Microsoft believes the gang who boasted it had stolen and leaked more than 200,000 Charlie Hebdo subscribers’ personal information is none other than a Tehran-backed gang.
On Friday, Redmond’s Digital Threat Analysis Center (DTAC) attributed the cyber-heist to Iran’s Neptunium, which the US Department of Justice tracks as Emennet Pasargad.
The stolen data, which included names, phone numbers and addresses, “could put the magazine’s subscribers at risk of online or physical targeting by extremist organizations,” said Clint Watts, general manager of DTAC.
“We believe this attack is a response by the Iranian government to a cartoon contest conducted by Charlie Hebdo.”
In December, the satirical French magazine announced a competition for cartoons “ridiculing” Iranian Supreme Leader Ali Khamenei. The winning cartoons would then be published in the mag in early January — marking the eight-year anniversary of the mass shooting inside Charlie Hebdo’s Paris office by two Muslim terrorist brothers that left 12 people dead and 11 others injured.
On January 4, a previously unknown cyber-crime group that called itself Holy Souls claimed to have stolen a Charlie Hebdo database containing 230,000 customers’ names, email addresses, phone numbers, addresses, and financial information, and offered it for sale for about $340,000.
Holy Souls is, in fact, Neptunium, aka Emennet Pasargad, according to Microsoft. This is the same Iranian gang that harassed US voters and launched disinformation campaigns during the 2020 presidential election.
In late October, the FBI issued a warning about this group, which the Feds said is known for using hack-and-leak operations against victims as well as false-flag personas to shift blame elsewhere.
And now, under the guise of Holy Souls, the Iranian government-backed group was up to their same old TTPs.
After claiming to steal the Charlie Hebdo database, the miscreants then released a sample of the data on YouTube, which Le Monde later verified as legitimate.
“The release of the full cache of stolen data – assuming the hackers actually have the data they claim to possess – would essentially constitute the mass doxing of the readership of a publication that has already been subject to extremist threats (2020) and deadly terror attacks (2015),” Watts wrote.
Next up: the influence operation part of Neptunium’s shtick.
As with its previous attacks, the crew used phony social media accounts — including some that claimed to be French authority figures — and contacted news organizations in an attempt to amplify their disinformation campaign.
The miscreants used “dozens” of French-language sockpuppet accounts to criticize Charlie Hebdo and the Khamenei cartoons on Twitter.
“Crucially, before there had been any substantial reporting on the purported cyberattack, these accounts posted identical screenshots of a defaced website that included the French-language message: ‘Charlie Hebdo a été piraté’ (‘Charlie Hebdo was hacked’),” Watts said.
Most of these sockpuppet accounts were created on January 4. Within a few hours of their tweets, Microsoft documented at least two others, one purporting to be a French tech exec and the other a Charlie Hebdo editor, that began posting screenshots of the data dump. Twitter has since suspended both accounts. ®