Google researchers expose Iranian hackers’ tool to steal emails from Gmail, Yahoo and Outlook
Hackers linked to the Iranian government’s cyber espionage unit developed a software tool to retrieve downloaded emails and other data from Gmail, Yahoo and Microsoft Outlook accounts, Google researchers said Tuesday.
The researchers at Google’s Threat Analysis Group, who dubbed the tool “HYPERSCRAPE,” detected the malicious program in December 2021. The Iranian hackers appear to have deployed it against fewer than two dozen accounts located in Iran, according to Ajax Bash, a Google security engineer.
While the oldest known sample dates to 2020, the tool remains under active development, Bash said.
Google took action to secure the affected accounts and notify the victims, Bash said. It’s not clear whether the Iranian hackers actually deployed the code against Yahoo or Outlook email accounts.
The program is likely associated with Charming Kitten, a prolific cyber espionage operation believed to operate under the Iranian Revolutionary Guard Corps, with aspects of its activity tracked variously as APT35, TA453, Phosphorus, ITG18 and Cobalt Illusion. Researchers with cybersecurity firm Secureworks said in May that elements of the group also carry out ransomware attacks, revealing financial motives alongside its traditional espionage role.
Previous research into the group’s tools points to ongoing operational security errors and relatively basic development, traits that aid attribution but do not stop the tools from working, as was the case with Hyperscrape, Bash said.
“Like much of their tooling, Hyperscrape is not notable for its technical sophistication,” Bash wrote, “but rather its effectiveness in accomplishing Charming Kitten’s objectives.”
For the tool to work, the victim either needs to be logged into their account or the attackers need the victim’s credentials, Bash wrote. Once inside, the tool changes the account’s language settings to English, downloads individual emails and then marks them as unread. The program also deletes any security emails from Google triggered by the activity, Bash wrote.
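The behaviours described above (a language change to English, messages opened and then put back to unread, and deletion of Google security notifications) are visible in mailbox activity records. The following added example, which is not code from the Google report or from the tool itself, shows how a defender might score sessions for that combination over a constructed, hypothetical audit-event format; the event tuples, the `SECURITY_ALERT_SENDERS` set and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed, hypothetical audit events: (session_id, action, detail).
# This is NOT a real Gmail or Workspace log schema; it exists only to exercise the logic.
SAMPLE_EVENTS = [
    ("s1", "settings_change", "language=en"),
    ("s1", "message_open", "msg-101"),
    ("s1", "mark_unread", "msg-101"),
    ("s1", "message_open", "msg-102"),
    ("s1", "mark_unread", "msg-102"),
    ("s1", "message_open", "msg-103"),
    ("s1", "mark_unread", "msg-103"),
    ("s1", "message_delete", "sender=no-reply@accounts.google.com"),
    ("s2", "message_open", "msg-200"),          # ordinary reading, no revert
    ("s2", "settings_change", "language=en"),   # a legitimate settings change on its own
]

# Assumed sender address for Google account-security notifications.
SECURITY_ALERT_SENDERS = {"no-reply@accounts.google.com"}


def session_indicators(events):
    """Return per-session counts of the three indicators described in the report."""
    by_session = defaultdict(list)
    for sid, action, detail in events:
        by_session[sid].append((action, detail))
    findings = {}
    for sid, acts in by_session.items():
        lang_to_en = any(a == "settings_change" and d == "language=en" for a, d in acts)
        opened, unread_reverts, alert_deletes = set(), 0, 0
        for action, detail in acts:
            if action == "message_open":
                opened.add(detail)
            elif action == "mark_unread" and detail in opened:
                unread_reverts += 1          # read, then flipped back to unread
            elif action == "message_delete":
                sender = detail.split("=", 1)[-1]
                if sender in SECURITY_ALERT_SENDERS:
                    alert_deletes += 1       # security notification removed
        findings[sid] = {"lang_to_en": lang_to_en,
                         "unread_reverts": unread_reverts,
                         "alert_deletes": alert_deletes}
    return findings


def suspicious_sessions(events, min_unread_reverts=3):
    """Flag sessions that combine the language change with either indicator."""
    return [sid for sid, f in session_indicators(events).items()
            if f["lang_to_en"] and (f["unread_reverts"] >= min_unread_reverts
                                    or f["alert_deletes"] > 0)]


if __name__ == "__main__":
    print(suspicious_sessions(SAMPLE_EVENTS))   # ['s1']
```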
Older versions of the tool allowed the attacker to request data from Google Takeout, a Google service that enables the bulk downloading of Google account data across a variety of the company’s platforms via a downloadable archive file. Subsequent versions did not include the option, for unknown reasons.