Microsoft’s Digital Threat Analysis Center (DTAC) has attributed a recent influence operation targeting the satirical French magazine Charlie Hebdo to an Iranian nation-state actor. Microsoft dubbed the threat group, which calls itself Holy Souls, NEPTUNIUM. It has also been identified as Emennet Pasargad by the US Department of Justice.

In January, the group claimed to have obtained the personal information of more than 200,000 Charlie Hebdo customers after access to a database, which Microsoft believes was in response to a cartoon contest conducted by the magazine. The information included a spreadsheet detailing the full names, telephone numbers, and home and email addresses of accounts that had subscribed to, or purchased merchandise from, the publication.

“This information, obtained by the Iranian actor, could put the magazine’s subscribers at risk of online or physical targeting by extremist organizations,” Microsoft’s DTAC wrote. The announcement came in the same week as new research which revealed that most UK IT leaders believe that foreign states are using the ChatGPT chatbot maliciously to target other nations.

Attack revenge for cartoon competition resembles other Iranian nation-state campaigns

In December last year, Charlie Hebdo launched an international competition for cartoons “ridiculing” Iranian Supreme Leader Ali Khamenei, timed to coincide with the eighth anniversary of an attack by two al-Qa’ida in the Arabian Peninsula (AQAP)-inspired assailants on the magazine’s offices. The competition was publicly criticized by the Iranian Foreign Minister Hossein Amir-Abdollahian in January.

NEPTUNIUM (Emennet Pasargad/Holy Souls) advertised the cache of stolen data for sale for 20 Bitcoin (equal to roughly $340,000 at the time). Multiple elements of the attack resemble previous campaigns conducted by Iranian nation-state actors, Microsoft added, including:

• A hacktivist persona claiming credit for the cyberattack
• Claims of a successful website defacement
• Leaking of private data online
• The use of inauthentic social media “sockpuppet” personas
• Impersonation of authoritative sources
• Contacting news media organizations

Sockpuppet accounts impersonate French authority figures, taunt France’s cybersecurity sector

The use of numerous French-language sockpuppet accounts – social media accounts using fictitious or stolen identities to obfuscate the account’s real owner for the purpose of deception – to amplify the campaign and distribute antagonistic messaging was of particular significance, Microsoft wrote. “On January 4, the accounts, many of which have low follower and following counts and were recently created, began posting criticisms of the Khamenei cartoons on Twitter. Crucially, before there had been any substantial reporting on the purported cyberattack, these accounts posted identical screenshots of a defaced website that included the French-language message: ‘Charlie Hebdo a été piraté’ (‘Charlie Hebdo was hacked’).”

Hours later, at least two social media accounts began impersonating French authority figures, while accounts also posted taunting messages including, “For me, the next subject of Charlie’s cartoons should be French cybersecurity experts.” The use of such sockpuppet accounts has been observed in previous Iran-linked operations including an attack claimed by Atlas Group, a partner of Hackers of Savior, which the FBI attributed to Iran in 2022. A key goal of Iranian influence operations is to “undermine public confidence in the security of the victim’s network and data, as well as embarrass victim companies and targeted countries,” the FBI wrote in October 2022.