A newly published report from Google's Threat Analysis Group (TAG) has revealed that an espionage threat group it says is backed by the Iranian government has a new tool that has been used to successfully hack a small number of Gmail user accounts.
The group goes by the name of Charming Kitten, although this cat is far from charming and has very sharp claws, it would appear.
The report, written by TAG's Ajax Bash, confirms that the tool, called HYPERSCRAPE, is "used to steal user data from Gmail, Yahoo!, and Microsoft Outlook accounts."
Bash confirms that the state-sponsored group behind the HYPERSCRAPE hack has already successfully compromised a small number of Gmail accounts. "We have seen it deployed against fewer than two dozen accounts located in Iran," Bash said, adding that Google had notified the affected users and "taken actions to re-secure these accounts."
The HYPERSCRAPE tool was first detected by Google TAG researchers in December 2021, although further investigation revealed the oldest attack seems to date to 2020.
It uses spoofing techniques to pass itself off as an old, outdated web browser, which lets the tool 'see' Gmail inboxes in the basic HTML view. HYPERSCRAPE then steps through the contents of the compromised Gmail inbox and other mailboxes, downloading the email messages one at a time. Once it has finished, the emails are returned to an unread state, and any Google security messages or warnings are deleted.
Bash also said that some versions of the hacking tool were able to export all user data as a downloadable archive using the Google Takeout feature. It is unclear whether, or why, this feature was removed.
Obviously, to those targeted by Charming Kitten, HYPERSCRAPE is a very dangerous threat. However, those targets will be very carefully selected, and, as Bash has said, only a handful of users are known to have been compromised. All of those users were based in Iran.
Furthermore, in order for HYPERSCRAPE to be executed, the attackers need to have already acquired the victim's user credentials. This, again, reduces the chances that everyday users will be affected. If an attacker has your user credentials, then it's pretty much game over anyway.
In the case of HYPERSCRAPE, the attackers don't want the victims to know their credentials have been compromised and their Gmail accounts accessed. Charming Kitten is an advanced persistent threat group, and by covering its tracks by resetting mailboxes back to their original state and removing any security warnings from Google, it hopes to be able to repeat the email hacking at leisure.
Bash said that the news of this discovery was being made public so as to "raise awareness on bad actors like Charming Kitten within the security community," as well as for the high-risk individuals and organizations that could be targeted by the threat group.
If you fall into such a category, then Google encourages you to join the Advanced Protection Program (APP) as well as make use of Google Account Level Enhanced Safe Browsing.
If you don't, then you should continue to be security-minded despite being at low risk of falling victim to HYPERSCRAPE. That is the extreme end of the threat spectrum, but using weak passwords and not implementing two-factor verification on your Google account leaves you in the crosshairs of everyday cybercriminals. Gaining control of your Gmail account is like getting the keys to the hacking kingdom. Password reset links coming to your email, details of bank accounts, and personal data all add up to a huge security mess that can be avoided by ensuring a better basic security posture.