Cyber Threat Actor: Worm
| Actor Type | Location | Known Incidents |
Criminal
|
Russia
|
0 incidents |
|---|
Profile
W0rm is the alias used by a hacker who has claimed responsibility for several intrusions into high‑profile organizations. The actor first came to public attention in 2016 when they disclosed that they had gained access to Citrix’s content management system by using the weak credentials [email protected] and the password Citrix123, which granted them administrative functions including remote support. W0rm reported the vulnerability to Citrix and later discussed the finding on a personal blog and the antichat security forum, after which the Israeli firm CyberInt brought the issue to Citrix’s attention. In addition to the Citrix incident, W0rm has asserted responsibility for earlier intrusions into Adobe Systems, Bank of America and the BBC that occurred in late 2013, and has also claimed to have compromised the servers of the technology news site CNET by exploiting a vulnerability in its implementation of the Symfony PHP framework. The actor has described their motivation as altruistic, stating that they target prominent websites to raise awareness of security flaws and to make the Internet a safer place rather than for financial gain or copyright protection.
The tactics, techniques and procedures described in the open sources focus on the exploitation of weak or default credentials and the exploitation of known web‑application vulnerabilities. In the Citrix case, the actor used a simple username‑password combination to reach administrative panels, while the CNET intrusion involved locating and abusing a flaw in the Symfony framework that allowed unauthorized access to the underlying servers. Once inside, W0rm reportedly accessed administrative functions such as remote support tools and, in the CNET case, claimed the ability to upload malware to customer‑facing systems. No specific malware families, custom toolkits, or advanced persistence mechanisms are mentioned in the available sources, and there is no public attribution to a state‑sponsored group or a criminal syndicate; the actor’s statements emphasize a desire to highlight security shortcomings rather than to profit from the intrusions.
Among the publicly disclosed operations, the Citrix CMS breach stands out as a concrete example of credential‑guessing leading to administrative access, while the CNET breach illustrates the use of a framework‑level vulnerability to reach internal servers. W0rm’s claimed past successes against Adobe, Bank of America and the BBC are referenced in interviews and social‑media posts but are not detailed in the supplied articles. No official government or law‑enforcement attribution has been made, and the actor’s self‑described goal remains the promotion of better security practices through disclosure rather than monetary or espionage motives.
