Microsoft attributes Charlie Hebdo data leak to Iran-linked NEPTUNIUM APT

Microsoft attributes a recent cyber attack against the satirical French magazine Charlie Hebdo to an Iran-linked NEPTUNIUM APT group.

Microsoft’s Digital Threat Analysis Center (DTAC) attributes a recent cyberattacks against the satirical French magazine Charlie Hebdo to an Iran-linked threat actor tracked as NEPTUNIUM (aka Emennet Pasargad, Holy Souls). The attack is a retaliation for the initiative of Charlie Hebdo of launching a cartoon contest to mock Iran’s ruling cleric.

In early January, the threat actor claimed to have hacked the database of the magazine and obtained the personal information of more than 200,000 customers. The group released a sample of the data as a proof of the hack, exposed data include the full names, telephone numbers, and home and email addresses of accounts that had subscribed to, or purchased merchandise from, Charlie Hebdo.

This data leak puts subscribers at risk of online or physical targeting by extremist organizations.

“One month before Holy Souls conducted its attack, the magazine announced it would be holding an international competition for cartoons “ridiculing” Iranian Supreme Leader Ali Khamenei.” reads the post published by Microsoft. “The issue featuring the winning cartoons was to be published in early January, timed to coincide with the eighth anniversary of an attack by two al-Qa’ida in the Arabian Peninsula (AQAP)-inspired assailants on the magazine’s offices.”

The Holy Souls group advertised the huge trove of data for sale for 20 BTC (equal to roughly $340,000 at the time). 

French paper of record Le Monde verified the authenticity of data for multiple victims of the leak.

“The insulting and discourteous action of the French publication […] against the religious and political-spiritual authority will not be […] left without a response.” Iranian Foreign Minister Hossein Amir-Abdollahian tweeted on January 4.

Charlie Hebdo did not comment on the Microsoft findings.

“While the attribution we’re making today is based on a larger set of intelligence available to Microsoft’s DTAC team, the pattern seen here is typical of Iranian state-sponsored operations. These patterns have also been identified by the FBI’s October 2022 Private Industry Notification (PIN) as being used by Iran-linked actors to run cyber-enabled influence operations.” concludes Microsoft. “The campaign targeting Charlie Hebdo made use of dozens of French-language sockpuppet accounts to amplify the campaign and distribute antagonistic messaging.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Iran)