The early January 2023 hack of the French satirical magazine Charlie Hebdo has been attributed to an Iranian nation-state group that is under U.S. government sanctions.
Microsoft, which disclosed details of the incident, tracks the activity cluster under its chemical element-themed moniker NEPTUNIUM, which it assesses to be the Iran-based company Emennet Pasargad.
In January 2022, the U.S. Federal Bureau of Investigation (FBI) tied the state-backed cyber unit to a sophisticated influence campaign carried out to interfere with the 2020 presidential elections. Two Iranian nationals have been indicted for their role in the disinformation and threat campaign.
Microsoft's disclosure comes after a "hacktivist" group named Holy Souls (now identified as NEPTUNIUM) claimed to be in possession of the personal information of more than 200,000 Charlie Hebdo customers, including their full names, telephone numbers, and home and email addresses.
The breach, which allowed NEPTUNIUM to gain access to an internal database, is suspected to have been orchestrated as a retaliation against the publication for conducting a cartoon contest "ridiculing" Iranian Supreme Leader Ali Khamenei.
The release of the full cache of stolen data, which was advertised for 20 Bitcoin, could lead to mass doxing and put its readership at risk of online or physical targeting by extremist organizations, Redmond further cautioned.
"After Holy Souls posted the sample data on YouTube and multiple hacker forums, the leak was amplified by a concerted operation across several social media platforms," the Windows maker's Digital Threat Analysis Center (DTAC) said.
"This amplification effort made use of a particular set of influence tactics, techniques, and procedures (TTPs) DTAC has witnessed before in Iranian hack-and-leak influence operations."
The points of similarity include the use of false-flag personas to conduct their hack-and-leak operations, inauthentic sockpuppet accounts, and the impersonation of authoritative sources, corroborating an October 2022 advisory from the FBI.
The goal, the FBI assessed, is to "undermine public confidence in the security of the victim's network and data, as well as embarrass victim companies and targeted countries."
"These hack-and-leak campaigns involve a combination of hacking / theft of data and information operations that impact victims via financial losses and reputational damage," the agency added.