cyber daily logo

Breaking news and updates daily. Subscribe to our Newsletter

Breaking news and updates daily. Subscribe to our Newsletter X facebook linkedin Instagram Instagram

Iranian threat actors responsible for recent Charlie Hebdo data breach

Earlier this month, the controversial French magazine Charlie Hebdo suffered a cyber attack that saw the personal data of more than 200,000 of its customers possibly exposed.

user icon David Hollingworth
Mon, 06 Feb 2023
Iranian threat actors responsible for recent Charlie Hebdo data breach
expand image

Late last week, Microsoft’s Digital Threat Analysis Centre attributed the attack to an “Iranian nation-state actor” that it called Neptunium but is otherwise known as Emennet Pasargad.

The group claimed responsibility for the attack under the name Holy Souls, which itself is a new appellation on a popular data breach site. As of 4 January, the group was offering the data for the price of 20 bitcoins and on offer were the names and addresses of 230,000 Charlie Hebdo customers, along with email addresses and financial information.

Alongside that data, Holy Souls claimed to have a further 250,000 documents including invoices and tax reports.


To prove the data was real, a sample was also posted and this has been independently verified by French paper Le Monde, which has spoken to some of the individuals on the sample list.

The attack followed a competition run by Charlie Hebdo that called for contestants to produce caricatures of Iran’s Supreme Leader and the nature of the attack itself, plus how it was followed up on social media, lead Microsoft’s DTAC to look to an Iranian-backed actor.

On the same day as the hack, Iran’s Foreign Ministry summoned the French ambassador to the country and closed down the French Institute for Research in Iran.

“The insulting and discourteous action of the French publication […] against the religious and political-spiritual authority will not be […] left without a response,” said Hossein Amir-Abdollahian, Iran’s Foreign Minister, in a tweet.

While the official responses were rolling out of Tehran, a number of social media accounts were sharing details of the attack and the sample list of data. The vast majority were newly created, with few followers and not many previous posts — fake sock puppets likely created for just this purpose.

Other accounts impersonated French officials and reporters, but deficiencies in language suggested Iranian operators were behind the posts. What’s more, many of these accounts were referring to the hack well before it was publicly reported.

“While the attribution we’re making today is based on a larger set of intelligence available to Microsoft’s DTAC team, the pattern seen here is typical of Iranian state-sponsored operations,” said Clint Watts, the general manager of DCAT, in a blog post.

“Whatever one may think of Charlie Hebdo’s editorial choices, the release of personally identifiable information about tens of thousands of its customers constitutes a grave threat.

“This was underlined on January 10 in a warning of ‘revenge’ against the publication from Iran’s Islamic Revolutionary Guard Corps commander Hossein Salami, who pointed to the example of author Salman Rushdie, who was stabbed in 2022.

“Added Salami, ‘Rushdie won’t be coming back.’”

David Hollingworth

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.

cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.