Disney Thief Pleaded Guilty

According to the US Department of Justice, Ryan Mitchell Kramer has pleaded guilty to accessing a computer and obtaining information, and threatening to damage a protected computer, as well as to two felony charges that each carry a prison sentence of up to five years.  Kramer is behind the 2024 hack targeting The Walt Disney Company.  The media giant launched an investigation into the incident in July 2024, after a threat actor calling itself NullBulge announced the theft of 1.1 Tb of data from Disney’s internal Slack channels, including messages, information on unreleased projects, login credentials, and source code.  NullBulge claimed to be a “hacktivist group protecting artists’ rights and ensuring fair compensation for their work.”

Cyber security firm SentinelOne detailed NullBulge’s activities, pointing out that their actions contradicted their hacktivism claims.  SentinelOne analyzed how the threat actor targeted AI and gaming-related entities with ransomware and other malware through malicious code planted on platforms such as GitHub and Hugging Face.  The malicious code distributed by Kramer was disguised as a tool for creating AI-generated art.  But in reality, it would deploy malware that enabled the hacker to gain access to the victim’s device.[1]

In the case of Disney, an employee downloaded the fake AI tool on his personal computer.  The credentials stored on the compromised device enabled Kramer to gain access to the Slack account used by the employee as part of his job at Disney.  This enabled the hacker to steal vast amounts of information from thousands of Slack channels operated by Disney.

The DOJ said the hacker, while claiming to represent the NullBulge hacktivist group, allegedly based in Russia, attempted to extort the Disney employee.  When the employee failed to respond, Kramer leaked his personal information along with the stolen Disney files.

Disney reportedly decided to stop using Slack for in-house communication following the data leak.

The employee who downloaded the malware and enabled Kramer to gain access to Disney data was terminated for misconduct following the incident.  The man filed a wrongful termination complaint against the media giant.  Authorities said Kramer admitted to hacking into the computers and accounts of at least two other victims, but they have not been identified.

In an unrelated Disney hacking story, a former Walt Disney World worker was sentenced last month to three years in prison for breaking into the company’s servers to cause disruptions and manipulate menus.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.securityweek.com/man-admits-hacking-disney-and-leaking-data-disguised-as-hacktivist/
