Microsoft: Iranian Nation-State Group Sanctioned by U.S. Behind Charlie Hebdo Hack
The hack of the French satirical magazine Charlie Hebdo in early January 2023 has been attributed to an Iranian nation-state group sanctioned by the U.S. government.
Microsoft, which disclosed details of the incident, is tracking the activity cluster under its chemical element-themed moniker NEPTUNIUM, an Iran-based company known as Emennet Pasargad.
In January 2022, the U.S. Federal Bureau of Investigation (FBI) tied the state-backed cyber unit to a sophisticated influence campaign carried out to interfere with the 2020 presidential elections. Two Iranian nationals have been charged for their role in the disinformation and threat campaign.
Microsoft’s disclosure comes after a “hacktivist” group named Holy Souls (now identified as NEPTUNIUM) claimed to be in possession of the personal information of more than 200,000 Charlie Hebdo customers, including their full names, telephone numbers, and home and email addresses.
The breach, which allowed NEPTUNIUM to gain access to an internal database, is suspected to have been orchestrated in retaliation against the publication for holding a cartoon contest “ridiculing” Iranian Supreme Leader Ali Khamenei.
The release of the full cache of stolen data could lead to mass doxing, Redmond further cautioned.
“After Holy Souls posted the sample data on YouTube and multiple hacker forums, the leak was amplified by a concerted operation across several social media platforms,” the Windows maker’s Digital Threat Analysis Center (DTAC) said.
“This amplification effort made use of a particular set of influence tactics, techniques, and procedures (TTPs) DTAC has witnessed before in Iranian hack-and-leak influence operations.”
The points of similarity include the use of false-flag personas to conduct their hack-and-leak operations, inauthentic sockpuppet accounts, and the impersonation of authoritative sources, corroborating an October 2022 advisory from the FBI.
The goal, the FBI assessed, is to “undermine public confidence in the security of the victim’s network and data, as well as embarrass victim companies and targeted countries.”
“These hack-and-leak campaigns involve a combination of hacking / theft of data and information operations that impact victims via financial losses and reputational damage,” the agency added.