Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op


After the French satirical magazine Charlie Hebdo launched a cartoon contest to mock Iran’s ruling cleric, a state-backed Iranian cyber unit struck back with a hack-and-leak campaign that was designed to provoke fear with the claimed pilfering of a big subscriber database, Microsoft security researchers say.

The FBI blames the same Iranian cyber operators, Emennet Pasargad, for an influence operation that sought to interfere in the 2020 U.S. presidential election, the tech giant said in a blog published Friday. Iran has in recent years stepped up false-flag cyber operations as a tool for discrediting foes.

Calling itself “Holy Souls” and posing as hacktivists, the group claimed in early January to have obtained personal information on 200,000 subscribers and Charlie Hebdo merchandise buyers, according to Microsoft’s Digital Threat Analysis Center.

As proof of the data theft, “Holy Souls” released a 200-record sample with names, phone numbers and home and email addresses of Charlie Hebdo subscribers that “could put the magazine’s subscribers at risk for online or physical targeting” by extremists. The group then advertised the supposed complete data cache on several dark web sites for $340,000.

Microsoft said it did not know whether anyone purchased the cache.

A representative for Charlie Hebdo said Friday that the newspaper would not comment on the Microsoft research. Iran’s mission to the United Nations did not immediately respond to a request for comment Friday.

The Jan. 4 sample release coincided with the publication of Charlie Hebdo’s cartoon contest issue. Entrants were asked to draw offensive caricatures of Iran’s supreme leader, Ayatollah Ali Khamenei.

The French newspaper Le Monde verified multiple victims of the leak from the sample, Microsoft said. The Iranian cyber operators sought to boost news of the hack-and-leak operation — and fuel outrage at the cartoon edition — through fake French “sock-puppet” accounts on social media platforms that included Twitter, Microsoft said.

The operation coincided with verbal attacks by Tehran condemning Charlie Hebdo’s “insult.”

The provocatively irreverent magazine has a long history of publishing vulgar cartoons which critics consider deeply insulting to Muslims. Two French-born al-Qaida extremists attacked the newspaper’s office in 2015, killing 12 cartoonists, and it Charlie Hebdo has been the target of other attacks over the years.

The magazine billed the Khamenei caricature contest as a show of support for nationwide antigovernment protests that have convulsed Iran since the mid-September death of Mahsa Amini, a 22-year-old woman detained by Iran’s morality police for allegedly violating the country’s strict Islamic dress code.

After the cartoon issue was published, Iran shut down a decades-old French research institute. Last week, it announced sanctions targeting more than 30 European individuals and entities, including three senior Charlie Hebdo staffers. The sanctions are largely symbolic as they bar travel to Iran and allow its authorities to block bank accounts and confiscate property in Iran.

The post Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op appeared first on SecurityWeek.

Cyber Insights 2023: The Geopolitical Effect


About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

Cyber Insights | 2023

SecurityWeek Cyber Insights 2023 | The Geopolitical Effect – Geopolitics describes the effect of geography on politics, and usually refers to the political relationship between nations. That relationship is always mirrored in cyber. The Russia/Ukraine war that started in early 2022 has been mirrored by a major disturbance in cyber – and that disturbance will continue through 2023.

The physical conflict has forced much of the world to take sides. The US, NATO, the EU, and their allies are providing major support – short of troops – to Ukraine. China, Iran, and North Korea are all supporting Russia. The cyber conflict is similar, largely conforming to the George W Bush ‘axis of evil’ (Iran, Iraq, and North Korea, with the popular addition of Russia and China) versus the US, EU, and their allies.

Here we’re going to discuss how the current state of global geopolitics might play out in cyber during 2023.


“Russia may well resort to increased cyber offensive actions as it contends with on-the-ground setbacks in Ukraine,” comments Bob Ackerman, MD and founder of AllegisCyber. This has been considered likely throughout 2022, but as Russian military setbacks have increased toward the end of 2022, so the likelihood of increasingly aggressive Russian cyber activity will rise. Such offensive actions will not simply target Ukraine – they will be aimed at all countries seen to be supporting Ukraine.

“While we haven’t seen those feared attacks materialize yet,” says Christopher Budd, senior manager of threat research at Sophos, “it would be premature to say that those risks have passed. In 2023, so long as the uncertainty of war exists, everyone should plan for the real possibility of unexpected, large-scale cyberattacks.”

Indeed, the mirror between the kinetic and cyberworlds suggests it is inevitable in 2023. Kevin Bocek, VP of security strategy and threat intelligence at Venafi, expects to see Russian cyber activity becoming more ‘feral’. “We’re increasingly seeing its kinetic war tactics becoming more untamed, targeting energy and water infrastructure with missile strikes,” he says. “We expect the same to apply to cyberwarfare.”

He is concerned that Russia’s more feral activity will have the potential to spill over into other nations, “as Russia becomes more daring, trying to win the war by any means, and Russia could look to use the conflict as a distraction as it targets other nations with cyberattacks.”

Malwarebytes believes that large-scale attacks will appear first in Ukraine, but be accompanied by attacks against European allies. “In recent weeks [Oct/Nov 2022] Russia has been launching a barrage of missiles to cripple Ukraine’s electricity infrastructure. We could expect that at some point availability of such weapons will run low and that the Kremlin will want to increase the cyber effort. We may see further successful malware attacks from the Sandworm group as we have seen previously with the blackouts caused by the BlackEnergy malware,” comments Jerome Segura, senior director of threat intelligence at Malwarebytes.

While malware used to destroy or wipe systems is likely to be used against Ukraine,” he adds, “more stealthy malware such as backdoors are likely to hit European allies as attempts to compromise key leaders, gather intelligence and possibly expose or extort via ‘kompromat’.”

In one sense, the Russia/Ukraine conflict has taken the gloves off the lower-level cyberwarfare that has existed for years. You could say that 2023 may well prove to be a new era of bare-knuckle cyberwarfare. “Nation state cyber warfare will become more openly prevalent,” suggests Chris Gray, AVP of security strategy at Deepwatch. “The Russia/Ukraine conflict has taken away much of the ‘cloak and dagger’ aspects of this area and, in doing so, has also broadened the scope of available targets. Financial impact and the ability to increase chaos due to service interruption will increasingly grow over former levels.”

While we concentrate on Russia as the primary current protagonist in offensive cyber, we should not forget that Russian ‘allies’ will take advantage of the situation. “China is likely to expand the full spectrum of its cyber initiatives targeting economic, political, and military objectives,” continues Ackerman. “Bit actors on the global stage may well exploit Great Power conflict and related global distractions to launch targeted regional cyberattacks,” he added. Such as Iran targeting Israel.

Difficulty in attribution will remain

Increased nation-state cyber activity will become more obvious, but not necessarily legally attributable. The major powers will still seek to avoid direct retribution that could escalate into additional kinetic warfare. “The reality with nation-state attacks is you might never know you’ve been hit by one until another country’s intelligence agency actively identifies it,” warns Andrew Barratt, VP at Coalfire. “The attribution of attacks to specific parties is a highly contentious area with a lot of room for error and deniability. What we really need is crossover from friendly military intelligence partners to support a reasonable conclusion.”

SecurityWeek was told years ago by Luis Corrons, now security evangelist at Gen and co-chairman of the board at AMTSO, “The only people who really know what’s going on are the intelligence agencies, who have close knowledge drawn from signals intelligence and covert agents.” Historically, the intelligence agencies have been reluctant to make too many public accusations of attribution for fear that it might expose their sources.

Marcus Fowler, Darktrace
Marcus Fowler

Direct attribution from countries with mature intelligence agencies is likely to increase in 2023 – as will the strident denials coming from the perpetrators – but it will remain difficult. “The rapid expansion of non-state affiliated cyber actors including hobbyists, hacktivists, criminals, privateers, proxies, vigilantes, or cyber response reserve units, is unlike anything ever seen in traditional warfare,” explains Marcus Fowler, CEO of Darktrace Federal. “The surge in ‘vigilante’ approaches to cyber-crime will continue to alter the course of modern warfare in 2023, introducing unprecedented adversaries and allies for nation-states.”

Zero-day stockpiles

What remains largely unknown is the potential capability of unfettered cyberwarfare – all major nations have been stockpiling zero-days for years. “I dare not speak of the unused kinetic powers available to the nation-states,” comments Brian NeuHaus, CTO of Americas at Vectra AI, “but will digress to one which has only, I believe, been partially used. Cyberwarfare is still a real threat from a broader use of known TTPs, tools tactics procedures, and an unknown equity of zero-days just waiting for the right strategic moment to deploy against one’s foes.” 

Zero-days are not used lightly, especially by nation-states. Once used, they instantly lose their value. The problem is that we have no knowledge of our adversaries’ zero-day stockpiles, nor their ability to unleash widespread destructive capabilities against critical infrastructure. Their use is likely to be one of desperation – a cyber version of nuclear weapons with the potential to escalate into open kinetic conflict. 

We must hope this day never comes, for it is worth remembering Putin’s warning on the use of nuclear weapons: “For the planet, it will be a catastrophe. But for me as a citizen of the Russian Federation and the head of the Russian State, I must ask myself the question. What is the point of a world without Russia?”

Wiperware and other destructive attacks

Our hope must therefore be that no nation-state feels so backed into a corner that it unleashes the full power of stockpiled zero-days against the opponent’s critical infrastructure. That doesn’t mean we can relax – the threat from what we could perhaps describe as conventional cyberweapons remains real and likely to increase through 2023. Wiperware is probably top of the list.

Fleming Shi

“Russia’s invasion of Ukraine this year revealed the modern digital battlefield. Most notably, we have witnessed an increased use of wiperware, a form of destructive malware against Ukrainian organizations and critical infrastructure,” comments Fleming Shi, CTO at Barracuda. “The frequency has dramatically increased as we saw WhisperGate, CaddyWiper, HermeticWiper, and others hitting the news since the war broke out.” 

Unlike the financial motivations and decryption potential of ransomware, wiperware is typically deployed by nation-state actors with the sole intent to damage and destroy an adversary’s systems beyond recovery. “In addition,” he added, in 2023, wiperware emanating from Russia will likely spill over into other countries as geopolitical tensions continue.”

Wiperware can easily be disguised as criminal ransomware with non-functioning decryption, adding deniability to destructive nation-state attacks. There are suspicions that WannaCry was a version of this. “Given the current political climate, Kaspersky experts foresee a record number of disruptive and destructive cyberattacks, affecting both the government sector and key industries,” says Ivan Kwiatkowski, senior security researcher at Kaspersky`s GReAT. 

“It is likely that a portion of them will not be easily traceable to cyberattacks and will look like random accidents. The rest will take the form of pseudo-ransomware attacks or hacktivist operations to provide plausible deniability for their real authors,” he added. “High-profile cyberattacks against civilian infrastructure, such as energy grids or public broadcasting, may also become targets, as well as underwater cables and fiber distribution hubs, which are challenging to defend.”

A particular target area for such attacks will likely be ‘dual use’ technologies; that is, those that serve both military and commercial purposes. “Satellite technologies and other advanced communication platforms come under a higher level of focus. Both intellectual property theft and disruption of data delivery to governments and militaries around the world become a stronger focus,” says Kurt Baumgartner, principal security researcher at Kaspersky.

It is noticeable that the cyberattack against Viasat by Russia just prior to the Russian invasion of Ukraine, designed to disrupt Ukrainian military communications, spilled out of the region to also affect some 9,000 European users. Russia seems to have ‘got away with it’ on this occasion, but it effectively remains a nation-state cyberattack against civilians outside of the war zone. We are not aware of any clandestine response from the West, but must wonder if the response would have been different if the spillover had directly affected US users.

John Pescatore, director of emerging security trends at SANS Institute, endorses Baumgartner’s view. “The war in Ukraine will have broader impacts on the commercial sector as operatives on both sides attack dual-use technologies (that is, services used by both the military and civilians) to take down communication and critical infrastructures systems.” He expects to see more attacks in 2023 that will impact business internet connections, communication, and logistics systems. 

“Increasing attacks on key dual-use technologies like cell towers, GPS, and commercial satellites – such as Star Link,” he adds, “will damage connectivity and business operations for private sector companies that depend on these technologies, even if they are not directly targeted themselves.”

Beyond Russia

While cyber eyes are trained on Russia, we should remember that it is not the West’s only cyber adversary. China, Iran, and North Korea will all increase their activity through 2023 under cover of the European war. China will likely continue concentrating on espionage rather than destruction – although this may change if the separate geopolitical tensions over Taiwan escalate into kinetic activity.

“China has high priority targets to meet in terms of economic and social development, made more pressing by continuing Covid outbreaks and a zero-tolerance stance on Covid,” warns Mike McLellan, director of intelligence at Secureworks. “Chinese intelligence collection will remain both broad and deep, as the Chinese Communist Party will not accept failure on any of its key focus areas.”

This focus will be on upgrades to its manufacturing base, food stability, housing, energy supply, and natural resources. “Organizations operating in or supplying any of those areas, particularly high­tech industries,” he continues, “are potential targets of Chinese cyberespionage.”

But he adds, “As tensions continue to rise around Taiwan and the South China Sea, and China continues to drive forward with its Belt Road Initiative (BRI), a large proportion of China’s cyber espionage apparatus will be regionally focused targeting governments and critical infrastructure projects, as well as dissidents and other individuals opposed to the Chinese state.”

Iran and North Korea are less concerned with maintaining any semblance of diplomacy with the US and EU. Iran may engage in more destructive cyberattacks, largely in the Middle East but potentially elsewhere. “Iran will exploit the blurring of state-sponsored activity with cybercrime, both against regional adversaries and more broadly,” says McLellan. 

The country will make use of offensive cyber operations under the guise of hacktivist and cybercrime personas to harass and intimidate regional adversaries, particularly Israel. This will probably extend beyond the Middle East with Iran merging state and criminal activity. Citing the IRGC-affiliated Cobalt Mirage threat group, McLellan warns, “Iran will exploit this financially motivated activity as a plausible cover for state espionage or disruption operations, which can be dismissed as part of a ‘cybercrime problem’.”

“We’re also seeing North Korea flexing its muscles by flying long range weapons over borders,” adds Venafi’s Bocek. If the mirror between kinetic and cyber activity holds true, we can expect North Korea to become more aggressive in cyber in 2023. Such cyber activity, adds Bocek, “will be replicated by North Korea as it looks to advance its economic and political goals.”


A particular concern for 2023 and beyond is that the diplomatic seal may now be permanently broken. The Russia/Ukraine war will eventually end – but tensions between the two countries and their allies will continue. Aggressive international cyber activity may never return to pre-war levels. “Nation-states will continue to cause each other digital problems amid the constant fight for power and status on the world stage,” comments Zac Warren, chief security advisor for EMEA at Tanium.

“Nations will come to the table to discuss norms; China, Russia and others will inhibit progress,” warns Mike Hamilton, founder and CISO at Critical Insight. He has two specific predictions for 2023 that might take cyber relations beyond the point of no return. Firstly, he suggests, “Russia will have its infrastructure disrupted as a demonstration of seriousness.” Secondly, he adds, “Operational technologies will be disrupted/wiped, likely in the US water sector.”

If either of these incidents occur and can be reliably attributed to a foreign state, they will not be easily forgiven.

As it is in the kinetic world, so it is in the digital. “For everything in the real world, there is a shadow on the Internet,” says Sam Curry, CSO at Cybereason. “More-and-more, we are going to see the Internet as a primary forum for geopolitical activity. The classic diplomacy, information, military and economic (or ‘DIME’) options are seeing the rise of information options and a resurgence of military options from 2022. Going into 2023, it’s to be hoped that diplomacy and economics rise to the fore, but for that to happen, the world would need to see an amenable-to-all-parties resolution to the Russia-Ukraine War or at least motion in that direction with a meaningful ceasefire; and detente in the South China Sea, which although a secondary area is another potential area of rising concern and clash of superpowers.”

About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

Cyber Insights | 2023

Related: Wipers Are Widening: Here’s Why That Matters

Related: Economic Warfare: Attacks on CI Part of Geopolitical Conflict

Related: Security Pros Believe Cybersecurity Now Aligned With Cyberwar

Related: U.S. Issues Fresh Warning Over Russian Cyber Threats

The post Cyber Insights 2023: The Geopolitical Effect appeared first on SecurityWeek.

Iranian APT Leaks Data From Saudi Arabia Government Under New Persona


The Iran-linked advanced persistent threat (APT) actor known as Moses Staff is leaking data stolen from Saudi Arabia government ministries using a recently created online persona.

Also referred to as Cobalt Sapling, Moses Staff has been likely active since November 2020, but its existence was not revealed until September 2021.

A declared anti-Israeli and pro-Palestinian group, the APT has posted on its leaks website 16 activities as of December 2022, mainly consisting of data stolen from Israeli companies, or the personal information of individuals affiliated with an Israeli intelligence unit of the Israel Defense Forces.

The group was previously linked to the use of the PyDCrypt custom loader, the DCSrv cryptographic wiper that encrypts data and displays a bootloader message, the StrifeWater remote access trojan (RAT), and the DriveGuard auxiliary tool deployed to monitor the RAT’s execution.

In November 2022, a seemingly new hacktivist group claiming affiliation to the Hezbollah Ummah Lebanese Shia Islamist political party and militant group announced their existence under the Abraham’s Ax name, but Secureworks believes that this new persona is operated by Cobalt Sapling, the same APT that operates Moses Staff.

Connections between the two groups, the cybersecurity firm says, are plenty, starting with the use of a similar logo, similarities in leak sites (both of which have Tor versions), and the hosting of these sites on the same subnet, nearly adjacent to each other.

Like Moses Staff, Abraham’s Ax uses a biblical figure for their persona, and their claimed affiliation to Hezbollah has yet to be proven, Secureworks says.

As part of their activities, both groups have released videos, often depicting “Hollywood-style hacking involving satellites, CCTV, 3D building models, and fast scrolling through documents allegedly stolen as part of their operations”.

The videos show repetition and evolution of visual themes, with Abraham’s Ax reusing stock video elements from Moses Staff, with additional visual embellishments on top.

To date, Abraham’s Ax has leaked data allegedly stolen from Saudi Arabia’s Ministry of the Interior and a video purportedly depicting an intercepted phone conversation between Saudi Arabian government ministers.

“Rather than attacking Israel directly, Abraham’s Ax attacks government ministries in Saudi Arabia. […] The group may be attacking Saudi Arabia in response to Saudi Arabia’s leadership role in improving relationships between Israel and Arab nations,” Secureworks notes.

The cybersecurity firm also notes that Abraham’s Ax does not appear to replace the Moses Staff persona, which has remained active, claiming in late November the hack of a CCTV system monitoring the site of a terrorist attack in Israel.

“Malware and technical indicators from Abraham’s Ax operations have not been identified. Assuming that both personas are operated by Cobalt Sapling, it is plausible that the threat actors use the same tools and techniques in their intrusions,” Secureworks notes.

Related: UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies

Related: Iranian Hackers Deliver New ‘Fantasy’ Wiper to Diamond Industry via Supply Chain Attack

Related: Religious Minority Persecuted in Iran Targeted With Sophisticated Android Spyware

The post Iranian APT Leaks Data From Saudi Arabia Government Under New Persona appeared first on SecurityWeek.

UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies


The United Kingdom’s National Cyber Security Centre (NCSC) has published an advisory to warn organizations and individuals about separate spearphishing campaigns conducted by Russian and Iranian cyberespionage groups.

The advisory focuses on activities conducted by the Russia-linked Seaborgium group (aka Callisto, Blue Callisto and Coldriver) and the Iran-linked TA453 (aka Charming Kitten, APT35, Magic Hound, NewsBeef, Newscaster and Phosphorus). 

Russian and Iranian phishing

The NCSC noted that the two groups covered by the advisory have similar tactics, techniques and procedures (TTPs) and they target the same types of entities, but there is no evidence that their campaigns are connected or that the two APTs are collaborating. 

The goal of these attacks has been to collect information from government organizations, academia, defense firms, NGOs, think tanks, politicians, activists and journalists.

The general public has not been targeted, but it’s worth pointing out that the Iranian group has also been observed launching what appeared to be financially motivated ransomware attacks.

Seaborgium and TA453’s attacks start with a reconnaissance phase that involves using open source intelligence to research their targets. This phase can involve creating fake social media accounts, email accounts impersonating well-known individuals in the target’s field of interest, fake websites, and event invitations. The goal is to gain the victim’s trust.

The hackers don’t immediately deliver malicious content to the victim and instead take their time to build trust, which increases their chances of success. After trust is established, they deliver a malicious link that leads the victim to a phishing page.

These phishing pages are designed to harvest credentials that the Russian and Iranian hackers can then use to access the victim’s email accounts, which can store valuable information. 

The attackers have also been observed setting up forwarding rules in compromised email accounts in an effort to monitor the victim’s correspondence. In addition, they have used contact lists for further phishing attacks.

“Although spear-phishing is an established technique used by many actors, Seaborgium and TA453 continue to use it successfully and evolve the technique to maintain their success,” the NCSC said in its advisory. 

In August 2022, Microsoft said it had caused significant disruption to Seaborgium’s operations, cutting off the hackers’ access to accounts used for reconnaissance and phishing. 

Related: Iranian Hackers Impersonate British Scholars in Recent Campaign

Related: Russian Espionage APT Callisto Focuses on Ukraine War Support Organizations

The post UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies appeared first on SecurityWeek.