Google says Iranian group uses tool to download Gmail, Yahoo!, Outlook inboxes

An alleged government-backed Iranian hacking group is accused of using a new tool to download Gmail, Yahoo! and Microsoft Outlook.

Ajax Bash, of Google Threat Analysis Group, said in a blog post on Tuesday that in December the company discovered a tool called “Hyperscrape” used by hacking group Charming Kitten – which experts consider one of the main teams Iranian cyber espionage companies that would operate under the supervision of the Iranian military intelligence service.

Bash explained that “Hyperscrape” allowed the group to steal user data from Gmail, Yahoo! and Microsoft Outlook and download mailboxes using previously acquired credentials.

“We have seen it deployed against less than two dozen accounts located in Iran. The oldest known sample is from 2020 and the tool is still under development,” Bash said.

“We have taken steps to secure these accounts again and have notified victims through our government-backed attacker warnings.”

Bash added that the group generally targets “high-risk users,” but didn’t elaborate. Google tracked Charming Kitten – also known as APT35 – for years as it attempted to “hack accounts, deploy malware” and more.

The tool requires credentials that the attacker has already stolen or the hijacking of a victim’s session.

Once the attacker is able to log in, the tool “changes the account’s language settings to English and scans the contents of the mailbox, individually downloading the messages as .eml files and marking them as Unread”.

The metadata of the file HYPERSCAPE. (Google)

“Once the program finishes downloading the inbox, it resets the language to its original settings and deletes all security emails from Google,” Bash said. “Previous versions contained the ability to request data from Google Takeout, a feature that allows users to export their data to a downloadable archive file.”

For years, Charming Kitten has used new techniques to conduct espionage “aligned with the interests of the Iranian government,” Bash wrote in a 2021 report.

The group has previously been implicated in the use of a spyware-infested VPN app downloaded from the Google Play Store.

He also hacked into the University of London’s School of Oriental and African Studies (SOAS) website and used it to host a phishing kit last year.

Reports have emerged that the group sends emails containing links to the hacked site to collect credentials for platforms including Gmail, Hotmail and Yahoo.

In February, cybersecurity firm Cybereason linked Charming Kitten to Memento, a ransomware strain that was deployed in attacks in the fall of 2021.

Jonathan has worked around the world as a journalist since 2014. Before returning to New York, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.