A hacktivist group claims to have stolen and leaked over a terabyte of data from Disney’s internal slack channels.
The 1.1 terabyte of data includes a complete 10,000 channel data dump that encompasses files, messages, unreleased projects, raw images and code.
The group also claims to have some logins, links to internal API/web pages “and more”.
Disney has since confirmed to the BBC that it is now investigating the hack.
The attacker, NullBulge, claims to be a hacktivist group protecting artists' rights and ensuring fair compensation for their work.
On its website, the group claims: “We believe AI-generated artwork harms the creative industry and should be discouraged.”
NullBulge operate a blog hosted on nullbulge[.]se and nullbulge[.]co promoting their group and to leak data. The blog hosts Tor and magnet links that they claim are disseminating the stolen data.
The blog nullbulge[.]se was registered on 2024-06-14. NullBulge also appears to have joined X (formerly Twitter) in June 2024 and its first post was made on June 24, 2024.
Speaking to Infosecurity, Ian Thornton-Trump, CISO at Cyjax, explained that the torrent file sharing system being used in this hack is “fast moving” and has many seeds – seeds are users who now have copy of the files and have downloaded them. He said the torrent is of “high interest”.
There has been some reporting that the group claims to be of Russian origin. However, this has been disputed by Rafe Pilling, director of threat intelligence at Secureworks.
“We have no evidence of their claim of being Russian,” he said. “We usually see these groups focused on crime for financial gain. The language on the X feed feels more like an English speaker. One reason they may be making this claim is to give the impression that they are outside of Western law enforcement jurisdiction.”
There have been rumoured links to the LockBit ransomware gang, as they appear to be using LockBit’s leaked builder.
However, Secureworks said the group is new to them and assessed that NullBulge have not come from another group as ransomware-as-a-service affiliates tend not to create their own blogs and social media posts.
Cybersecurity Analysis of Disney Hacktivist Hack
Commenting on the hack, Jake Moore, Global Cybersecurity Advisor, ESET, said: “Compromised email accounts can have devastating long lasting effects as they can often be the door to large swathes of sensitive information.”
It is suspected that the hackers may have had inside help as they mentioned a ‘Matthew J Van Andel’ in an update on their own blog. This person is suspected to have worked at the Disney company.
Moore noted: “Whether the hackers had inside help or they used info stealing software, it highlights how even the biggest companies around the world are targeted and still suffer large data breaches.”
He continued: “Although the data from the original site has been pulled down, once the can of worms is opened, the data will never be redacted and will unfortunately remain on the internet forever.”
The entry point for NullBulge, Slack, is often targeted due to it containing highly personal information and used by many of the world’s largest organizations.
Finally, Adam Pilton, Senior Cyber Security Consultant at CyberSmart and former Detective Sergeant investigating cybercrime said it is interesting that support for NullBulge does seem to exist, at least in the comments of social media posts, where people suggest that the activity against large corporations is acceptable and in fact deserved.
“Whatever your view on NullBulge, vigilantism cannot be considered an option because once it's deemed acceptable to attack larger targets, smaller ones will inevitably be next. When society starts to justify or tolerate vigilante actions against prominent individuals or organizations, it sets a dangerous precedent.”
Image credit: Miguel Lagoa / Shutterstock.com