How a 55‑Year‑Old Engineer Sabotaged Eaton’s Global Network – Key InfoSec Lessons
A senior programmer at Eaton, fearing layoff, secretly embedded Java malware that created endless threads and a kill‑switch, causing a worldwide outage and costing tens of thousands of dollars, ultimately leading to a four‑year prison sentence and highlighting the critical risk of insider threats.
A 55‑year‑old programmer named Davis Lu, who had worked at Eaton Corporation for over 12 years, feared being laid off after a corporate restructuring in May 2019. In August 2019 he covertly inserted multiple malicious Java programs into the company’s production system in Kentucky.
One of the programs ran an infinite loop that continuously created non‑terminating threads, exhausting server resources until the system crashed. He also added code to delete user files and a “kill‑switch” called IsDLEnabledinAD (meaning “Is Davis Lu enabled in Active Directory”). Additional payloads were named “Hakai” (Japanese for “destruction”) and “HunShui” (Chinese pinyin for “sleep” or “murky water”).
When Lu was formally terminated on September 9, 2019, the kill‑switch activated, instantly locking thousands of employees out of the system and causing an estimated loss of tens of thousands of dollars.
On the same day he returned the company laptop, he deleted large amounts of encrypted data, attempted to erase Linux directories and several code repositories, and his browser history revealed searches for “how to elevate privileges,” “how to hide processes,” and “how to quickly delete large folders.”
Although he confessed to the FBI in October 2019, he refused to plead guilty during trial. In March 2023 the U.S. Department of Justice sentenced him to four years in prison plus three years of supervised release, rejecting his request for an 18‑month term.
Eaton, founded in 1911 and headquartered in Ohio, employs about 85,000 people worldwide and generated over $23 billion in revenue in 2023. The incident underscores the severe impact of insider threats.
Assistant U.S. Attorney Matthew Galeotti emphasized that the defendant abused employer trust, leveraged privileged access, and caused significant disruption, noting that the DOJ will pursue both internal and external attackers.
Security experts point out that Lu’s tactics were technically simple: abusing privileged access and launching a resource‑exhaustion denial‑of‑service attack. They recommend robust segregation of duties, regular audit of permissions, and continuous monitoring of system logs for anomalous behavior.
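The resource‑exhaustion pattern described above, a process whose thread count only ever grows, is one anomaly that such monitoring can catch. The following is an added example, not code from the original article or from Eaton's systems; the process names, sample values, and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed samples: (minute, process name, live thread count).
# "billing-api" behaves like a healthy thread pool; "batch-worker" leaks threads.
SAMPLES = [
    (0, "billing-api", 48), (1, "billing-api", 52), (2, "billing-api", 47),
    (3, "billing-api", 55), (4, "billing-api", 50), (5, "billing-api", 49),
    (0, "batch-worker", 40), (1, "batch-worker", 95), (2, "batch-worker", 180),
    (3, "batch-worker", 410), (4, "batch-worker", 900), (5, "batch-worker", 1900),
]


def find_thread_leaks(samples, window=5, min_growth=200):
    """Return {process: (start_count, end_count)} for every process whose
    thread count rose in each of the last `window` intervals and grew by at
    least `min_growth` threads over that span.

    Requiring both conditions avoids alerting on pools that oscillate
    (not strictly rising) or that warm up slowly (rising, but by little).
    """
    series = defaultdict(list)
    for _minute, proc, count in sorted(samples):  # sort puts samples in time order
        series[proc].append(count)

    flagged = {}
    for proc, counts in series.items():
        if len(counts) < window + 1:
            continue  # not enough history to judge a trend
        recent = counts[-(window + 1):]
        rising = all(later > earlier for earlier, later in zip(recent, recent[1:]))
        if rising and recent[-1] - recent[0] >= min_growth:
            flagged[proc] = (recent[0], recent[-1])
    return flagged


if __name__ == "__main__":
    for proc, (start, end) in find_thread_leaks(SAMPLES).items():
        print(f"ALERT {proc}: threads grew {start} -> {end} without ever dropping")
```

In practice the samples would come from whatever already collects per‑process metrics, and the window and growth threshold need tuning against each service's normal behavior.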
The case serves as a cautionary tale for technologists: technical skills should create value, not destruction. Organizations must strengthen internal security controls and off‑boarding procedures to prevent similar sabotage.
IT Services Circle
