This article can also be found on LinkedIn. No login necessary.
In any economy, a business may decide to restructure its operations. But when uncertainty strikes, a business may need to restructure earlier than planned or in ways it had not anticipated. Not being fully prepared before disrupting the regular course of business can leave key questions unaddressed during the process.
Key questions such as “How do we restructure responsibilities?” and “How much damage can a ticked-off employee inflict on the business?”
In case you’ve never thought of this last question, the answer may lie in a recent court case out of Ohio, USA.
After 9½ years at Eaton Corporation, Davis Lu was promoted to Senior Software Developer, Emerging Technology. He held that title for 2 years before the company restructured its organization in 2018. As a result, Mr. Lu (age 55 at the time of sentencing) was demoted, which came with reduced responsibilities and reduced access to the company servers.
Still employed but evidently not pleased with his modified role, he started to sabotage his employer 2 DAYS after his re-assignment (which, incidentally, was a Saturday). He wrote a variety of malware (which he stored on the company’s internal development server) that did the following:
one program, in essence, created an infinite loop to keep a production computer processing until it crashed, which then prevented other employees from being able to log in to that machine
another piece of code was designed to delete employee profiles
a “kill-switch” was embedded that would block all user logins once his own credentials were revoked in Active Directory; that kill-switch ended up affecting thousands of users worldwide
Separately, upon his termination, he chose to delete and encrypt data on his company-issued laptop once he was told to return it to the company.
The court documents did not mention any reduction in Mr. Lu’s pay, so it appears his actions were the result of his functional demotion and a very bruised ego.
But before you think, “We don’t have any IT developers at our company so that could never happen to us”, any employee (especially those with elevated privileges/access to systems, accounts or functions) has the ability to sabotage their employer should they feel a need to do so.
1️⃣ KYE (Know Your Employees) 👩🏼🧓🏼👦🏼: get to know them BEFORE there are issues and attempt to establish a baseline (this is linked closely to #2 below).
Has Bob come to work early every day for 2 years but now he’s always late?
Is Jane, who normally works 9-5 and takes all her breaks, now rarely leaving her desk and working late most nights?
Are there key team leaders or managers who no longer seem interested in managing their teams?
2️⃣ Look for indicators of fraud (or “red flags”) 🚩: Mr. Lu, based on his internet activity, had spent time researching how to “escalate privileges, hide processes, and rapidly delete files” which hinted at his malicious intentions.
3️⃣ Routine system audits 🔎: inspect the files, services and programs on any development or production server, looking especially for installations at unusual times or by unexpected accounts, and for changes in folders where nothing should change.
Mr. Lu’s programs were aptly named “Hakai” (Japanese word for destruction), “HunShui” (Chinese word for sleep) and “IsDLEnabledinAD” (based on ‘Is Davis Lu enabled in Active Directory’), and were stored on company servers located in another state.
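The audit described in point 3 can be made routine by keeping a manifest of what a server's folders are supposed to contain and diffing against it. The script below is an added example written for this article; it is not code from the article, from Eaton, or from IridiumITI. It snapshots a directory tree (path to SHA-256), then flags files that are new, changed or deleted since the baseline, any change under a folder declared "frozen", files owned by an account outside an allow-list, and changes stamped on a weekend (the court record above notes the sabotage began on a Saturday). It goes slightly beyond the paragraph by diffing against a stored baseline rather than inspecting timestamps alone. The folder names, account names ("svc_deploy", "contractor") and the Saturday timestamp are constructed for the demo; owner lookup assumes a POSIX host.

```python
# Added example (not from the original article, Eaton or IridiumITI): a
# baseline-and-diff audit of a server directory tree. All paths, account
# names and timestamps below are constructed for the demo.
import datetime as dt
import hashlib
import os
import tempfile
from pathlib import Path

try:
    import pwd  # POSIX only; maps uid -> account name
except ImportError:
    pwd = None


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Manifest of relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def owner_name(path: Path) -> str:
    """Owning account of a file, falling back to the numeric uid."""
    uid = path.stat().st_uid
    if pwd is not None:
        try:
            return pwd.getpwuid(uid).pw_name
        except KeyError:
            pass
    return str(uid)


def audit(root: Path, baseline: dict, frozen_dirs: set, allowed_owners: set,
          owner_of=owner_name) -> list:
    """Return (relative_path, reason) findings for the tree under root."""
    current = snapshot(root)
    findings = []

    def in_frozen(rel: str) -> bool:
        return any(rel.startswith(d.rstrip("/") + "/") for d in frozen_dirs)

    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append((rel, "deleted since baseline"))
            if in_frozen(rel):
                findings.append((rel, "change inside frozen directory"))
            continue
        path = root / rel
        if rel not in baseline:
            findings.append((rel, "new file not in baseline"))
            changed = True
        else:
            changed = baseline[rel] != current[rel]
            if changed:
                findings.append((rel, "content differs from baseline"))
        if changed and in_frozen(rel):
            findings.append((rel, "change inside frozen directory"))
        owner = owner_of(path)
        if owner not in allowed_owners:
            findings.append((rel, f"owned by unexpected account {owner}"))
        when = dt.datetime.fromtimestamp(path.stat().st_mtime)
        if changed and when.weekday() >= 5:  # Saturday = 5, Sunday = 6
            findings.append((rel, f"modified on a weekend ({when:%A})"))
    return findings


def demo() -> list:
    """Constructed tree: baseline it, plant a weekend change in a frozen dir, audit."""
    root = Path(tempfile.mkdtemp(prefix="audit-demo-"))
    (root / "app").mkdir()
    (root / "app" / "service.py").write_text("print('service up')\n")
    (root / "release").mkdir()  # declared frozen: nothing should change here
    (root / "release" / "build.cfg").write_text("version=1.0\n")
    baseline = snapshot(root)
    # "After" state: a file appears in the frozen folder, stamped with an
    # arbitrarily chosen Saturday (2018-08-04) to trigger the weekend check.
    planted = root / "release" / "unexpected.py"
    planted.write_text("# constructed placeholder\n")
    saturday = dt.datetime(2018, 8, 4, 12, 0).timestamp()
    os.utime(planted, (saturday, saturday))
    return audit(root, baseline, frozen_dirs={"release"},
                 allowed_owners={owner_name(root)})


def demo_unexpected_owner() -> list:
    """Same audit with an injected owner resolver to exercise the account check."""
    root = Path(tempfile.mkdtemp(prefix="audit-owner-"))
    (root / "notes.txt").write_text("unchanged\n")
    baseline = snapshot(root)
    return audit(root, baseline, frozen_dirs=set(), allowed_owners={"svc_deploy"},
                 owner_of=lambda p: "contractor")  # constructed account names


if __name__ == "__main__":
    for rel, reason in demo() + demo_unexpected_owner():
        print(f"{rel}: {reason}")
```

In practice the baseline manifest would be taken right after a known-good deployment and stored off the server being audited, so that whoever can modify the server cannot also rewrite the record it is compared against.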
4️⃣ Be extra vigilant with a distributed workforce 🌎: Mr. Lu was from Pittsburgh, the victim organization was based in Ohio, the server housing the malware was in Kentucky, and the company operated worldwide.
💡 Mr. Lu had malware ready to deploy within 2 DAYS after being re-assigned to his new team but the court documents stated that he was charged with unauthorized access “during a 1-year period”. Both these facts imply that he was unhappy with his job and/or employer long before he was demoted.
💡 Employees in “special departments” (like Emerging Technology) often get carte blanche in their activities because the rest of the company may not know or understand what that department does. These teams – especially those with significant access to key resources – still need to be managed … closely.
In 2023, occupational fraud cost businesses an estimated $3.1 billion in losses (ACFE, 2024).
If you think fraud may be occurring within your business, a preliminary investigation can help stop it before it gets worse. An investigation can also identify any weaknesses in internal controls – helping your business to proactively reduce the risk of fraud.
Contact IridiumITI and find out how to protect your business from fraud and cyber crime.
#Fraud #CyberSecurity #CyberCrime
Article Reference: District of Ohio v. Davis Lu, Case # 1:21-CR-226-PAB, found at https://regmedia.co.uk/2025/03/07/lu.pdf
ACFE. (2024). Occupational Fraud 2024: A Report To The Nations [PDF]. Retrieved from https://www.acfe.com/-/media/files/acfe/pdfs/rttn/2024/2024-report-to-the-nations.pdf
Digital Forensic Investigations for you and your business.
Questions have answers. Problems have solutions.
We provide solutions.
We are located in the GTA and provide services to individuals and businesses throughout Southern Ontario, Canada.
Proudly Canadian
IridiumITI (a division of Onyx Investigations and Security Inc.) © 2025