Description: A Disney employee, Matthew Van Andel, reportedly downloaded AI-powered malware allegedly developed by the cybercriminal group NullBulge, resulting in a major cybersecurity breach. Hackers purportedly accessed Disney's Slack system, exposing 44 million internal messages, employee and customer data, and financial records. NullBulge also reportedly leaked Van Andel’s personal financial information, leading to identity theft and his eventual termination.
Editor Notes: Reconstructing the reported timeline of events: (1) April–June 2024: The NullBulge group reportedly emerges, targeting AI and gaming communities. (2) May–June 2024: NullBulge conducts supply-chain attacks by distributing malware-laden code on GitHub, Reddit, and Hugging Face, compromising ComfyUI_LLMVISION and distributing malicious BeamNG mods. (3) June 4, 2024: A BeamNG community forum thread warns that "BeamNG mods are not safe anymore." (4) Late June 2024: NullBulge announces a leak of Disney-related data, including .web publishing certificates and animation assets from DuckTales. (5) July 11, 2024: NullBulge posts a countdown for the release of a 1.2TB archive of Disney’s internal Slack communications. This incident ID marks this as the incident date as it is also the date reported by The Wall Street Journal when Matthew Van Andel became aware of the hack. (6) July 12, 2024: NullBulge releases the Disney Slack data, allegedly containing 44 million messages. (7) July 16, 2024: SentinelLabs publishes a report detailing NullBulge's operations, malware tactics, and attack methods. The SentinelOne investigation can be read here: https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/.
Entities
View all entitiesAlleged: NullBulge , GitHub , hugging face , Reddit , BeamNG , Slack , Discord and 1Password developed and deployed an AI system, which harmed Matthew Van Andel , Disney employees and Disney.
Incident Stats
Incident ID
950
Report Count
2
Incident Date
2024-07-11
Editors
Daniel Atherton
Incident Reports
Reports Timeline
See the original report on SentinelOne for more information on the indicators of compromise.
Executive Summary
- SentinelLabs has identified a new cybercriminal threat group, NullBulge, which targets AI- and gaming-focused entities
- In July 2…
The stranger messaging Matthew Van Andel online last July knew a lot about him---including details about his lunch with co-workers at Disney DIS 1.18%increase; green up pointing triangle from a few days earlier.
His mind raced; he knew no o…
Variants
A "variant" is an incident that shares the same causative factors, produces similar harms, and involves the same intelligent systems as a known AI incident. Rather than index variants as entirely separate incidents, we list variations of incidents under the first similar incident submitted to the database. Unlike other submission types to the incident database, variants are not required to have reporting in evidence external to the Incident Database. Learn more from the research paper.
Similar Incidents
Did our AI mess up? Flag the unrelated incidents
Similar Incidents
Did our AI mess up? Flag the unrelated incidents