Iranian state-sponsored hackers have found ways to infiltrate the Gmail, Yahoo and Outlook inboxes of at least two dozen high-profile users and download their contents, according to a report by Google's Threat Analysis Group (TAG).
The government-backed group known as Charming Kitten originally developed a hacking tool called Hyperscrape in 2020 and has used it to carry out recent cyberattacks. TAG was able to obtain a version of this tool for analysis, TechRadar reported.
Google explained that the attack works stealthily, with none of the typical hacking ritual such as tricking a user into downloading malware. Instead, the attackers run the tool on their own machines and rely on already compromised account credentials or stolen session cookies to gain access to an account.
While this particular hack may have been politically motivated, Google is clearly interested in how other people might use these vulnerabilities in the future.
A recent Sophos report details how cookie theft is among the latest trends in cybercrime. Hackers use the method to bypass security measures like multi-factor authentication and access private databases.
In this case, once they are logged into the email account, the hackers use the tool to trick the email service into thinking the browser is out of date, which switches the mailbox to its basic HTML view. The tool then changes the inbox language to English and opens the emails one by one, downloading each in .eml format. Finally, it marks the opened emails as unread, deletes any security warning emails, restores the inbox's original language, and logs out.
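The sequence described above (basic HTML view, language switched to English, bulk .eml export, messages re-marked unread, warning emails deleted, language restored) is distinctive enough to look for in mailbox audit data. The following is an added detection sketch, not code from the TAG report or from the tool; the event names, field layout and sample session records are all constructed assumptions, not a real Gmail log format.

```python
from collections import defaultdict

# Constructed mailbox audit events (assumed format, not real provider logs).
# Each tuple: (session_id, event, detail)
EVENTS = [
    ("s1", "login", "cookie_reuse"),
    ("s1", "view_mode_changed", "basic_html"),
    ("s1", "language_changed", "en"),
    ("s1", "message_export", "eml"),
    ("s1", "message_export", "eml"),
    ("s1", "message_export", "eml"),
    ("s1", "mark_unread", "3"),
    ("s1", "message_deleted", "security_alert"),
    ("s1", "language_changed", "fa"),
    ("s2", "login", "password"),      # benign session: one export, no cover-up
    ("s2", "message_export", "eml"),
    ("s2", "message_read", "1"),
]

# Hallmarks of the described workflow, keyed as "event" or "event:detail".
INDICATORS = {
    "view_mode_changed:basic_html": "forced basic HTML view",
    "language_changed:en": "UI language switched to English",
    "mark_unread": "exported messages re-marked unread",
    "message_deleted:security_alert": "security warning email deleted",
}
EXPORT_THRESHOLD = 3  # assumed: three or more .eml exports in one session


def score_sessions(events):
    """Return {session_id: [matched indicators]} for sessions that combine
    bulk .eml export with at least two of the cover-up hallmarks."""
    by_session = defaultdict(list)
    for sid, ev, detail in events:
        by_session[sid].append((ev, detail))
    flagged = {}
    for sid, evs in by_session.items():
        hits = []
        exports = sum(1 for ev, d in evs if ev == "message_export" and d == "eml")
        langs = [d for ev, d in evs if ev == "language_changed"]
        for ev, d in evs:
            for key, desc in INDICATORS.items():
                if key in (ev, f"{ev}:{d}") and desc not in hits:
                    hits.append(desc)
        # Language set to English first, then restored to something else.
        if len(langs) >= 2 and langs[0] == "en" and langs[-1] != "en":
            hits.append("language restored after export")
        if exports >= EXPORT_THRESHOLD and len(hits) >= 2:
            flagged[sid] = hits
    return flagged
```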
Despite the tool's seemingly smooth execution, Google has learned a lot from these attacks and has notified all known affected accounts through its government-backed attacker warnings. TAG determined that the tool was written in .NET for Windows PCs and noted that the attacks could work differently against Yahoo and Outlook inboxes. So far, the group has only tested the tool against Gmail.