Gmail Accounts in Iran Have Been Targeted
According to a new report from Google’s Threat Analysis Group (TAG), an espionage threat group backed by the Iranian government has a new tool that has been successfully used to hack a small number of Gmail user accounts.
Charming Kitten is the name of the group, but this cat appears to be far from charming and has very sharp claws.
According to the report, written by TAG’s Ajax Bash, the HYPERSCRAPE tool is “used to steal user data from Gmail, Yahoo!, and Microsoft Outlook accounts.”
Bash confirms that the state-sponsored group responsible for the HYPERSCRAPE hack has compromised a small number of Gmail accounts. “We’ve seen it deployed against fewer than two dozen accounts in Iran,” Bash said, adding that Google had notified the affected users and “taken steps to re-secure these accounts.”
What exactly is HYPERSCRAPE?
The HYPERSCRAPE tool was discovered by Google TAG researchers in December 2021, but further investigation revealed that the oldest attack appears to have occurred in 2020.
It spoofs an old, out-of-date web browser so that Gmail serves the inbox in its basic HTML view. HYPERSCRAPE then steps through the contents of the compromised Gmail inbox and other mailboxes, downloading email messages one at a time. When this process is finished, it marks the emails as unread again and deletes any Google security messages or warnings.
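A defender-side heuristic for spotting the session pattern described above (outdated browser plus basic HTML view, many messages opened and reset to unread, Google security notices deleted), written here as an added example and not code from Google TAG or the report; the log schema, account names and user-agent strings are constructed assumptions:

```python
import re
from collections import defaultdict

# Constructed sample records in a hypothetical schema (not a real Gmail audit format): <time> <account> "<user-agent>" <action> <detail>
OLD_UA = '"Mozilla/5.0 (Windows NT 5.1) Firefox/3.6"'
NEW_UA = '"Mozilla/5.0 (Windows NT 10.0) Chrome/96.0"'
SAMPLE_LOG = "\n".join([
    f"2021-12-01T10:00:01Z alice@example.test {OLD_UA} login view=basic_html",
    f"2021-12-01T10:00:05Z alice@example.test {OLD_UA} open_message id=101",
    f"2021-12-01T10:00:06Z alice@example.test {OLD_UA} mark_unread id=101",
    f"2021-12-01T10:00:09Z alice@example.test {OLD_UA} open_message id=102",
    f"2021-12-01T10:00:10Z alice@example.test {OLD_UA} mark_unread id=102",
    f"2021-12-01T10:00:40Z alice@example.test {OLD_UA} delete_message from=no-reply@accounts.google.com",
    f"2021-12-01T11:00:00Z bob@example.test {NEW_UA} login view=standard",
    f"2021-12-01T11:00:10Z bob@example.test {NEW_UA} open_message id=300",
])

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) ?(.*)$')
OUTDATED_UA_RE = re.compile(r"Windows NT 5\.1|Firefox/[1-9]\.|MSIE [5-8]\.")  # long-unsupported browsers
GOOGLE_NOTICE_RE = re.compile(r"from=no-?reply@accounts\.google\.com")
READ_THEN_UNREAD_THRESHOLD = 2  # distinct messages opened and then reset to unread

def parse(log_text):
    # Group records by account: {account: [(user_agent, action, detail), ...]}
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if m := LINE_RE.match(line):
            _, acct, ua, action, detail = m.groups()
            sessions[acct].append((ua, action, detail))
    return sessions

def score_session(events):
    """Return the set of HYPERSCRAPE-style indicators present in one account's events."""
    indicators, opened, reset = set(), set(), set()
    for ua, action, detail in events:
        if action == "login" and "view=basic_html" in detail and OUTDATED_UA_RE.search(ua):
            indicators.add("outdated_ua_basic_html")
        elif action == "open_message":
            opened.add(detail)
        elif action == "mark_unread":
            reset.add(detail)
        elif action == "delete_message" and GOOGLE_NOTICE_RE.search(detail):
            indicators.add("google_security_notice_deleted")
    if len(opened & reset) >= READ_THEN_UNREAD_THRESHOLD:  # read, then restored to unread
        indicators.add("bulk_read_then_unread")
    return indicators

def flag_accounts(log_text, min_indicators=3):
    """Accounts whose events show at least min_indicators of the three signals."""
    return sorted(acct for acct, ev in parse(log_text).items()
                  if len(score_session(ev)) >= min_indicators)
```

Requiring all three indicators together keeps the false-positive rate low; a single user opening and re-marking one message with a current browser, like bob above, produces no alert.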
How risky is HYPERSCRAPE?
HYPERSCRAPE is obviously a very dangerous threat to those targeted by Charming Kitten. However, those targets will be carefully chosen, and, as Bash has stated, only a small number of users have been compromised. All of those users were from Iran.
Furthermore, for HYPERSCRAPE to be executed, the attackers must already have the victim’s user credentials. This, once again, reduces the likelihood that ordinary users will be affected. If an attacker has your user credentials, the game is pretty much over.
The attackers in the case of HYPERSCRAPE do not want the victims to know their credentials have been compromised and their Gmail accounts accessed. Charming Kitten is an advanced persistent threat group, and it hopes to be able to repeat the email hacking at leisure by resetting mailboxes to their original state and removing any security warnings from Google.
Bash stated that the discovery was made public in order to “raise awareness on bad actors like Charming Kitten within the security community,” as well as for high-risk individuals and organizations who may be targeted by the threat group.
Mitigating HYPERSCRAPE and other Gmail account threats
If you fall into this category, Google recommends that you join the Advanced Protection Program (APP) and enable account-level Enhanced Safe Browsing for your Google Account.
If you don’t, you should still remain cautious, even though you are unlikely to be a victim of HYPERSCRAPE. That tool sits at the extreme end of the threat spectrum, but using weak passwords and not enabling two-factor authentication on your Google account puts you in the sights of everyday cybercriminals. Taking over your Gmail account is akin to receiving the keys to the hacking kingdom: password reset links in your email, bank account details, and personal data all add up to a huge security mess that can be avoided by improving your basic security posture.
The expert’s view on threat intelligence
According to Ian Thornton-Trump, CISO at threat intelligence firm Cyjax: “We live in a world where we can feel safe one moment and completely vulnerable the next. I believe that threat models must drive response and investment. On-premises can provide benefits in terms of security while sacrificing agility. When it comes to cyber security, I believe we are learning that there is no ‘one size fits all.’ Support and responsiveness from vendors become a value proposition. This is the world in which we live. What interests me is that it is no longer about ‘vulnerability or exploit,’ but rather about how we deploy technology with the philosophy of ‘least level of harm.’”