Google says Iranian group using tool to download Gmail, Yahoo!, Outlook inboxes
An alleged government-backed hacking group from Iran is being accused of using a novel tool to download Gmail, Yahoo!, and Microsoft Outlook inboxes.
Google Threat Analysis Group’s Ajax Bash said in a blog on Tuesday that in December, the company found a tool called “Hyperscrape” being used by the hacking group Charming Kitten – which experts believe to be one of Iran’s primary cyber-espionage outfits allegedly operating under the supervision of Iran’s military intelligence service.
Bash explained that “Hyperscrape” allowed the group to steal user data from Gmail, Yahoo!, and Microsoft Outlook accounts and download inboxes using previously acquired credentials.
“We have seen it deployed against fewer than two dozen accounts located in Iran. The oldest known sample is from 2020, and the tool is still under active development,” Bash said.
“We have taken actions to re-secure these accounts and have notified the victims through our Government Backed Attacker Warnings.”
Bash added that the group typically targets “high risk users” but did not elaborate further. Google has tracked Charming Kitten – also known as APT35 – for years as it tried to “hijack accounts, deploy malware” and more.
The tool requires credentials the attacker has either already stolen or the hijacking of a victim’s session.
Once the attacker is able to log in, the tool “changes the account’s language settings to English and iterates through the contents of the mailbox, individually downloading messages as .eml files and marking them unread.”
“After the program has finished downloading the inbox, it reverts the language back to its original settings and deletes any security emails from Google,” Bash said. “Earlier versions contained the option to request data from Google Takeout, a feature which allows users to export their data to a downloadable archive file.”
For years Charming Kitten has used novel techniques to conduct espionage “aligned with the interests of the Iranian government,” Bash wrote in a 2021 report.
The group has previously been implicated in the use of a spyware-infested VPN app uploaded to the Google Play Store.
It also hacked the website of the School of Oriental and African Studies (SOAS) at the University of London and used it to host a phishing kit last year.
Reports emerged that the group sent email messages with links to the hacked site as a way to harvest credentials for platforms such as Gmail, Hotmail, and Yahoo.
In February, cybersecurity firm Cybereason tied Charming Kitten to Memento, a ransomware strain that was deployed in attacks in the fall of 2021.