Iran-Backed Actor Behind ‘Holy Souls’ Cyberattack on Charlie Hebdo, Microsoft Says


A recent attack in which a threat group calling itself "Holy Souls" accessed a database belonging to the satirical French magazine Charlie Hebdo and threatened to dox more than 200,000 of its subscribers was the work of the Iranian state actor Neptunium, Microsoft said on Feb. 3.

The attack appears to have been a response by the Iranian government to a cartoon contest that Charlie Hebdo announced in December, in which the magazine invited readers from around the world to submit caricatures "ridiculing" Iran's Supreme Leader Ali Khamenei. Results of the contest were to be published on Jan. 7, the eighth anniversary of the deadly 2015 terror attack on Charlie Hebdo, carried out in retaliation for its publication of cartoons of the Prophet Mohammed, that left 12 of its staffers dead.

Doxing Could Have Put Subscribers at Risk of Physical Targeting

Microsoft said it determined Neptunium was responsible for the attack based on artifacts and intelligence that researchers from its Digital Threat Analysis Center (DTAC) had collected. The data showed that Neptunium timed its attack to coincide with the Iranian government's formal criticism of the cartoons, and with its threats in early January to retaliate against Charlie Hebdo for them, Microsoft said.

Following the attack, Neptunium announced it had accessed personal information belonging to some 230,000 Charlie Hebdo subscribers, including their full names, phone numbers, postal addresses, email addresses, and financial information. The threat actor released a small sample of the data as proof of access and offered the full tranche to anyone willing to buy it for 20 Bitcoin, or about $340,000 at the time, Microsoft said.

"This information, obtained by the Iranian actor, could put the magazine's subscribers at risk of online or physical targeting by extremist organizations," the company assessed, a very real concern given that Charlie Hebdo supporters have been targeted more than once outside of the 2015 incident.

Many of the actions that Neptunium took in executing the attack, and following it, were consistent with tactics, techniques, and procedures (TTPs) that other Iranian state actors have employed when carrying out influence operations, Microsoft said. These included the use of a hacktivist identity (Holy Souls) to claim credit for the attack, the leaking of private data, and the use of fake, or "sockpuppet," social media personas to amplify news of the attack on Charlie Hebdo.

For instance, following the attack, two social media accounts (one impersonating a senior French tech executive and the other an editor at Charlie Hebdo) began posting screenshots of the leaked information, Microsoft said. The company said its researchers observed other fake social media accounts tweeting news of the attack to media organizations, while others accused Charlie Hebdo of working on behalf of the French government.

Iranian Influence Operations: A Familiar Threat

Neptunium, which the US Department of Justice has been tracking as "Emennet Pasargad," is a threat actor associated with multiple cyber-enabled influence operations in recent years. It is one of many apparently state-backed threat actors operating out of Iran that have heavily targeted US organizations.

Neptunium's campaigns include one in which the threat actor attempted to influence the outcome of the US 2020 general elections by, among other things, stealing voter information, intimidating voters via email, and distributing a video about nonexistent vulnerabilities in voting systems. As part of the campaign, Neptunium actors masqueraded as members of the right-wing Proud Boys group, the FBI's investigation of the group showed. In addition to its Iran government-backed influence operations, Neptunium is also associated with more traditional cyberattacks dating back to 2018 against news organizations, financial firms, government networks, telecommunications companies, and oil and petrochemical entities.

The FBI said that Emennet Pasargad is actually an Iran-based cybersecurity company working on behalf of the government there. In November 2021, a US grand jury in New York indicted two of its employees on a variety of charges, including computer intrusion, fraud, and voter intimidation. The US government has offered a $10 million reward for information leading to the capture and conviction of the two individuals.

Neptunium’s TTPs: Reconnaissance & Web Searches

The FBI has described the group's MO as beginning with first-stage reconnaissance on potential targets via Web searches, then using the results to scan for vulnerable software that the targets might be running.

"In some instances, the objective may have been to exploit a large number of networks/websites in a particular sector as opposed to a specific organization target," the FBI has noted. "In other situations, Emennet would also attempt to identify hosting/shared hosting services."

The FBI's analysis of the group's attacks shows that it has a particular interest in webpages running PHP code and in externally accessible MySQL databases. Also of high interest to the group are WordPress plug-ins such as revslider and layerslider, and websites that run on Drupal, Apache Tomcat, CKEditor, or FCKeditor, the FBI said.

When attempting to break into a target network, Neptunium first checks whether the organization might be using default passwords for specific applications, and it tries to identify admin or login pages.

"It should be assumed Emennet may attempt common plaintext passwords for any login sites they identify," the FBI said.
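The reconnaissance-then-login-probing MO described above leaves a recognizable trail in ordinary web server access logs. The following Python script is an added example, not code from Microsoft, the FBI, or Dark Reading. It parses constructed Apache/Nginx combined-format log lines and flags three things: requests for the product families the FBI lists (revslider, layerslider, CKEditor/FCKeditor, Tomcat, Drupal, WordPress admin pages); source IPs that touch several of those families in one log, which is what scanning rather than normal browsing looks like; and repeated POSTs to login pages from a single IP, which is the server-side view of default or plaintext password guessing. The URL fragments, the thresholds, the IP addresses and the log lines are all assumptions constructed for this example; the FBI notice names products, not paths. Exposure of MySQL to the Internet does not show up in HTTP logs and needs a separate port-level check.

```python
"""Flag access-log entries that fit the reconnaissance and credential-guessing
MO the FBI attributes to Emennet Pasargad (Neptunium).

Added example; not Microsoft's, the FBI's or Dark Reading's code. Every log
line, IP address and URL path below is constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Apache/Nginx "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Product families the FBI notice names (revslider, layerslider, CKEditor,
# FCKeditor, Tomcat, Drupal, WordPress) plus generic admin/login locations.
# The notice lists products, not URLs: these path fragments are assumptions.
TARGET_SIGNATURES = {
    "wp-plugin-revslider": re.compile(r"/revslider/", re.I),
    "wp-plugin-layerslider": re.compile(r"/layerslider/", re.I),
    "ckeditor": re.compile(r"/ckeditor/", re.I),
    "fckeditor": re.compile(r"/fckeditor/", re.I),
    "tomcat-manager": re.compile(r"^/manager/(html|text|status)", re.I),
    "drupal-login": re.compile(r"^/user/login", re.I),
    "wp-login": re.compile(r"^/wp-login\.php", re.I),
    "wp-admin": re.compile(r"^/wp-admin", re.I),
    "generic-admin": re.compile(r"^/(admin|administrator|login)(/|$)", re.I),
}
# Signatures that denote a login form; repeated POSTs here indicate guessing.
LOGIN_SIGNATURES = {"tomcat-manager", "drupal-login", "wp-login", "generic-admin"}


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_path(path):
    """Names of every signature the request path matches (query string ignored)."""
    bare = path.split("?", 1)[0]
    return [name for name, rx in TARGET_SIGNATURES.items() if rx.search(bare)]


def analyze(log_text, login_post_threshold=5, recon_min_families=3):
    """Summarise targeted requests, scanning sources and login-guessing sources (thresholds are assumptions)."""
    targeted = []                      # (ip, path, [signatures]) per matching request
    families_by_ip = defaultdict(set)  # ip -> product families it touched
    login_posts = Counter()            # ip -> number of POSTs to login pages
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or foreign-format line: skip, do not crash
        sigs = classify_path(rec["path"])
        if not sigs:
            continue
        targeted.append((rec["ip"], rec["path"], sigs))
        families_by_ip[rec["ip"]].update(sigs)
        if rec["method"] == "POST" and LOGIN_SIGNATURES.intersection(sigs):
            login_posts[rec["ip"]] += 1
    return {
        "targeted": targeted,
        "recon_ips": {ip: sorted(f) for ip, f in families_by_ip.items()
                      if len(f) >= recon_min_families},
        "login_guessing": {ip: n for ip, n in login_posts.items()
                           if n >= login_post_threshold},
    }


# Constructed sample: one scanner (203.0.113.10) walking the FBI-listed targets
# and then hammering wp-login.php, and one ordinary visitor (198.51.100.7).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2023:02:14:07 +0000] "GET /wp-content/plugins/revslider/release_log.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2023:02:14:08 +0000] "GET /wp-content/plugins/layerslider/README.txt HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2023:02:14:09 +0000] "GET /fckeditor/editor/filemanager/connectors/php/connector.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2023:02:14:10 +0000] "GET /manager/html HTTP/1.1" 401 2473 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2023:02:14:11 +0000] "GET /wp-login.php HTTP/1.1" 200 6218 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2023:02:14:12 +0000] "POST /wp-login.php HTTP/1.1" 200 6310 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2023:02:14:13 +0000] "POST /wp-login.php HTTP/1.1" 200 6310 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2023:02:14:14 +0000] "POST /wp-login.php HTTP/1.1" 200 6310 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2023:02:14:15 +0000] "POST /wp-login.php HTTP/1.1" 200 6310 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jan/2023:02:14:16 +0000] "POST /wp-login.php HTTP/1.1" 200 6310 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2023:02:20:01 +0000] "GET /index.php HTTP/1.1" 200 15100 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2023:02:20:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is deliberately malformed and is skipped
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, fams in report["recon_ips"].items():
        print(f"scanner {ip}: probed {', '.join(fams)}")
    for ip, n in report["login_guessing"].items():
        print(f"login guessing from {ip}: {n} POSTs to login pages")
```

To run it against real data, replace SAMPLE_LOG with the contents of your access log. The single visitor who posts once to wp-login.php is deliberately not flagged: the signal is breadth across product families and volume against a login form, not any one request, and the thresholds should be tuned to the site's normal traffic before alerting on them.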
