Iranian state-sponsored actors are behind the attacks, says Google
Iranian state-sponsored hackers have built a new tool capable of downloading Gmail, Yahoo, and Outlook inboxes, and are using it against unknown high-profile targets.
This is according to a new report from Google’s Threat Analysis Group (TAG), which managed to obtain a version of the tool and perform an analysis to see just how dangerous it is.
As per the report, the tool in question is called HYPERSCAPE, and was built back in 2020 by the government-backed group known as Charming Kitten.
Charming Kitten attacks
According to Google, the tool works on the attacker’s endpoint, which means victims don’t have to be tricked into downloading any malware. They do, however, need to either have their account credentials compromised or session cookies stolen, as the attacker first needs to log into their account.
Once that step is achieved, the tool will trick the email service into thinking it’s being accessed via an outdated browser, and will switch to the basic HTML view.
After that, it will change the inbox’s language to English, start opening emails one by one, and download them into the .eml format. Email messages that were marked as unread before the attack will be marked as unread afterward as well. Once that stage is done, it will delete any warning emails, revert the language back to its original state and disappear.
Apparently, the tool has so far been used against no more than two dozen accounts, all located in Iran. Google says it notified all of them via its Government Backed Attacker Warnings. The tool was written in .NET for Windows PCs, TAG added, saying it tested it with Gmail, “although functionality may differ for Yahoo! and Microsoft accounts”.
Earlier versions of HYPERSCAPE also allowed threat actors to request data from Google Takeout, a feature allowing users to export their data to a downloadable archive file. The feature doesn’t seem to be available in the latest version, however.