We’re all familiar with the trials and tribulations caused by malware attacks from outside.
Well-known malware types include:
With so many different malware strains to eat up your time and vigilance, just how safe do you think you are against malware enabled or implanted by disaffected insiders?
Many ransomware criminals target large organizations with the goal of causing such widespread disruption that they demand (and sometimes receive) blackmail payoffs of hundreds of thousands or even millions of dollars.
Sometimes, instead of buying up passwords from so-called Initial Access Brokers (IABs), or scanning for unpatched security holes, or using social engineering tricks to talk their way in, attackers directly bribe insiders to launch the malware for them.
In mid-2020, for example, Russian cybercriminal Egor Igorevich Kriuchkov was arrested and charged with conspiring to “recruit an employee of [US car manufacturer Tesla] to facilitate the transmission of malware into the targeted company’s computer system,” and to pay the unnamed employee $1,000,000 for introducing the malware successfully.
(Kriuchkov pled guilty and was sentenced to time served, meaning that the 10 months he had spent in custody awaiting trial were considered a sufficient prison sentence, and he was then deported to Russia.)
But what if the insider not only implants malware intended to attack your business, but also deliberately creates it in the first place, tailored around their intimate knowledge of your infrastructure and operations?
Fortunately, attacks of this sort are comparatively rare, but they can be difficult to spot proactively.
Insider-created malware is often written for very different reasons than the malware used by mainstream cybercriminals, who are commonly driven by motives such as financial greed, industrial espionage, or state-level political and intelligence leverage.
Here’s a recent criminal case that took six long years from detection and investigation to sentencing.
This attack was motivated, it seems, entirely by personal bitterness and a desire for revenge.
In August 2019, a US software engineer named Davis Lu, who lived in Pennsylvania but worked mostly remotely for a large power management company based in Ohio, was demoted to a less glamorous job, apparently as part of a “corporate realignment,” or re-org, carried out around that time.
Lu seems to have been sufficiently aggrieved about the role he was pushed into after the re-org that he took his anger out on his employer almost at once, abusing his remaining access privileges to poison the very farm that fed him, so to speak.
His malicious implants, according to his original indictment, included:
In September 2019, Lu was dismissed, presumably because, as the indictment points out, he was “the only developer with access to the development server” where the rogue DoS code had run, and the malicious code had been launched under his own user ID.
We’re assuming that the word “access” above doesn’t refer to users of the server who simply submitted jobs such as software builds that the server would run for them, but instead refers to the ability to log into, configure, and manipulate the server itself.
At this point, when Lu was removed from the company systems, his revenge code kicked in, the kill-switch was triggered, and, as the Department of Justice notes in its press release about his eventual conviction, “impacted thousands of company users globally.”
Lu, it seemed, made little effort to cover up his criminality, given that he was an obvious suspect in the server-crashing incident, and had given the account monitoring kill-switch code the name IsDLEnabledinAD().
Microsoft’s own official abbreviation for Active Directory, the user and system management database at the heart of Windows networks, is AD, and DL, rather obviously, are Davis Lu’s own initials.
Further suspicious behavior by Lu, says the US Department of Justice (DOJ), included encrypting chunks of his company laptop before returning it after being fired, but nevertheless leaving behind internet search history showing an explicit interest in how to “escalate privileges, hide processes, and rapidly delete files.”
The DOJ doesn’t say whether Lu’s unusual search terms were left behind unencrypted on his otherwise scrambled laptop, or somehow recovered from firewall logs elsewhere on the network. Either way, the evidence suggests that Lu used company resources not only to deploy his malware but also to research it in the first place.
What’s interesting in this case is just how slowly the wheels of justice sometimes grind in cybercrime cases.
By October 2019, Lu’s indictment states, he had already “admitted to investigators that he created the [DoS] code.”
Apparently he was offered a chance to plead guilty, save the cost of a trial, and receive a non-custodial sentence, meaning that even if he were given time in prison, the sentence would be suspended so he wouldn’t actually be locked up.
But Lu decided to roll the dice and go to trial, presumably hoping that a jury would accept that although he “acknowledged writing the code in question, [nevertheless] he maintained that his code was not responsible for the servers repeatedly crashing.”
Perhaps he hoped that if the jury was willing to accept he’d been framed for running the DoS attack in the first place, they’d also accept that his suspicious search history and the unfortunately-named IsDLEnabledInAD() function were also part of a deliberate stitch-up.
His indictment wasn’t filed until April 2021, and his trial didn’t take place until early 2025, at which point Lu found out that the jury didn’t buy his defense that although he admitted to writing some of the malware, someone else must have done the dirty work of actually running it.
Lu was found guilty, and the DOJ noted at the time that he could receive up to 10 years (120 months) in prison.
At sentencing, however, the prosecution argued for around six years (63 to 78 months).
Predictably, the defense aimed for a much more lenient punishment, suggesting just 18 months in custody.
Lu’s attorney stated that he “maintains that [his] program had a legitimate purpose and denies any malicious intent in creating the code,” an intriguing claim given that its side-effect of abruptly and deliberately locking out other users was not contested.
The defense further claimed that “he also denies that his code was the cause of the server crashes[; n]evertheless, he understands and respects that the jury concluded otherwise.”
Ultimately, Lu got four years, followed by three years of supervised release.
Remember all of the following:
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
Featured image of Emergency Button by Jakub Żerdzicki via Unsplash.