A newly published report from Google's Threat Analysis Group (TAG) describes a new tool used by an Iranian government-backed espionage group to successfully compromise a small number of Gmail accounts.
The group goes by the name of Charming Kitten, although this cat is far from charming and, it would appear, has very sharp claws.
The report, written by TAG's Ajax Bash, confirms that the tool, called HYPERSCRAPE, is “used to steal user data from Gmail, Yahoo!, and Microsoft Outlook accounts.”
Bash confirms that the state-sponsored group behind the HYPERSCRAPE hack has already successfully compromised a small number of Gmail accounts. “We have seen it deployed against fewer than two dozen accounts in Iran,” Bash said, adding that Google had notified the affected users and “taken actions to re-secure these accounts.”
What is HYPERSCRAPE?
The HYPERSCRAPE tool was first detected by Google TAG researchers in December 2021, although further investigation revealed the oldest attack seems to date to 2020.
It uses spoofing techniques to appear to be an old, outdated web browser. This enables the tool to 'see' Gmail inboxes in the basic HTML view. HYPERSCRAPE can step through the contents of the compromised Gmail inbox and other mailboxes and download the email messages one at a time. Once this process is completed, the emails are marked as unread again, and any Google security messages or warnings are deleted.
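The read-then-revert and alert-deletion behaviour described above is what a defender would look for in mailbox activity. The following detection heuristic is an added example, not code from the TAG report or from HYPERSCRAPE itself; the event schema, the constructed sample events and the alert sender address are assumptions for illustration, and real Gmail or Workspace audit logs use their own formats.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    action: str      # "read", "mark_unread" or "delete" (hypothetical schema)
    msg_id: str
    sender: str
    subject: str

# Sender used here for Google account security alerts (assumption for this example)
GOOGLE_ALERT_SENDER = "no-reply@accounts.google.com"

# Constructed sample activity: three messages opened and reverted to unread within
# seconds of each other, then a Google security alert deleted, then one normal read.
T0 = datetime(2022, 8, 23, 10, 0, 0)
EVENTS = [
    Event(T0, "read", "m1", "billing@example.com", "Invoice for July"),
    Event(T0 + timedelta(seconds=10), "mark_unread", "m1", "billing@example.com", "Invoice for July"),
    Event(T0 + timedelta(seconds=15), "read", "m2", "hr@example.com", "Travel request"),
    Event(T0 + timedelta(seconds=25), "mark_unread", "m2", "hr@example.com", "Travel request"),
    Event(T0 + timedelta(seconds=30), "read", "m3", "friend@example.org", "Dinner?"),
    Event(T0 + timedelta(seconds=40), "mark_unread", "m3", "friend@example.org", "Dinner?"),
    Event(T0 + timedelta(seconds=60), "delete", "m4", GOOGLE_ALERT_SENDER, "Security alert"),
    Event(T0 + timedelta(hours=1), "read", "m5", "news@example.net", "Weekly digest"),
]

def analyse(events, window=timedelta(minutes=2), min_reverts=3):
    """Count messages re-marked unread shortly after being read, and deleted
    Google security alerts. Either pattern in volume is worth a closer look."""
    read_at = {}
    reverts = 0
    deleted_alerts = 0
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action == "read":
            read_at[ev.msg_id] = ev.ts
        elif ev.action == "mark_unread":
            opened = read_at.pop(ev.msg_id, None)
            if opened is not None and ev.ts - opened <= window:
                reverts += 1
        elif ev.action == "delete" and ev.sender == GOOGLE_ALERT_SENDER:
            deleted_alerts += 1
    return {
        "reverted_reads": reverts,
        "deleted_security_alerts": deleted_alerts,
        "suspicious": reverts >= min_reverts or deleted_alerts > 0,
    }
```

On the constructed sample, `analyse(EVENTS)` reports three reverted reads and one deleted security alert and flags the session as suspicious.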
Bash also said that some versions of the hacking tool were able to export all user data as a downloadable archive using the Google Takeout feature. However, it is unclear if or why this feature was removed.
How dangerous is HYPERSCRAPE?
To those targeted by Charming Kitten, HYPERSCRAPE is a dangerous threat. However, those targets will be very carefully selected, and, as Bash has said, only a handful of users are known to have been compromised. All of those users were based in Iran.
Furthermore, for HYPERSCRAPE to be executed, the attackers must have already acquired the victim's user credentials. This, again, reduces the chances that everyday users will be affected. Of course, if an attacker has your user credentials, then it's pretty much game over anyway.
In the case of HYPERSCRAPE, the attackers don't want the victims to know their credentials have been compromised and their Gmail accounts accessed. Charming Kitten is an advanced persistent threat group. By covering its tracks by resetting mailboxes back to their original state and removing any security warnings from Google, it hopes to be able to repeat the email hacking at leisure.
Bash said that the news of this discovery was being made public to “raise awareness on bad actors like Charming Kitten within the security community,” as well as for the high-risk individuals and organizations that the threat group could target.
Mitigating HYPERSCRAPE and other Gmail attack threats
If you fall into such a category, then Google encourages you to join the Advanced Protection Program (APP) and use Google Account Level Enhanced Safe Browsing.
If you don't, you should continue to be security-minded despite being at low risk of falling victim to HYPERSCRAPE. That tool sits at the targeted end of the threat spectrum, but using weak passwords and not enabling two-factor verification on your Google account leaves you in the crosshairs of everyday cybercriminals. Gaining control of your Gmail account is like getting the keys to the hacking kingdom. Password reset links arriving in your email, details of bank accounts, and personal data all add up to a vast security mess that can be avoided by ensuring a better basic security posture.
John Ravenporton is a writer for many popular online publications. John is now our chief editor at DailyTechFeed. John specializes in Crypto, Software, Computer and Tech related articles.