Microsoft attributes Charlie Hebdo data leak to Iran-linked NEPTUNIUM APT

Microsoft attributes a recent cyber attack against the satirical French magazine Charlie Hebdo to an Iran-linked NEPTUNIUM APT group.

Microsoft’s Digital Threat Analysis Center (DTAC) attributes a recent cyberattacks against the satirical French magazine Charlie Hebdo to an Iran-linked threat actor tracked as NEPTUNIUM (aka Emennet Pasargad, Holy Souls). The attack is a retaliation for the initiative of Charlie Hebdo of launching a cartoon contest to mock Iran’s ruling cleric.

In early January, the threat actor claimed to have hacked the database of the magazine and obtained the personal information of more than 200,000 customers. The group released a sample of the data as a proof of the hack, exposed data include the full names, telephone numbers, and home and email addresses of accounts that had subscribed to, or purchased merchandise from, Charlie Hebdo.

This data leak puts subscribers at risk of online or physical targeting by extremist organizations.

“One month before Holy Souls conducted its attack, the magazine announced it would be holding an international competition for cartoons “ridiculing” Iranian Supreme Leader Ali Khamenei.” reads the post published by Microsoft. “The issue featuring the winning cartoons was to be published in early January, timed to coincide with the eighth anniversary of an attack by two al-Qa’ida in the Arabian Peninsula (AQAP)-inspired assailants on the magazine’s offices.”

The Holy Souls group advertised the huge trove of data for sale for 20 BTC (equal to roughly $340,000 at the time).

French paper of record Le Monde verified the authenticity of data for multiple victims of the leak.

“The insulting and discourteous action of the French publication […] against the religious and political-spiritual authority will not be […] left without a response.” Iranian Foreign Minister Hossein Amir-Abdollahian tweeted on January 4.

Charlie Hebdo did not comment on the Microsoft findings.

“While the attribution we’re making today is based on a larger set of intelligence available to Microsoft’s DTAC team, the pattern seen here is typical of Iranian state-sponsored operations. These patterns have also been identified by the FBI’s October 2022 Private Industry Notification (PIN) as being used by Iran-linked actors to run cyber-enabled influence operations.” concludes Microsoft. “The campaign targeting Charlie Hebdo made use of dozens of French-language sockpuppet accounts to amplify the campaign and distribute antagonistic messaging.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.