Full Report
Source article (TechCrunch, 2024): Software developer Davis Lu was found guilty of sabotaging the company's systems.
Analysis Summary
# Incident Report: Malicious Insider Sabotage via Network 'Kill Switch'
## Executive Summary
A former software developer at a large corporation intentionally sabotaged the company's network by implementing a dormant "kill switch" tied to his own credentials. When his employment ended and those credentials were deactivated, the script activated automatically, causing widespread global network disruption and hundreds of thousands of dollars in losses. The actor was subsequently identified, tried, and convicted of causing intentional damage to computer systems.
## Incident Details
- **Discovery Date:** September 9, 2019 (Implied based on activation date)
- **Incident Date:** September 9, 2019 (When the kill switch activated)
- **Affected Organization:** Former employer of the developer (Implied a large corporation, possibly Eaton Corp based on source linkage)
- **Sector:** Technology/Software Development (Context implies a large enterprise environment)
- **Geography:** Global (Affecting thousands of employees globally)
## Timeline of Events
### Initial Access
- **Date/Time:** Before September 9, 2019 (Implied during period of employment following restructuring)
- **Vector:** Malicious Insider Threat (Authorized access as an employee/developer)
- **Details:** The developer created and implemented a "kill switch" code designed to lock out all company employees from the network if his credentials were ever deactivated.
### Lateral Movement
- Not explicitly detailed. The action was a pre-planned, system-wide activation upon departure, rather than complex lateral movement post-intrusion.
### Data Exfiltration/Impact
- **Impact:** Widespread system disruptions affecting thousands of employees globally resulted from the network lockout.
- **Damage:** The company incurred "hundreds of thousands of dollars in losses." The script also involved deleting data, as suggested by the conviction details.
### Detection & Response
- **Detection:** The disruption was noticed immediately: it began the moment the attacker's credentials were deactivated on termination and affected all users at once.
- **Response actions taken:** The incident led to significant system restoration efforts and subsequent legal action culminating in a federal jury conviction.
## Attack Methodology
- **Initial Access:** Authorized access via developer credentials prior to termination.
- **Persistence:** The malware/script was embedded, designed to persist until a specific trigger (credential deactivation) was met.
- **Privilege Escalation:** Not applicable; the developer acted within existing, high-level system maintenance privileges.
- **Defense Evasion:** The mechanism (named "IsDLEnabledinAD", a reference to the developer's own Active Directory account status) was designed to evade immediate detection by remaining dormant until a predictable administrative action (disabling that account) occurred.
- **Credential Access:** Not applicable; the attack relied on utilizing existing, legitimate credentials as a trigger.
- **Discovery:** Not applicable; the activity was internal sabotage rather than external reconnaissance.
- **Lateral Movement:** Not applicable; the impact was comprehensive network lockout.
- **Collection:** No collection activity is described; data deletion occurred, but the report gives no details of any collection method.
- **Exfiltration:** Not specifically mentioned; data deletion, not exfiltration, was the observed consequence.
- **Impact:** Denial of Service/System Sabotage (locking out all employees).
## Impact Assessment
- **Financial:** Hundreds of thousands of dollars in losses for the company.
- **Data Breach:** Data deletion occurred (specific volume unknown).
- **Operational:** Widespread system disruptions affecting thousands of employees globally.
- **Reputational:** Not quantified, but significant disruption often impacts reputation.
## Indicators of Compromise
(Because the incident was an insider action that used legitimate access to trigger a pre-planted script, the indicators below are observational rather than pre-attack artifacts.)
- **Network indicators:** System-wide connectivity failure contingent on specific user account status.
- **File indicators:** The presence of the custom script named or referenced as "IsDLEnabledinAD".
- **Behavioral indicators:** Sudden, simultaneous lockout of thousands of user accounts tied to a single administrative event (credential deactivation).
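One way to operationalize the behavioral indicator above, as an added example that is not part of the original report: correlate each account-disable event with the lockouts that follow it within a short window, and alert when one administrative action is followed by a burst of lockouts for other users. The log format, event names, user names and sample lines are constructed for illustration.

```python
"""Detect a burst of lockouts immediately after an account-disable event.

Added example, not from the original report. The idea: a credential-triggered
kill switch shows up as one 'account disabled' event followed by many lockouts.
"""
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <event> user=<name> by=<actor>".
# Event names are our own labels (assumption), loosely modelled on Windows
# Security log semantics: ACCOUNT_DISABLED ~ 4725, ACCOUNT_LOCKED ~ 4740.
SAMPLE_LOG = """\
2019-09-09T08:00:12 LOGON_OK user=alice by=-
2019-09-09T08:01:03 ACCOUNT_DISABLED user=departing_dev by=hr_admin
2019-09-09T08:01:09 ACCOUNT_LOCKED user=alice by=-
2019-09-09T08:01:10 ACCOUNT_LOCKED user=bob by=-
2019-09-09T08:01:11 ACCOUNT_LOCKED user=carol by=-
2019-09-09T08:01:12 ACCOUNT_LOCKED user=dave by=-
2019-09-09T08:01:13 ACCOUNT_LOCKED user=erin by=-
2019-09-09T08:30:00 ACCOUNT_LOCKED user=frank by=-
"""


def parse(line):
    """Split one constructed log line into (timestamp, event, user, actor)."""
    ts, event, user, by = line.split()
    return (datetime.fromisoformat(ts), event,
            user.split("=", 1)[1], by.split("=", 1)[1])


def find_disable_triggered_lockouts(log_text, window=timedelta(minutes=5), threshold=5):
    """Return [(disabled_user, lockout_count)] for every ACCOUNT_DISABLED event
    that is followed within `window` by lockouts of at least `threshold`
    distinct *other* users. Normal off-boarding should never trip this."""
    events = [parse(line) for line in log_text.splitlines() if line.strip()]
    alerts = []
    for ts, ev, user, _ in events:
        if ev != "ACCOUNT_DISABLED":
            continue
        locked = {u for t, e, u, _ in events
                  if e == "ACCOUNT_LOCKED" and u != user and ts <= t <= ts + window}
        if len(locked) >= threshold:
            alerts.append((user, len(locked)))
    return alerts


if __name__ == "__main__":
    for user, count in find_disable_triggered_lockouts(SAMPLE_LOG):
        print(f"ALERT: disabling {user} was followed by {count} lockouts")
```

In a real deployment the window and threshold would be tuned to the directory's normal lockout rate, and the rule would run against forwarded Security log events rather than a text blob.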
## Response Actions
- **Containment measures:** Implied immediate isolation and disabling of the mechanism causing the lockout ("kill switch").
- **Eradication steps:** Rebuilding affected systems and removing the malicious code.
- **Recovery actions:** Restoring network access for thousands of employees and mitigating the financial losses.
## Lessons Learned
- **Key takeaways:** Security controls must account for malicious actions by trusted insiders, especially during personnel transitions or restructuring events that alter access levels.
- **What could have been done better:** Stronger controls over administrative script deployment, segregation of duties for deployment vs. account management, and implementing pre-termination access review procedures that analyze dormant scripts attached to active accounts.
## Recommendations
- Implement rigorous controls and automated audits for high-privilege scripts or administrative tools left on the network.
- Ensure critical access rights (like Active Directory management) are not tied to a single individual's active employment status.
- Develop and promptly implement off-boarding procedures that deactivate access rights and, at the same time, review any custom code, scheduled jobs or scripts associated with the departing user's privileges.