planting an array of malicious code and causing havoc for colleagues. This included creating ‘infinite loops’ that prevented users from logging into corporate accounts, causing system crashes, and deleting co-worker user profiles.
In a statement last month, DOJ officials said Lu named the malicious code using words such as ‘Hakai’, the Japanese word for destruction, and ‘HunShui’, the Chinese word for lethargy.
This campaign had a significant impact on the company for some time, lawmakers said, but in a final hammer blow for Eaton Corp, a “kill switch” designed by Lu caused further havoc.
Designed to shut down systems in the event of his termination, this caused widespread disruption for staff after he was dismissed in 2019, the DOJ said.
Caught red-handed
Security personnel at the company discovered Lu’s activities while trying to solve rampant system crashes, according to court filings.
Upon discovery, they realized the malicious code causing the infinite loop was linked both to a device using Lu’s user ID and to a server which only he and other developers were able to access.
Lu’s search history showed he had researched ways in which to covertly delete files, hide processes, and escalate privileges, the DOJ said.
When questioned by investigators, Lu admitted to creating the code that caused infinite loops and system disruption. He faces up to 10 years in prison for his activities.
The menace of insider threats
This isn’t the first occasion of a disgruntled IT worker causing havoc for a former employer. Last year, a former employee at an unnamed industrial company in the US was arrested after waging an extortion campaign against the firm in 2023.
Infrastructure engineer Daniel Rhyne was accused of attempting to extort his company for $750,000 in Bitcoin. According to the US Attorney’s Office for the District of New Jersey, Rhyne gained unauthorized access to the firm’s computer systems by remotely accessing an administrator account.
Rhyne allegedly changed administrator passwords, shut down servers, and scheduled a series of scripts aimed at disrupting the firm’s operations. Former colleagues were then contacted with ransom demands and threats that additional servers would be shut down if these were not met.
In this instance, investigators were able to trace the extortion messages to an email address controlled by Rhyne. He was arrested in Missouri on 27 August 2024.
A similar incident occurred at a Singaporean company last year when a former employee deleted 180 virtual servers after his dismissal. IT firm NCS suffered damages of S$918,000, equivalent to roughly US$678,000.
Damian Garcia, head of GRC consultancy at IT Governance Ltd, told ITPro incidents like these are “completely preventable”, but many organizations are lulled into a false sense of security over the prospect of falling victim to insider threats.
“It just keeps happening because people get comfortable or assume it won’t happen to them,” he said. “Companies often forget that when someone leaves, especially on bad terms, there's a short window where things can go very wrong. That’s when you need to act fast. Shut down access immediately.
“Don’t leave it until someone gets around to it after the weekend.”
Offboarding shouldn’t be viewed as a “box ticking exercise”, Garcia warned, especially given the fact that people in technical roles such as sysadmins, developers, or engineers have deep access to internal systems.
“One thing people forget is that insiders don’t need to break in. They’re already in. They know the tools, the shortcuts, the gaps in your processes. That makes them harder to spot, and when they act, the impact can be huge,” he said.
“If you’re not revoking those rights straight away, you’re inviting problems.”
Bruce Jenkins, chief information security officer (CISO) at Black Duck, echoed Garcia’s comments, adding that insider threats are among his top concerns as a cybersecurity leader.
To counter potential issues when offboarding, Jenkins said firms should employ a more collaborative approach. This isn’t a process restricted to the HR department, and security teams should always be made aware, he said.
“While there are standard administrative and technical controls that may be applied to this risk area, any such consideration must be preceded by a collaborative and trusting relationship between HR, IT, and Security,” he said.
“For example, providing security with advance notice of expected layoffs, whether en masse or one-offs, allows time to allocate additional human resources to monitor technical controls associated with in-scope systems and data.
“Depending on the nature of the potential risk posed by soon-to-be-terminated employees, it may be prudent to pare back systems access based on a predefined incident response plan.”
Keeping blunders under wraps
Notably, Garcia told ITPro incidents such as these are far more common than many would believe.
The issue, however, lies in the reporting of such cases. Those that result in arrests or convictions typically grab headlines, but some companies may choose to keep things under wraps.
“It happens more than most people realize, but you won’t always hear about it,” he said. “A lot of organizations don’t want to admit when it’s an internal issue, and the risk is growing, no question.”
“As more businesses move to remote or hybrid setups, people have more ways to stay connected to systems they shouldn’t be anywhere near.”

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.