A recent attack in which a threat group calling itself "Holy Souls" accessed a database belonging to the satirical French magazine Charlie Hebdo and threatened to dox more than 200,000 of its subscribers was the work of the Iranian state actor Neptunium, Microsoft said on Feb. 3.
The attack appears to have been a response by the Iranian government to a cartoon contest that Charlie Hebdo announced in December, in which the magazine invited readers from around the world to submit caricatures "ridiculing" Iran's Supreme Leader Ali Khamenei. Results of the contest were to be published on Jan. 7, the eighth anniversary of a deadly 2015 terror attack on Charlie Hebdo, carried out in retaliation for publishing cartoons of the Prophet Mohammed, that left 12 of its staffers dead.
Doxing May Have Put Subscribers at Risk of Physical Targeting
Microsoft said it determined Neptunium was responsible for the attack based on artifacts and intelligence that researchers from its Digital Threat Analysis Center (DTAC) had collected. The data showed that Neptunium timed its attack to coincide with the Iranian government's formal criticism of the cartoons, and with its threats in early January to retaliate against Charlie Hebdo for them, Microsoft said.
Following the attack, Neptunium announced it had accessed personal information belonging to some 230,000 Charlie Hebdo subscribers, including their full names, telephone numbers, postal addresses, email addresses, and financial information. The threat actor released a small sample of the data as proof of access and offered the full tranche to anyone willing to buy it for 20 Bitcoin, or about $340,000 at the time, Microsoft said.
"This information, obtained by the Iranian actor, could put the magazine's subscribers at risk of online or physical targeting by extremist organizations," the company assessed, a very real concern given that Charlie Hebdo followers have been targeted more than once outside of the 2015 incident.
Many of the actions that Neptunium took in executing the attack, and following it, were consistent with tactics, techniques, and procedures (TTPs) that other Iranian state actors have employed when carrying out influence operations, Microsoft said. These included the use of a hacktivist identity (Holy Souls) to claim credit for the attack, the leaking of private data, and the use of fake, or "sockpuppet," social media personas to amplify news of the attack on Charlie Hebdo.
For example, following the attack, two social media accounts (one impersonating a senior French tech executive and the other an editor at Charlie Hebdo) began posting screenshots of the leaked information, Microsoft said. The company said its researchers observed other fake social media accounts tweeting news of the attack to media organizations, while others accused Charlie Hebdo of working on behalf of the French government.
Iranian Influence Operations: A Familiar Threat
Neptunium, which the US Department of Justice has been tracking as "Emennet Pasargad," is a threat actor associated with several cyber-enabled influence operations in recent years. It is one of many apparently state-backed threat actors operating out of Iran that have heavily targeted US organizations in recent years.
Neptunium's campaigns include one in which the threat actor attempted to influence the outcome of the US 2020 general elections by, among other things, stealing voter information, intimidating voters via email, and distributing a video about nonexistent vulnerabilities in voting systems. As part of the campaign, Neptunium actors masqueraded as members of the right-wing Proud Boys group, the FBI's investigation of the group showed. In addition to its Iran government-backed influence operations, Neptunium is also associated with more conventional cyberattacks dating back to 2018 against news organizations, financial companies, government networks, telecommunications firms, and oil and petrochemical entities.
The FBI said that Emennet Pasargad is actually an Iran-based cybersecurity company working on behalf of the government there. In November 2021, a US grand jury in New York indicted two of its employees on a variety of charges, including computer intrusion, fraud, and voter intimidation. The US government has offered $10 million as a reward for information leading to the capture and conviction of the two individuals.
Neptunium's TTPs: Reconnaissance & Web Searches
The FBI has described the group's MO as including first-stage reconnaissance on potential targets via Web searches, and then using the results to scan for vulnerable software that the targets could be using.
"In some instances, the objective may have been to exploit a large number of networks/websites in a particular sector as opposed to a specific organizational target," the FBI has noted. "In other situations, Emennet would also attempt to identify hosting/shared hosting services."
The FBI's analysis of the group's attacks shows that it has particular interest in webpages running PHP code and externally accessible MySQL databases. Also of high interest to the group are WordPress plug-ins such as revslider and layerslider, and websites that run on Drupal, Apache Tomcat, CKEditor, or FCKeditor, the FBI said.
When attempting to break into a target network, Neptunium first checks whether the organization might be using default passwords for specific applications, and it tries to identify admin or login pages.
"It should be assumed Emennet may attempt common plaintext passwords for any login sites they identify," the FBI said.