Former Eaton developer Davis Lu, age 55, was sentenced to four years in prison and three years of supervised release for intentionally damaging a protected computer belonging to his former employer, power management company Eaton.
Lu had worked at Eaton for 12 years and had risen to senior developer of emerging technology before a corporate restructuring led to his demotion, after which he secretly installed a Java-based "kill switch" on the company's systems.
The malware, named "IsDLEnabledinAD" ("Is Davis Lu enabled in Active Directory"), was designed to create ever-increasing non-terminating threads in an infinite loop, exhausting server resources and crashing the network when his local network access was removed.
Eaton inadvertently triggered the malware when Lu was terminated on September 09, 2019, which brought down portions of its global corporate network, deleted some corporate data, and blocked thousands of employees from logging in.
Lu was arrested less than a month after the infection and later convicted at trial of intentionally damaging Eaton's protected computers, with authorities reporting that the attack caused hundreds of thousands of dollars in losses.
Justice Department and FBI officials described the case as an example of insider misuse of technical access and emphasized the importance of early identification of insider threats in corporate environments.
Source: https://www.tweaktown.com/news/107281/developer-sentenced-to-prison-after-nuking-corporate-network-with-revenge-malware/index.html
Commentary
In the above matter, the former employee is accused of creating "non-terminating threads in an infinite loop". Non-terminating threads in an infinite loop are execution paths that start running and never reach a normal exit condition because their loop condition is always true or never updated in a way that allows the thread to finish.
In a malicious context, each such thread repeatedly performs work without stopping, and when many of these threads are created, they can collectively consume CPU cycles, memory, and other system resources until the underlying server or application becomes unresponsive or crashes. When the loop logic also allocates memory, opens connections, or writes to disk without proper limits, resource exhaustion accelerates and can propagate across clustered or dependent systems.
This type of attack crashes systems by overwhelming core resources that the operating system and other applications need to function. Excessive thread creation increases the number of active execution contexts the scheduler must manage, driving CPU utilization to sustained high levels and increasing context switching overhead.
As more threads run infinite loops, queues, memory pools, and other shared structures fill or fragment, which can trigger out-of-memory conditions, watchdog timeouts, and failures in authentication, logging, or organization services that depend on timely access to those resources. In networked environments, these failures can cascade into broader outages when identity services, file shares, or application backends become unavailable or start refusing connections.
From a loss prevention and insider threat perspective, several patterns can indicate that an insider has created non-terminating threads in an infinite loop, including:
· Unexplained spikes in thread counts for a particular process, especially shortly after a personnel action such as a role change, access revocation, or termination. These are key technical indicators when correlated with abnormal CPU and memory consumption for that process.
· Unusual executable names, scheduled tasks, or services tied to an individual's account, particularly those put into use shortly before a departure or privilege change. These warrant prompt review.
From a solely loss prevention standpoint, source code, configuration repositories, and deployment pipelines should be monitored for new or modified components that instantiate large numbers of threads or loops with no clear termination condition or external control, especially where those components are linked to authentication, access control, or shutdown events.
Centralized logging and application performance monitoring can support early detection by flagging sudden degradations in performance, repeated failures to service routine requests, and recurring patterns that align with code paths owned or modified by a specific insider.
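The two indicators above (a per-process thread-count spike with abnormal CPU, correlated with a recent personnel action) can be checked with a small detector over monitoring telemetry. The following is an added example, not code from the article or from Eaton; the telemetry samples, the personnel event, the host names and the user label are all constructed, and the thresholds (5x baseline, 80% CPU, a two-hour correlation window) are assumptions a team would tune to its own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed telemetry samples: timestamp, host, process, thread count, CPU percent.
SAMPLES = [
    ("2019-09-09T07:00", "app01", "java", 40, 12.0),
    ("2019-09-09T07:30", "app01", "java", 42, 15.0),
    ("2019-09-09T08:00", "app01", "java", 41, 14.0),
    ("2019-09-09T08:30", "app01", "java", 39, 11.0),
    ("2019-09-09T09:30", "app01", "java", 900, 97.0),   # thread count explodes
    ("2019-09-09T10:00", "app01", "java", 2400, 99.0),  # and keeps growing
    ("2019-09-09T09:30", "db01", "postgres", 120, 30.0),
]
# Constructed personnel actions from HR / IAM: timestamp, user label, action.
PERSONNEL_EVENTS = [("2019-09-09T09:00", "departing_user", "access_revoked")]

def detect_thread_spikes(samples, events, baseline_n=3, ratio=5.0,
                         cpu_min=80.0, window=timedelta(hours=2)):
    """Flag samples whose thread count is far above that process's own early
    baseline while CPU is saturated, then correlate each alert with personnel
    actions in the preceding window. Returns a list of alert dicts."""
    ts = datetime.fromisoformat
    by_proc = defaultdict(list)
    for t, host, proc, threads, cpu in sorted(samples, key=lambda s: s[0]):
        by_proc[(host, proc)].append((ts(t), threads, cpu))
    alerts = []
    for (host, proc), series in by_proc.items():
        if len(series) <= baseline_n:
            continue  # not enough history to establish a baseline
        baseline = median(th for _, th, _ in series[:baseline_n])
        for when, threads, cpu in series[baseline_n:]:
            if threads >= ratio * baseline and cpu >= cpu_min:
                related = [(u, a) for et, u, a in events
                           if timedelta(0) <= when - ts(et) <= window]
                alerts.append({"host": host, "process": proc,
                               "time": when.isoformat(), "threads": threads,
                               "baseline": baseline, "personnel_events": related,
                               # a personnel action in the window raises priority
                               "severity": "high" if related else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect_thread_spikes(SAMPLES, PERSONNEL_EVENTS):
        print(alert)
```

On the constructed data both java samples after the access revocation are flagged as high severity, while the lone postgres sample is skipped for lack of a baseline.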
The final takeaway is that before termination of a person with the ability to harm or degrade a system, steps must be taken to ensure that a "poison pill" has not been created to trigger at the time of the termination and, if it has, dismantle it prior to the termination.
