A California man agreed to plead guilty to two criminal charges related to a leak at the Disney company that resulted in more than a terabyte of confidential files and communications logs being exposed.
The Department of Justice announced that Ryan Kramer of Santa Clarita, California, compromised an employee workstation, stole credentials from it, and then leveraged those stolen credentials to gain access to further systems within the children’s entertainment empire.
The 25-year-old also awaits sentencing for one count of threatening to damage a protected computer. Each felony count carries a maximum of five years in federal prison, though such tough sentences are rarely handed down in these cases.
Poisoned projects cited as entry point
According to federal prosecutors, the attacks began with a poisoned GitHub package aimed at developers and artists. The project presented itself as an AI-powered image generation tool that would, by nature, appeal to those who worked at a major animation studio such as Disney.
The GitHub project contained a secret bit of nastiness within its payload, however: Kramer had embedded code that installed a backdoor on the user’s system. The hacker struck gold between April and May of 2024 when a Disney employee downloaded and executed the malicious payload.
It is believed that Kramer then used that backdoor into the victim’s machine to harvest their network and online credentials for various Disney platforms, including multiple company Slack chats and confidential data storage.
When it was all said and done, prosecutors say that Kramer was able to soak up some 1.1 TB worth of company data and Slack chat logs.
Russia enters the picture
Armed with 1.1 TB worth of internal information, Kramer then made his move to cash in. Claiming to be a member of the Russia-based hacking group NullBulge, he told the victim that unless a ransom was paid, all information would be released.
It should be noted that officials said Kramer only claimed affiliation with NullBulge and was, apparently, not an actual member of the group. This is likely the case as many hacktivist groups in Russia have moved on to bigger and better things as of late.
When the victim did not respond to the threats, Kramer then proceeded to completely dox the victim, releasing personal information, including bank, medical, and other personal details across multiple platforms.
It is believed that at least two other people downloaded Kramer's malicious GitHub project and had their systems remotely compromised. No word was given on the extent to which those victims’ data might have been harvested, but the FBI is said to still be investigating the matter.
The guilty plea wraps up what has been a busy week for the federal government, in terms of law enforcement. Earlier in the day, officials announced a pair of big moves in the form of an $8.4 million data breach penalty against Raytheon and a rare extradition win in its case against an alleged Ukrainian malware operator.