Menu
Browse

Cyber Threat Actor: Orion

Actor Type Location Known Incidents
 Icon
Criminal
Russia
1 incident
Profile

Orion isthe alias used by a hacker who has been linked to a claimed breach of a telecommunications company's Zimbra mail server in December 2013. Publicly available sources associate the actor with Russia, although no further personal details have been disclosed. The incident came to light in November 2015 when the actor attempted to sell approximately 200,000 cleartext credentials on an underground marketplace. According to the actor's own statements, the compromise yielded around 800,000 credential pairs, of which 590,000 contained passwords stored in plaintext. The affected company reset passwords for about 200,000 accounts after the data appeared for sale.

The actor described gaining access through a directory traversal vulnerability affecting the Zimbra mail server, specifically referencing CVE-2013-7091 as the exploited flaw. No malware families or custom tooling were mentioned in the reporting; the attack relied solely on the web application vulnerability to retrieve credential data. Orion contrasted his results with those of the group NullCrew, stating that NullCrew had obtained only about 27,000 email addresses without passwords while his own effort yielded the larger credential set. This comparison suggests a loose association with NullCrew but does not establish a formal membership or hierarchical relationship. The actor's location in Russia remains the only geographic detail provided in open sources.

The alleged breach was directed at a telecommunications provider, indicating a focus on the telecom sector for the purpose of harvesting user credentials. The actor's stated motivation appears to be financial, as he attempted to monetize the stolen data by offering it for sale on a hidden marketplace. Although the victim company disputed the occurrence of the breach and suggested alternative explanations such as phishing or third‑party compromises, the reset of 200,000 passwords demonstrates a tangible impact on account security. Security commentators highlighted the storage of passwords in cleartext as a serious security failing that facilitated the actor's ability to exploit the data. No additional campaigns or malware families have been publicly attributed to Orion beyond this incident.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source