{
	"id": "3dc8047d-3965-4417-b81d-04a06ca12a40",
	"created_at": "2026-04-06T00:12:48.842256Z",
	"updated_at": "2026-04-10T03:34:24.802704Z",
	"deleted_at": null,
	"sha1_hash": "1e9e659f6b3d031a4143059b662626597fecbc8b",
	"title": "Iran responsible for Charlie Hebdo attacks - Microsoft On the Issues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 279163,
	"plain_text": "Iran responsible for Charlie Hebdo attacks - Microsoft On the\r\nIssues\r\nBy Clint Watts\r\nPublished: 2023-02-03 · Archived: 2026-04-05 14:48:08 UTC\r\nToday, Microsoft’s Digital Threat Analysis Center (DTAC) is attributing a recent influence operation targeting the\r\nsatirical French magazine Charlie Hebdo to an Iranian nation-state actor. Microsoft calls this actor NEPTUNIUM,\r\nwhich has also been identified by the U.S. Department of Justice as Emennet Pasargad.\r\nIn early January, a previously unheard-of online group calling itself “Holy Souls,” which we can now identify as\r\nNEPTUNIUM, claimed that it had obtained the personal information of more than 200,000 Charlie Hebdo\r\ncustomers after “gain[ing] access to a database.” As proof, Holy Souls released a sample of the data, which\r\nincluded a spreadsheet detailing the full names, telephone numbers, and home and email addresses of accounts\r\nthat had subscribed to, or purchased merchandise from, the publication. This information, obtained by the Iranian\r\nactor, could put the magazine’s subscribers at risk of online or physical targeting by extremist organizations.\r\nWe believe this attack is a response by the Iranian government to a cartoon contest conducted by Charlie Hebdo.\r\nOne month before Holy Souls conducted its attack, the magazine announced it would be holding an international\r\ncompetition for cartoons “ridiculing” Iranian Supreme Leader Ali Khamenei. The issue featuring the winning\r\ncartoons was to be published in early January, timed to coincide with the eighth anniversary of an attack by two\r\nal-Qa’ida in the Arabian Peninsula (AQAP)-inspired assailants on the magazine’s offices.\r\nHoly Souls advertised the cache of data for sale for 20 BTC (equal to roughly $340,000 at the time). 
The release\r\nof the full cache of stolen data – assuming the hackers actually have the data they claim to possess – would\r\nessentially constitute the mass doxing of the readership of a publication that has already been subject to extremist\r\nthreats (2020) and deadly terror attacks (2015). Lest the allegedly stolen customer data be dismissed as fabricated,\r\nFrench paper of record Le Monde was able to verify “with multiple victims of this leak” the veracity of the sample\r\ndocument published by Holy Souls.\r\nAfter Holy Souls posted the sample data on YouTube and multiple hacker forums, the leak was amplified by a\r\nconcerted operation across several social media platforms. This amplification effort made use of a particular set of\r\ninfluence tactics, techniques and procedures (TTPs) DTAC has witnessed before in Iranian hack-and-leak\r\ninfluence operations.\r\nThe attack coincided with criticism of the cartoons from the Iranian government. On January 4, Iranian Foreign\r\nMinister Hossein Amir-Abdollahian tweeted: “The insulting and discourteous action of the French publication\r\n[…] against the religious and political-spiritual authority will not be […] left without a response.” That same day,\r\nthe Iranian Foreign Ministry summoned the French Ambassador to Iran over Charlie Hebdo’s “insult.” On January\r\n5, Iran shuttered the French Institute for Research in Iran in what the Iranian Foreign Ministry described as a “first\r\nstep,” and said it would “seriously pursue the case and take the required measures.”\r\nhttps://blogs.microsoft.com/on-the-issues/2023/02/03/dtac-charlie-hebdo-hack-iran-neptunium/\r\nPage 1 of 4\n\nThere are several elements of the attack that resemble previous attacks conducted by Iranian nation-state actors\r\nincluding:\r\nA hacktivist persona claiming credit for the cyberattack\r\nClaims of a successful website defacement\r\nLeaking of private data online\r\nThe use of inauthentic social media “sockpuppet” personas – social 
media accounts using fictitious or\r\nstolen identities to obfuscate the account’s real owner for the purpose of deception – claiming to be from\r\nthe country that the hack targeted to promote the cyberattack using language with errors obvious to native\r\nspeakers\r\nImpersonation of authoritative sources\r\nContacting news media organizations\r\nWhile the attribution we’re making today is based on a larger set of intelligence available to Microsoft’s DTAC\r\nteam, the pattern seen here is typical of Iranian state-sponsored operations. These patterns have also been\r\nidentified by the FBI’s October 2022 Private Industry Notification (PIN) as being used by Iran-linked actors to run\r\ncyber-enabled influence operations.\r\nThe campaign targeting Charlie Hebdo made use of dozens of French-language sockpuppet accounts to amplify\r\nthe campaign and distribute antagonistic messaging. On January 4, the accounts, many of which have low\r\nfollower and following counts and were recently created, began posting criticisms of the Khamenei cartoons on\r\nTwitter. Crucially, before there had been any substantial reporting on the purported cyberattack, these accounts\r\nposted identical screenshots of a defaced website that included the French-language message: “Charlie Hebdo a\r\nété piraté” (“Charlie Hebdo was hacked”).\r\nA few hours after the sockpuppets began tweeting, they were joined by at least two social media accounts\r\nimpersonating French authority figures – one imitating a tech executive and the other a Charlie Hebdo editor.\r\nThese accounts – both created in December 2022 and with low follower counts – then began posting screenshots\r\nof the leaked Charlie Hebdo customer data from Holy Souls. 
The accounts have since been suspended by Twitter.\r\nAn account impersonating a Charlie Hebdo editor, tweeting about the leaks\r\nThe use of such sockpuppet accounts has been observed in other Iran-linked operations including an attack\r\nclaimed by Atlas Group, a partner of Hackers of Savior, which was attributed by the FBI to Iran in 2022. During\r\nthe 2022 World Cup, Atlas Group claimed to have “penetrated into the infrasrtructures” [sic] and defaced an\r\nIsraeli sports website. On Twitter, Hebrew-language sockpuppet accounts and an impersonation of a sports\r\nreporter from a popular Israeli news channel amplified the attack. The fake reporter account posted that after\r\ntraveling to Qatar, he had concluded that Israelis should “not travel to Arab countries.”\r\nAlong with screenshots of the leaked data, the sockpuppet accounts posted taunting messages in French including:\r\n“For me, the next subject of Charlie’s cartoons should be French cybersecurity experts.” These same accounts\r\nwere also seen attempting to boost the news of the alleged hack by responding in tweets to publications and\r\njournalists, including Jordanian daily al-Dustour, Algeria’s Echorouk and Le Figaro reporter Georges Malbrunot.\r\nOther sockpuppet accounts claimed that Charlie Hebdo was working on behalf of the French government and said\r\nthat the latter was seeking to divert the public’s attention from labor stoppages.\r\nAccording to the FBI, one goal of Iranian influence operations is to “undermine public confidence in the security\r\nof the victim’s network and data, as well as embarrass victim companies and targeted countries.” Indeed, the\r\nmessaging in the attack targeting Charlie Hebdo resembles that of other Iran-linked campaigns, such as those\r\nclaimed by the Hackers of Savior, an Iran-affiliated persona that, in April 2022, claimed to infiltrate the 
cyber\r\ninfrastructure of major Israeli databases and published a message warning Israelis, “Do not trust to your\r\ngovernmental centers.”\r\nWhatever one may think of Charlie Hebdo’s editorial choices, the release of personally identifiable information\r\nabout tens of thousands of its customers constitutes a grave threat. This was underlined on January 10 in a warning\r\nof “revenge” against the publication from Iran’s Islamic Revolutionary Guard Corps commander Hossein Salami,\r\nwho pointed to the example of author Salman Rushdie, who was stabbed in 2022. Added Salami, “Rushdie won’t\r\nbe coming back.”\r\nThe attribution we’re making today is based upon the DTAC Framework for Attribution.\r\nMicrosoft invests in tracking and sharing information on nation-state influence operations so that customers and\r\ndemocracies around the world can protect themselves from attacks like the one against Charlie Hebdo. We will\r\ncontinue to release intelligence like this when we see similar operations from government and criminal groups\r\naround the world.\r\nInfluence Operation Attribution Matrix[1]\r\n[1] Adapted from Pamment, James, and Victoria Smith. “Attributing Information Influence Operations:\r\nIdentifying Those Responsible for Malicious Behaviour Online.” (2022). https://stratcomcoe.org/pdfjs/?\r\nfile=/publications/download/Nato-Attributing-Information-Influence-Operations-DIGITAL-v4.pdf\r\nTags: Charlie Hebdo, cyberattacks, cybersecurity, Digital Threat Analysis Center, DTAC, Microsoft Threat\r\nAnalysis Center\r\nSource: https://blogs.microsoft.com/on-the-issues/2023/02/03/dtac-charlie-hebdo-hack-iran-neptunium/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2023/02/03/dtac-charlie-hebdo-hack-iran-neptunium/"
	],
	"report_names": [
		"dtac-charlie-hebdo-hack-iran-neptunium"
	],
	"threat_actors": [
		{
			"id": "07131850-5161-48b8-98be-6b0271d44d0e",
			"created_at": "2024-01-23T13:22:35.085803Z",
			"updated_at": "2026-04-10T02:00:03.521854Z",
			"deleted_at": null,
			"main_name": "Cotton Sandstorm",
			"aliases": [
				"Emennet Pasargad",
				"Holy Souls",
				"MARNANBRIDGE",
				"NEPTUNIUM",
				"HAYWIRE KITTEN"
			],
			"source_name": "MISPGALAXY:Cotton Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434368,
	"ts_updated_at": 1775792064,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1e9e659f6b3d031a4143059b662626597fecbc8b.pdf",
		"text": "https://archive.orkl.eu/1e9e659f6b3d031a4143059b662626597fecbc8b.txt",
		"img": "https://archive.orkl.eu/1e9e659f6b3d031a4143059b662626597fecbc8b.jpg"
	}
}