A federal jury convicted Davis Lu, a 55-year-old former software developer at Eaton Corp., on charges of intentionally crippling the company’s internal computer systems through malicious code designed to activate upon his termination.
The verdict, delivered Friday after a six-day trial, underscores the escalating risks of insider threats in corporate cybersecurity.
Lu now faces up to 10 years in prison for deploying a custom “kill switch” and malware strains, including one named hakai (Japanese for “destruction”), which disrupted global operations and triggered financial losses estimated between $5,000 and hundreds of thousands of dollars.
According to a report by Cleveland, Lu, hired in 2007, saw his responsibilities diminish during a 2018 corporate restructuring that reduced his server privileges and access to critical systems.
Lu’s Malware Attack on Eaton
Prosecutors argued that Lu retaliated by embedding malicious Java code into Eaton’s production servers, creating an infinite loop of non-terminating threads that crashed systems and blocked employee logins.
The sabotage peaked on August 4, 2019, when Lu’s code triggered a cascading failure on a Kentucky-based server, locking out thousands of users globally.
Central to the scheme was a “kill switch” dubbed IsDLEnabledinAD, a reference to Active Directory (AD), Microsoft’s directory service for managing user permissions.
The code checked whether Lu’s credentials remained valid in AD; upon his termination on September 9, 2019, the switch activated, systematically disabling accounts and deleting profile files.
Forensic analysts later uncovered additional malware, including hakai, a Linux backdoor linked to distributed denial-of-service (DDoS) attacks, and HunShui (Chinese for “sleep”), designed to corrupt data, the report says.
Lu’s attack leveraged privileged access to Eaton’s development environment, where he deployed scripts resembling legitimate Active Directory management tools.
For example, PowerShell commands like those used for querying AD objects, such as Get-WMIObject -Class "Win32_BIOS", were repurposed to mask malicious activity.
The hakai malware, linked to Mirai botnet variants, exploited vulnerabilities in Eaton’s Linux servers to establish persistent backdoor access and execute remote commands.
Investigators traced Lu’s digital footprint to encrypted volumes and Linux directories he attempted to wipe before returning his company laptop.
His search history revealed queries for “privilege escalation,” “data erasure,” and “process hiding,” corroborating intent. Lu’s code included a self-referential check IsDLEnabledinAD that echoed ADSI (Active Directory Service Interfaces) syntax used in enterprise scripting.
Legal Proceedings
The U.S. Department of Justice emphasized the sophistication of Lu’s actions, stating he “weaponized his technical expertise to inflict maximum disruption”.
However, defense attorney Ian Friedman contested the prosecution’s financial claims, arguing losses totaled less than $5,000 and attributing the incident to “misconfigured code.”
FBI Special Agent Greg Nelsen countered that Lu’s malware caused “systemic distrust in Eaton’s operational integrity,” impacting client relationships and necessitating costly forensic audits.
The discrepancy in damage estimates hinges on whether indirect costs, such as reputational harm and emergency mitigation, are included.
The case highlights vulnerabilities in insider threat detection, particularly among employees with elevated access. Lu’s ability to bypass checks, such as deploying malicious PowerShell scripts without triggering alerts, exposes gaps in runtime monitoring and privilege management.
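The kill switch described above produced a distinctive signal: once the author’s own account was disabled, one automated identity began disabling and deleting other accounts in rapid succession. As an added illustration (not code from the article, the court record, or Eaton’s tooling), the Python below sketches the kind of real-time AD monitoring that would surface that pattern. It reads Windows Security log events 4725 (user account disabled) and 4726 (user account deleted), which are the real event IDs, and raises an alert when one subject account disables or deletes several accounts inside a short sliding window. The log lines, account names, threshold and window length are all constructed for the example.

```python
"""Burst detector for Active Directory account-disable/delete events.

Added illustration only; not Eaton's monitoring or anything from the case.
Event IDs 4725 (account disabled) and 4726 (account deleted) are the real
Windows Security log IDs. The log lines below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <event id> <subject account> <target account>".
# Routine helpdesk/HR activity is interleaved with a burst from one service
# account, the shape a termination-triggered kill switch leaves behind.
SAMPLE_LOG = """\
2019-09-09T08:00:01 4725 svc-hr-sync jdoe
2019-09-09T08:30:14 4725 helpdesk1 msmith
2019-09-09T09:15:02 4725 svc-deploy alice
2019-09-09T09:15:03 4725 svc-deploy bob
2019-09-09T09:15:03 4726 svc-deploy carol
2019-09-09T09:15:04 4725 svc-deploy dave
2019-09-09T09:15:05 4725 svc-deploy erin
2019-09-09T09:15:06 4726 svc-deploy frank
2019-09-09T11:40:00 4725 helpdesk1 gwen
"""

WATCHED_EVENTS = {4725: "account disabled", 4726: "account deleted"}


def parse_line(line):
    """Split one constructed log line into (timestamp, event id, subject, target)."""
    ts, event_id, subject, target = line.split()
    return datetime.fromisoformat(ts), int(event_id), subject, target


def find_bursts(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per subject that disables or deletes at least
    `threshold` accounts within any `window`-long sliding interval.

    Per-subject deques hold the recent watched events; events older than the
    window are dropped from the left before the count is checked.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, subject, target = parse_line(line)
        if event_id not in WATCHED_EVENTS:
            continue
        q = recent[subject]
        q.append((ts, target))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and subject not in alerted:
            alerted.add(subject)  # one alert per subject, not one per event
            alerts.append({
                "subject": subject,
                "count": len(q),
                "first": q[0][0].isoformat(),
                "last": ts.isoformat(),
                "targets": [t for _, t in q],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bursts(SAMPLE_LOG):
        print(f"ALERT: {alert['subject']} touched {alert['count']} accounts "
              f"between {alert['first']} and {alert['last']}: {alert['targets']}")
```

The useful property is that the alert keys on the subject account rather than on any single target: helpdesk staff disabling one leaver at a time never trip it, while a service or deployment identity that suddenly disables a run of accounts in seconds does. Logs of this kind catch the switch only after it fires; the `IsDLEnabledinAD` check itself sits in source code and is the sort of thing the stricter code review the article mentions is meant to catch before deployment.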
Judge Pamela Barker has yet to schedule sentencing, but Lu’s conviction mandates a minimum of five years’ probation and potential restitution.
Friedman confirmed plans to appeal, citing “flawed forensic methodologies” in attributing the malware to Lu. Eaton Corp., now headquartered in Dublin, Ireland, declined to comment but has since implemented stricter code review policies and real-time AD monitoring to prevent recurrence.
As Lu’s case moves to appellate courts, it serves as a cautionary tale for organizations navigating the intersection of employee disengagement and cyber risk mitigation.