A recent attack where a threat group calling itself "Holy Souls" accessed a database belonging to satirical French magazine Charlie Hebdo and threatened to dox more than 200,000 of its subscribers was the work of Iranian state-actor Neptunium, Microsoft said on Feb. 3.
The attack appears to have been a response by the Iranian government to a cartoon contest that Charlie Hebdo announced in December, where the magazine invited readers from around the world to submit caricatures "ridiculing" Iran's Supreme Leader Ali Khamenei. Results of the contest were to be published on Jan. 7, the eighth anniversary of a deadly 2015 terror attack on Charlie Hebdo — in retaliation for publishing cartoons of Prophet Mohammed — that left 12 of its staffers dead.
Doxing Could Have Put Subscribers at Risk of Physical Targeting
Microsoft said it determined Neptunium was responsible for the attack based on artifacts and intelligence that researchers from its Digital Threat Analysis Center (DTAC) had collected. The data showed that Neptunium timed its attack to coincide with the Iranian government's formal criticism of the cartoons, and its threats to retaliate against Charlie Hebdo for them in early January, Microsoft said.
Following the attack, Neptunium announced it had accessed personal information belonging to some 230,000 Charlie Hebdo subscribers, including their full names, phone numbers, postal addresses, email addresses, and financial information. The threat actor released a small sample of the data as proof of access and offered the full tranche to anybody willing to buy it for 20 Bitcoin — or about $340,000 at the time, Microsoft said.
"This information, obtained by the Iranian actor, could put the magazine’s subscribers at risk of online or physical targeting by extremist organizations," the company assessed — a very real concern given that Charlie Hebdo fans have been targeted more than once outside of the 2015 incident.
Many of the actions that Neptunium took in executing the attack, and following it, were consistent with tactics, techniques, and procedures (TTPs) that other Iranian state actors have employed when carrying out influence operations, Microsoft said. This included the use of a hacktivist identity (Holy Souls) in claiming credit for the attack, the leaking of private data, and the use of fake — or "sockpuppet" — social media personas to amplify news of the attack on Charlie Hebdo.
For instance, following the attack, two social media accounts (one impersonating a senior French tech executive and the other an editor at Charlie Hebdo) began posting screenshots of the leaked information, Microsoft said. The company said its researchers observed other fake social media accounts tweeting news of the attack to media organizations, while others accused Charlie Hebdo of working on behalf of the French government.
Iranian Influence Operations: A Familiar Threat
Neptunium, which the US Department of Justice has been tracking as "Emennet Pasargad," is a threat actor associated with multiple cyber-enabled influence operations in recent years. It is one of many apparently state-backed threat actors working out of Iran that have heavily targeted US organizations in recent years.
Neptunium's campaigns include one where the threat actor attempted to influence the outcome of the US 2020 general elections by, among other things, stealing voter information, intimidating voters via email, and distributing a video about nonexisting vulnerabilities in voting systems. As part of the campaign, Neptunium actors masqueraded as members of the right-wing Proud Boys group, FBI's investigation of the group showed. In addition to its Iran government-backed influence operations, Neptunium is also associated with more traditional cyberattacks dating back to 2018 against news organizations, financial companies, government networks, telecommunications firms, and oil and petrochemical entities.
The FBI said that Emennet Pasargad is actually an Iran-based cybersecurity company working on behalf of the government there. In November 2021, a US grand jury in New York indicted two of its employees on a variety of charges, including computer intrusion, fraud, and voter intimidation. The US government has offered $10 million as reward for information leading to the capture and conviction of the two individuals.
Neptunium's TTPs: Reconnaissance & Web Searches
The FBI has described the group's MO as including first-stage reconnaissance on potential targets via Web searches, and then using the results to scan for vulnerable software that the targets could be using.
"In some instances, the objective may have been to exploit a large number of networks/websites in a particular sector as opposed to a specific organization target," the FBI has noted. "In other situations, Emennet would also attempt to identify hosting/shared hosting services."
The FBI's analysis of the group's attacks shows that it has specific interest in webpages running PHP code, and externally accessible MySQL databases. Also of high interest to the group are WordPress plug-ins such as revslider and layerslider, and websites that run on Drupal, Apache Tomcat, Ckeditor, or Fckeditor, the FBI said.
When attempting to break into a target network, Neptunium first verifies if the organization might be using default passwords for specific applications, and it tries to identify admin or login pages.
"It should be assumed Emennet may attempt common plaintext passwords for any login sites they identify," the FBI said.