Iranian state-sponsored hackers have found a way to get into the Gmail, Yahoo and Outlook inboxes of at least two dozen high-profile users and download their contents, according to a report by Google's Threat Analysis Group (TAG).
The government-backed group known as Charming Kitten originally developed a hacking tool called Hyperscrape in 2020 and used it in recent cyberattacks. TAG was able to obtain a version of this tool, TechRadar reported.
Google explained that the attack is stealthy: there is none of the usual hacking ritual, such as tricking a user into downloading malware. Instead, the hackers run the tool on their own machine and use access they have already obtained, such as compromised account credentials or stolen session cookies, to log into the victim's account.
While this particular cyberattack may have been politically motivated, Google is clearly interested in how these techniques could be used by others in the future.
A recent report from Sophos describes cookie theft as one of the latest trends in cybercrime. Because a stolen session cookie represents an already-authenticated session, hackers use this method to bypass security measures such as multi-factor authentication and gain access to private data.
In this case, once logged into the email account, the tool presents itself as an outdated browser so that the email service switches the session to its basic HTML view. It then changes the inbox language to English and opens the emails one by one, downloading each in .eml format. Finally, it marks every opened email as unread, deletes any warning emails, resets the inbox to its original language and logs out.
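The sequence above (basic HTML view, language switched to English, messages opened and downloaded, then marked unread, warning emails deleted, language restored) is a behavioural pattern a defender can look for in mailbox activity logs. The following is an added detection example, not code from the article, from TAG or from the Hyperscrape tool itself; the JSON-lines audit format, its field names and the sample events are all constructed for illustration, since real mail providers expose activity through their own audit logs and APIs.

```python
"""Flag mailbox sessions whose activity matches a Hyperscrape-like scraping sequence.

Added example. The log format below is a hypothetical JSON-lines audit trail;
field names (session, event, mode, lang, msg, sender) are assumptions, not a
real provider's schema.
"""
import json
from collections import defaultdict

# Constructed sample log: session s1 is normal use, session s2 matches the pattern.
SAMPLE_LOG = """
{"ts": 1, "session": "s1", "event": "login", "ip": "203.0.113.7"}
{"ts": 2, "session": "s1", "event": "read_message", "msg": "m1"}
{"ts": 3, "session": "s1", "event": "logout"}
{"ts": 10, "session": "s2", "event": "login", "ip": "198.51.100.9"}
{"ts": 11, "session": "s2", "event": "view_mode", "mode": "basic_html"}
{"ts": 12, "session": "s2", "event": "set_language", "lang": "en"}
{"ts": 13, "session": "s2", "event": "read_message", "msg": "m1"}
{"ts": 14, "session": "s2", "event": "download_message", "msg": "m1", "format": "eml"}
{"ts": 15, "session": "s2", "event": "read_message", "msg": "m2"}
{"ts": 16, "session": "s2", "event": "download_message", "msg": "m2", "format": "eml"}
{"ts": 17, "session": "s2", "event": "mark_unread", "msg": "m1"}
{"ts": 18, "session": "s2", "event": "mark_unread", "msg": "m2"}
{"ts": 19, "session": "s2", "event": "delete_message", "msg": "alert1", "sender": "security-alerts"}
{"ts": 20, "session": "s2", "event": "set_language", "lang": "fa"}
{"ts": 21, "session": "s2", "event": "logout"}
"""


def parse_log(text):
    """Group JSON-lines events by session id, ordered by timestamp."""
    sessions = defaultdict(list)
    for line in text.strip().splitlines():
        event = json.loads(line)
        sessions[event["session"]].append(event)
    for events in sessions.values():
        events.sort(key=lambda e: e["ts"])
    return sessions


def score_session(events):
    """Return (score, reasons): one point per indicator from the described sequence."""
    reasons = []

    # Indicator 1: the session was switched to the basic HTML view.
    if any(e["event"] == "view_mode" and e.get("mode") == "basic_html" for e in events):
        reasons.append("switched to basic HTML view")

    # Indicator 2: language set to English first, then changed back at the end.
    langs = [e["lang"] for e in events if e["event"] == "set_language"]
    if len(langs) >= 2 and langs[0] == "en" and langs[-1] != "en":
        reasons.append("language set to English and later reverted")

    # Indicator 3: every downloaded message was afterwards marked unread.
    downloaded = {e["msg"] for e in events if e["event"] == "download_message"}
    unread = {e["msg"] for e in events if e["event"] == "mark_unread"}
    if downloaded and downloaded <= unread:
        reasons.append(f"{len(downloaded)} downloaded messages marked unread")

    # Indicator 4: a security/warning email was deleted during the session.
    if any(e["event"] == "delete_message" and e.get("sender") == "security-alerts" for e in events):
        reasons.append("security alert email deleted")

    return len(reasons), reasons


def find_suspicious(text, threshold=3):
    """Return {session_id: reasons} for sessions meeting at least `threshold` indicators."""
    flagged = {}
    for session_id, events in parse_log(text).items():
        score, reasons = score_session(events)
        if score >= threshold:
            flagged[session_id] = reasons
    return flagged


if __name__ == "__main__":
    for session_id, reasons in find_suspicious(SAMPLE_LOG).items():
        print(session_id, "->", "; ".join(reasons))
```

The scoring is deliberately additive rather than requiring the exact order of steps: a single indicator (a user genuinely switching to basic HTML, say) is common, but three or more in one session is rare enough to be worth an alert, and the threshold can be tuned against a provider's real activity data.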
Although the tool runs smoothly, Google learned a great deal about the attack from it and notified all affected accounts it knows of through its government-backed attacker warnings. TAG determined that the tool was written in .NET for Windows PCs and noted that the attacks could work differently against Yahoo and Outlook inboxes. So far, the security group has only tested the tool against Gmail.