Sanctioned Iranian hackers behind Charlie Hebdo breach, Microsoft says
An Iranian cybersecurity company sanctioned by the U.S. government for meddling in U.S. elections was responsible for stealing and attempting to sell subscriber data from the French satirical magazine Charlie Hebdo, Microsoft researchers said Friday.
The hackers, believed to be affiliated with the sanctioned Iranian cybersecurity company Emennet Pasargad, breached Charlie Hebdo’s systems after the publication announced in December a contest for caricatures of Supreme Leader Ayatollah Ali Khamenei, whom it described as a “symbol of backward-looking, narrow-minded, intolerant religious power.”
On January 4, a user identifying themselves as “Holy Souls” posted a notice to a popular hacking forum claiming that it had obtained the personal information of 230,000 Charlie Hebdo customers — including names, emails, phone numbers, addresses and financial information. The user claimed to have obtained an additional 250,000 other documents, including invoices, tax reports and “Classified documents.”
The user wanted 20 bitcoins — worth roughly $340,000 at the time — in exchange for the data. The user’s post included screenshots purporting to show the data, and the French newspaper Le Monde verified with several victims the veracity of the data contained in the sample.
In 2015, Islamic State militants attacked the offices of Charlie Hebdo, leaving 12 people dead. The magazine, with a long history of publishing inflammatory satire, landed in the crosshairs of extremist militants in large part due to its history of publishing cartoons of the Prophet Muhammad.
Microsoft researchers cautioned that the hack may put the magazine’s subscribers in danger. “The release of the full cache of stolen data — assuming the hackers actually have the data they claim to possess — would essentially constitute the mass doxing of the readership of a publication that has already been subject to extremist threats (2020) and deadly terror attacks (2015),” the researchers said.
In 2021, the U.S. government sanctioned Emennet Pasargad — a group Microsoft also tracks as “Neptunium” — along with several people working for the company for their role in a sprawling attempt to interfere in the 2020 U.S. presidential elections. U.S. prosecutors accused men linked to the company of sending Democratic voters emails purporting to be from the Proud Boys, as well as accessing confidential voter information in one state and attempting to access election sites in 11 states total.
Ahead of the 2022 midterm elections, the FBI issued a bulletin warning that Emennet Pasargad had been using “false-flag campaigns under multiple personas” to target Israeli organizations with hack-and-leak campaigns and could use them against targets in the United States.
Microsoft researchers concluded that Emennet Pasargad was responsible for the breach “based on a larger set of intelligence” as well as an analysis of the open source technical, behavioral and contextual evidence.
Shortly after Holy Souls posted the leak, it was amplified “by a concerted operation across several social media platforms,” the researchers said, which made use of a set of tactics previously witnessed in Iranian-aligned influence operations. Before the attack was widely reported, a network of inauthentic sockpuppet accounts posted identical screenshots of a defaced Charlie Hebdo website.