
NullBulge Admits to Stealing Internal Slack Data from Disney

Earlier this week, Ryan Mitchell Kramer, 25, of Santa Clarita, agreed to plead guilty in federal court in Los Angeles to hacking the personal computer of an employee of The Walt Disney Company in 2024. From that machine Kramer obtained login information that let him access the employee's Slack account and, through it, confidential company data.

Kramer faces two charges, one count of accessing a computer and obtaining information and one count of threatening to damage a protected computer, each of which carries a maximum sentence of five years. In July 2024, a group calling itself NullBulge claimed on a hacker forum that it had stolen 1.1TB of data from Disney's internal Slack channels. That claim prompted Disney to open an investigation; the stolen material was reported to include details of unreleased projects, source code, and login credentials.

When the Disney employee stopped responding to him, the negotiation collapsed, and on July 12, 2024, Kramer published the 1.1 terabytes of data collected from Disney Slack channels, along with the employee's personal, medical, and bank information. The Wall Street Journal is believed to have been the first to report the breach.

According to that report, the cache contained revenue figures for Disney products such as Disney+ and ESPN+, as well as login credentials for some cloud infrastructure. In August 2024, the company acknowledged the hack but said the incident had not had a material adverse impact on its operations.

To gain access to the Disney employee's computer, Kramer uploaded software to platforms such as GitHub that purported to generate AI art but was in fact backdoored. In July 2024, researchers at the cybersecurity company SentinelOne reported that NullBulge had seeded several online platforms, including Hugging Face, Reddit, and GitHub, with such backdoored software; Kramer has since admitted to distributing the malicious tool that gave him access to his victims' devices.

Kramer also exfiltrated data to a Discord channel. Not long after obtaining the 1.1 TB of internal data, he tried to cash in, contacting the victim while claiming to belong to NullBulge, a self-described Russian hacktivist group, and warning that all of the information would be released unless his demands were met. Officials noted that Kramer only claimed affiliation with NullBulge and does not appear to have been a member of any such group.

Kramer then fully doxed the victim, publishing the employee's bank, medical, and other personal details across multiple platforms. His malicious GitHub project appears to have been downloaded by at least two more people, whose computers were remotely compromised as a result. No statement has been released on how much of those victims' data was harvested; the FBI, to which the intrusion was first reported, is still investigating. The guilty plea closed out a busy week for federal law enforcement: earlier the same day, officials announced an $8.4 million penalty against Raytheon in a cybersecurity case and a rare extradition win in their case against an alleged Ukrainian malware operator.

According to the Wall Street Journal, one of the people who downloaded the program was a Disney employee, Matthew Van Andel, who ran it on his computer. That gave Kramer access to the device and to the passwords stored in Van Andel's 1Password password manager.

Using Van Andel's stolen credentials, Kramer accessed Disney's Slack channels and downloaded 1.1TB of corporate data. "The defendant gained access to private Disney Slack channels by gaining access to M.V.'s Slack account, and in or around May 2024, the defendant downloaded approximately 1.1 terabytes of confidential data from thousands of Disney Slack channels," states the plea agreement, which BleepingComputer has seen. Kramer then contacted Van Andel in the name of a Russian hacktivist group called "NullBulge", warning him that if he did not cooperate, his personal information and the stolen Disney Slack data would be published.

NullBulge describes itself as a Russian hacktivist organisation dedicated to protecting artists' rights, ensuring fair compensation for their work, and promoting ethical practices. Researchers from SentinelOne who analysed the group's activity concluded that its actions contradicted those claims. Kramer distributed malicious software disguised as an AI art-generation tool, which he used to access his victims' devices.

Once the Disney employee downloaded Kramer's fake AI tool, Kramer had access to the device and, through it, to confidential Disney corporate data. When the employee stopped responding to his extortion attempt, Kramer leaked the employee's personal information along with the stolen Disney files. Disney, which had used Slack for internal communications until the leak was discovered, has since stopped using it and fired the employee who downloaded the fake AI tool; the employee has in turn sued Disney for wrongful termination.

In his plea agreement, Kramer also admitted that at least two other victims downloaded his malicious file, giving him unauthorised access to their computers and accounts. Those two victims have not been identified, and the FBI's investigation into the matter is continuing.

The case of Ryan Mitchell Kramer shows how social engineering and malware delivery are becoming more sophisticated, and how the risk grows when malware is disguised as a legitimate artificial intelligence application. The guilty plea is a reminder of the exposure that trusted internal platforms such as Slack can create, and a cautionary tale for businesses and individuals alike to vet third-party software far more rigorously before running it.

With the federal investigation ongoing and the broader consequences of the breach still being assessed, the incident reinforces the importance of proactive cybersecurity measures, robust employee training, and rapid internal response to threats posed by digital technologies. To stay safe, organisations need to re-evaluate their security protocols and remain vigilant against emerging threats that exploit trust and technology to cause harm.

Activist Hacking Group Claims Leak of Disney’s Internal Data

An activist hacking group has alleged that it leaked a substantial amount of Disney's internal communications, including details about unreleased projects, raw images, computer code, and some login credentials.

The group, known as Nullbulge, has claimed responsibility for the breach, asserting that it obtained approximately 1.2 terabytes of data from Disney’s Slack, a popular messaging platform. In an email sent to CNN on Monday, Nullbulge explained that they gained access through “a man with Slack access who had cookies.” The email also indicated that the group is based in Russia.

According to Nullbulge, the user initially attempted to remove them but allowed them to re-enter before the second breach. CNN was unable to independently verify these claims.

Disney issued a statement on Monday, acknowledging the situation and stating that it “is investigating this matter.” The company’s extensive operations span various divisions and platforms, including ESPN, Hulu, Disney+, and ABC News.

The hacking group stated their motivations included concerns about how Disney manages artist contracts and its approach to artificial intelligence (AI), along with what they described as the company's disregard for consumer interests.

Nullbulge had been teasing this major leak over recent weeks on social media. For instance, in June, they posted on X what appeared to be visitor, booking, and revenue data from Disneyland Paris.

The issue of AI has been a contentious topic in recent labor disputes, notably during the Screen Actors Guild and the Writers Guild of America strikes. Writers are worried that AI could replace them in scriptwriting, while actors fear that CGI might entirely replace their roles.

The hackers mentioned that they chose to leak the data rather than negotiate with Disney. “If we said ‘Hello Disney, we have all your Slack data,’ they would immediately lock down and attempt to neutralize us. In a confrontation, it’s better to act first,” the email stated.

This incident recalls the 2014 Sony Pictures hack, which, linked to North Korea, resulted in an international crisis by exposing company emails, celebrity aliases, social security numbers, and entire movie scripts.