Cyber Incident Victim: Charlie Hebdo
Date: Jan 2023
Location: France
Summary
A cyberattack attributed to the Iranian state-linked actor NEPTUNIUM (also known as Emennet Pasargad) targeted the French satirical magazine Charlie Hebdo, compromising its online store and leaking personal data of over 200,000 subscribers, including names, contact details, and addresses. The attackers, operating under the "Holy Souls" persona, advertised the stolen data for sale and amplified the breach using fabricated French-language social media accounts impersonating local authorities and journalists. The incident followed the publication's announcement of a cartoon contest mocking Iran's Supreme Leader, prompting threats from Iranian officials and retaliatory diplomatic actions against France. French authorities opened an investigation into unauthorized system access, data extraction, and obstruction of operations. Microsoft's Digital Threat Analysis Center linked the operation to Iranian influence tactics, including hack-and-leak campaigns and coordinated disinformation efforts to undermine confidence in the victim's security.
Description
On January 4, 2023, the website of French satirical magazine Charlie Hebdo was targeted in a cyberattack affecting its online store and homepage. A previously unknown group calling itself "Holy Souls" claimed responsibility, asserting it had compromised a database containing personal information of over 200,000 subscribers and customers. The group released a sample dataset containing full names, telephone numbers, email addresses, and physical addresses of individuals who had purchased merchandise or subscriptions. Holy Souls offered the complete dataset for sale at 20 Bitcoin (approximately $340,000) and disseminated the sample through YouTube and hacker forums. French newspaper Le Monde verified the authenticity of the leaked sample by confirming details with multiple affected individuals. The attack coincided with Charlie Hebdo's publication of cartoons ridiculing Iranian Supreme Leader Ali Khamenei, part of an international contest announced one month prior and timed to mark the eighth anniversary of the 2015 terrorist attack on the magazine's offices.

The Iranian government publicly condemned the cartoons, with Foreign Minister Hossein Amir-Abdollahian tweeting on January 4 that the "insulting action" would not go unanswered. Iran summoned the French ambassador that day and closed the French Institute for Research in Iran on January 5, calling it a "first step" in retaliation.

Microsoft's Digital Threat Analysis Center (DTAC) attributed the cyberattack to Iranian state-sponsored actor NEPTUNIUM, identified by the U.S. Department of Justice as Emennet Pasargad. DTAC documented a coordinated amplification campaign using dozens of French-language social media sockpuppet accounts created in December 2022, which posted identical screenshots of the defaced Charlie Hebdo website before mainstream media reported the breach. These accounts were joined by impersonator profiles posing as a French tech executive and a Charlie Hebdo editor, which shared screenshots of stolen customer data. Twitter suspended the fraudulent accounts.

The Paris prosecutor's office opened an investigation on January 5 for unauthorized system access, data extraction, and system interference, assigning the case to cybersecurity units involving the DGSI (Domestic Intelligence) and the Office for Combating Cybercrime. Although Charlie Hebdo's editorial content remained accessible post-attack, its online store displayed error messages. On January 10, Islamic Revolutionary Guard Corps commander Hossein Salami issued a "revenge" warning against the magazine, referencing the 2022 attack on author Salman Rushdie. Microsoft and the FBI linked the operation's tactics, including hacktivist personas, data leaks, and inauthentic amplification, to prior Iranian campaigns such as the 2022 Atlas Group attack on an Israeli sports website during the World Cup.
