Microsoft’s Digital Threat Analysis Center (DTAC) has attributed a recent influence operation targeting the satirical French magazine Charlie Hebdo to an Iranian nation-state actor. Microsoft dubbed the threat group, which calls itself Holy Souls, NEPTUNIUM. It has also been identified as Emennet Pasargad by the US Department of Justice.

In January, the group claimed to have obtained the personal information of more than 200,000 Charlie Hebdo customers after gaining access to a database, which Microsoft believes was in response to a cartoon contest conducted by the magazine. The information included a spreadsheet detailing the full names, telephone numbers, and home and email addresses of accounts that had subscribed to, or purchased merchandise from, the publication.

“This information, obtained by the Iranian actor, could put the magazine’s subscribers at risk of online or physical targeting by extremist organizations,” Microsoft’s DTAC wrote. The announcement came in the same week as new research which revealed that most UK IT leaders believe that foreign states are using the ChatGPT chatbot maliciously to target other nations.

Attack revenge for cartoon competition resembles other Iranian nation-state campaigns

In December last year, Charlie Hebdo launched an international competition for cartoons “ridiculing” Iranian Supreme Leader Ali Khamenei, timed to coincide with the eighth anniversary of an attack by two al-Qa’ida in the Arabian Peninsula (AQAP)-inspired assailants on the magazine’s offices. The competition was publicly criticized by the Iranian Foreign Minister Hossein Amir-Abdollahian in January.

NEPTUNIUM (Emennet Pasargad/Holy Souls) advertised the cache of stolen data for sale for 20 Bitcoin (equal to roughly $340,000 at the time).
Multiple elements of the attack resemble previous campaigns conducted by Iranian nation-state actors, Microsoft added, including:

- A hacktivist persona claiming credit for the cyberattack
- Claims of a successful website defacement
- Leaking of private data online
- The use of inauthentic social media “sockpuppet” personas
- Impersonation of authoritative sources
- Contacting news media organizations

Sockpuppet accounts impersonate French authority figures, taunt France’s cybersecurity sector

The use of numerous French-language sockpuppet accounts – social media accounts using fictitious or stolen identities to obfuscate the account’s real owner for the purpose of deception – to amplify the campaign and distribute antagonistic messaging was of particular significance, Microsoft wrote. “On January 4, the accounts, many of which have low follower and following counts and were recently created, began posting criticisms of the Khamenei cartoons on Twitter. Crucially, before there had been any substantial reporting on the purported cyberattack, these accounts posted identical screenshots of a defaced website that included the French-language message: ‘Charlie Hebdo a été piraté’ (‘Charlie Hebdo was hacked’).”

Hours later, at least two social media accounts began impersonating French authority figures, while accounts also posted taunting messages including, “For me, the next subject of Charlie’s cartoons should be French cybersecurity experts.” The use of such sockpuppet accounts has been observed in previous Iran-linked operations including an attack claimed by Atlas Group, a partner of Hackers of Savior, which the FBI attributed to Iran in 2022. A key goal of Iranian influence operations is to “undermine public confidence in the security of the victim’s network and data, as well as embarrass victim companies and targeted countries,” the FBI wrote in October 2022.