A
recent
attack
where
a
threat
group
calling
itself
“Holy
Souls”
accessed
a
database
belonging
to
satirical
French
magazine
Charlie
Hebdo
and
threatened
to
dox
more
than
200,000
of
its
subscribers
was
the
work
of
Iranian
state-actor
Neptunium,
Microsoft
said
on
Feb.
3.
The
attack
appears
to
have
been
a
response
by
the
Iranian
government
to
a
cartoon
contest
that
Charlie
Hebdo
announced
in
December,
where
the
magazine
invited
readers
from
around
the
world
to
submit
caricatures
“ridiculing”
Iran’s
Supreme
Leader
Ali
Khamenei.
Results
of
the
contest
were
to
be
published
on
Jan.
7,
the
eighth
anniversary
of
a
deadly
2015
terror
attack
on
Charlie
Hebdo
—
in
retaliation
for
publishing
cartoons
of
Prophet
Mohammed
—
that
left
12
of
its
staffers
dead.
Doxing
Could
Have
Put
Subscribers
at
Risk
of
Physical
Targeting
Microsoft
said
it
determined
Neptunium
was
responsible
for
the
attack
based
on
artifacts
and
intelligence
that
researchers
from
its
Digital
Threat
Analysis
Center
(DTAC)
had
collected.
The
data
showed
that
Neptunium
timed
its
attack
to
coincide
with
the
Iranian
government’s
formal
criticism
of
the
cartoons,
and
its
threats
to
retaliate
against
Charlie
Hebdo
for
them
in
early
January,
Microsoft
said.
Following
the
attack,
Neptunium
announced
it
had
accessed
personal
information
belonging
to
some
230,000
Charlie
Hebdo
subscribers,
including
their
full
names,
phone
numbers,
postal
addresses,
email
addresses,
and
financial
information.
The
threat
actor
released
a
small
sample
of
the
data
as
proof
of
access
and
offered
the
full
tranche
to
anybody
willing
to
buy
it
for
20
Bitcoin
—
or
about
$340,000
at
the
time,
Microsoft
said.
“This
information,
obtained
by
the
Iranian
actor,
could
put
the
magazine’s
subscribers
at
risk
of
online
or
physical
targeting
by
extremist
organizations,”
the
company
assessed
—
a
very
real
concern
given
that
Charlie
Hebdo
fans
have
been
targeted
more
than
once
outside
of
the
2015
incident.
Many
of
the
actions
that
Neptunium
took
in
executing
the
attack,
and
following
it,
were
consistent
with
tactics,
techniques,
and
procedures
(TTPs)
that
other
Iranian
state
actors
have
employed
when
carrying
out
influence
operations,
Microsoft
said.
This
included
the
use
of
a
hacktivist
identity
(Holy
Souls)
in
claiming
credit
for
the
attack,
the
leaking
of
private
data,
and
the
use
of
fake
—
or
“sockpuppet”
—
social
media
personas
to
amplify
news
of
the
attack
on
Charlie
Hebdo.
For
instance,
following
the
attack,
two
social
media
accounts
(one
impersonating
a
senior
French
tech
executive
and
the
other
an
editor
at
Charlie
Hebdo)
began
posting
screenshots
of
the
leaked
information,
Microsoft
said.
The
company
said
its
researchers
observed
other
fake
social
media
accounts
tweeting
news
of
the
attack
to
media
organizations,
while
others
accused
Charlie
Hebdo
of
working
on
behalf
of
the
French
government.
Iranian
Influence
Operations: A
Familiar
Threat
Neptunium,
which
the
US
Department
of
Justice
has
been
tracking
as
“Emennet
Pasargad,”
is
a
threat
actor
associated
with
multiple
cyber-enabled
influence
operations
in
recent
years.
It
is
one
of
many
apparently
state-backed
threat
actors
working
out
of
Iran
that
have
heavily
targeted
US
organizations
in
recent
years.
Neptunium’s
campaigns
include
one
where
the
threat
actor
attempted
to
influence
the
outcome
of
the
US
2020
general
elections
by,
among
other
things,
stealing
voter
information,
intimidating
voters
via
email,
and
distributing
a
video
about
nonexisting
vulnerabilities
in
voting
systems.
As
part
of
the
campaign,
Neptunium
actors
masqueraded
as
members
of
the
right-wing
Proud
Boys
group,
FBI’s
investigation
of
the
group
showed.
In
addition
to
its
Iran
government-backed
influence
operations,
Neptunium
is
also
associated
with
more
traditional
cyberattacks
dating
back
to
2018
against
news
organizations,
financial
companies,
government
networks,
telecommunications
firms,
and
oil
and
petrochemical
entities.
The
FBI
said
that
Emennet
Pasargad
is
actually
an
Iran-based
cybersecurity
company
working
on
behalf
of
the
government
there.
In
November
2021,
a
US
grand
jury
in
New
York
indicted
two
of
its
employees
on
a
variety
of
charges,
including
computer
intrusion,
fraud,
and
voter
intimidation.
The
US
government
has
offered
$10
million
as
reward
for
information
leading
to
the
capture
and
conviction
of
the
two
individuals.
Neptunium’s
TTPs:
Reconnaissance
&
Web
Searches
The
FBI
has
described
the
group’s
MO as
including
first-stage
reconnaissance
on
potential
targets
via
Web
searches,
and
then
using
the
results
to
scan
for
vulnerable
software
that
the
targets
could
be
using.
“In
some
instances,
the
objective
may
have
been
to
exploit
a
large
number
of
networks/websites
in
a
particular
sector
as
opposed
to
a
specific
organization
target,”
the
FBI
has
noted.
“In
other
situations,
Emennet
would
also
attempt
to
identify
hosting/shared
hosting
services.”
The
FBI’s
analysis
of
the
group’s
attacks
shows
that
it
has
specific
interest
in
webpages
running
PHP
code,
and
externally
accessible
MySQL
databases.
Also
of
high
interest
to
the
group
are
WordPress
plug-ins
such
as
revslider
and
layerslider,
and
websites
that
run
on
Drupal,
Apache
Tomcat,
Ckeditor,
or
Fckeditor,
the
FBI
said.
When
attempting
to
break
into
a
target
network,
Neptunium
first
verifies
if
the
organization
might
be
using
default
passwords
for
specific
applications,
and
it
tries
to
identify
admin
or
login
pages.
“It
should
be
assumed
Emennet
may
attempt
common
plaintext
passwords
for
any
login
sites
they
identify,”
the
FBI
said.
About Author
