
Chinese Developer Imprisoned for Planting Malicious Code at U.S. Company

Developer from China receives a four-year sentence for injecting malicious software, including a kill switch, into his company's digital infrastructure.

Developer from China Sentenced for Installing Harmful Software at American Corporation

In a case that highlights the potential dangers of insider threats, Chinese software developer Davis Lu has been sentenced to four years in prison and three years of supervised release. Lu, aged 55, was convicted by the US Department of Justice (DoJ) in March 2023.

The malicious activity took place while Lu was employed as a software developer for an unnamed victim company headquartered in Beachwood, Ohio, between November 2007 and October 2019. Acting Assistant Attorney General Matthew R. Galeotti stated that Lu breached his employer's trust by sabotaging company networks, causing hundreds of thousands of dollars in losses.

The damage was caused by malicious code, including a "kill switch," that Lu deployed in the network of his US employer. The code created "infinite loops" that exhausted Java threads, causing server crashes and preventing user logins, and it deleted coworker profile files. By August 2019, Lu had introduced malicious code that caused system crashes and prevented user logins, impacting thousands of company users globally.

The insider activity was motivated by disgruntlement with the employer, following a corporate realignment that reduced his responsibilities and system access. Investigators found that Lu had researched methods to escalate privileges, hide processes, and rapidly delete files. On the day he was directed to turn his laptop in, Lu deleted encrypted data.

A kill switch was implemented in the code, locking out all users if Lu's credentials in the company's Active Directory were disabled. The kill switch was automatically activated when Lu was placed on leave and asked to surrender his laptop on September 9, 2019. No suggestion of nation-state involvement was found in the case.

The Criminal Division is committed to identifying and prosecuting those who attack US companies, whether from within or without. Lu's conviction serves as a reminder of the importance of safeguarding company networks and the consequences of intentional damage to protected computers.
