Microsoft attributes Charlie Hebdo data leak to Iran-linked NEPTUNIUM APT

Microsoft attributes a recent cyber attack against the satirical French magazine Charlie Hebdo to an Iran-linked NEPTUNIUM APT group.

Microsoft’s Digital Threat Analysis Center (DTAC) attributes a recent cyberattack against the satirical French magazine Charlie Hebdo to an Iran-linked threat actor tracked as NEPTUNIUM (aka Emennet Pasargad, Holy Souls). The attack is retaliation for Charlie Hebdo’s launch of a cartoon contest to mock Iran’s ruling cleric.

In early January, the threat actor claimed to have hacked the database of the magazine and obtained the personal information of more than 200,000 customers. The group released a sample of the data as proof of the hack; the exposed data include the full names, telephone numbers, and home and email addresses of accounts that had subscribed to, or purchased merchandise from, Charlie Hebdo.

This data leak puts subscribers at risk of online or physical targeting by extremist organizations.

“One month before Holy Souls conducted its attack, the magazine announced it would be holding an international competition for cartoons “ridiculing” Iranian Supreme Leader Ali Khamenei,” reads the post published by Microsoft. “The issue featuring the winning cartoons was to be published in early January, timed to coincide with the eighth anniversary of an attack by two al-Qa’ida in the Arabian Peninsula (AQAP)-inspired assailants on the magazine’s offices.”

The Holy Souls group advertised the huge trove of data for sale for 20 BTC (equal to roughly $340,000 at the time).

French paper of record Le Monde verified the authenticity of data for multiple victims of the leak.

“The insulting and discourteous action of the French publication […] against the religious and political-spiritual authority will not be […] left without a response,” Iranian Foreign Minister Hossein Amir-Abdollahian tweeted on January 4.

Charlie Hebdo did not comment on the Microsoft findings.

“While the attribution we’re making today is based on a larger set of intelligence available to Microsoft’s DTAC team, the pattern seen here is typical of Iranian state-sponsored operations. These patterns have also been identified by the FBI’s October 2022 Private Industry Notification (PIN) as being used by Iran-linked actors to run cyber-enabled influence operations,” concludes Microsoft. “The campaign targeting Charlie Hebdo made use of dozens of French-language sockpuppet accounts to amplify the campaign and distribute antagonistic messaging.”


Pierluigi Paganini

(SecurityAffairs – hacking, Iran)



