Gmail, Outlook… Google reveals how Iran hacks email addresses

Called HYPERSCRAPE, this tool, which facilitates the hacking of Gmail, Yahoo, and Outlook accounts, is reportedly linked to the Pasdaran, an Iranian paramilitary organization that answers directly to the Guide of the Revolution, in other words, the Iranian head of state.


Google is warning about a hacking tool that researchers have named HYPERSCRAPE. The program often appears under other names such as APT35, Cobalt Illusion, ITG18, Phosphorus, TA453, or Yellow Garuda – and is directly linked to the Iranian Revolutionary Guard Corps, also known as Pasdaran.

Written in .NET, the program is designed to be used from the hacker’s machine (which must be a Windows PC). It contains functions to download and exfiltrate the contents of the victim’s mailbox, while automatically suppressing security alerts that arise in case of suspicious connections.

Gmail, Yahoo, Outlook: Iran has a tool to facilitate the hacking of emails without the knowledge of the victims

According to the analysis relayed by TheHackerNews, HYPERSCRAPE has reportedly been used against only about twenty targets in Iran. No foreign targets have yet been documented. In itself, the program is not as sophisticated as one might think. But it achieves its goals, making email hacking and spying invisible, with amazing ease.

The researchers explain: “HYPERSCRAPE requires the victim’s login data to open a valid authenticated session on the attacker’s computer, data which the attacker has potentially already obtained by other means.” In other words, HYPERSCRAPE is only the last link in the chain that allows the Iranian secret services to hack into the email accounts of their targets.

The credentials themselves can be obtained, for example, via other malware, a keylogger, data leaks already circulating online, or any other form of exfiltration. If two-factor authentication is used, hackers can resort to other techniques to complete the login, such as overlay or SIM Swap attacks, which are particularly effective against single-use codes received by SMS.

Furthermore, HYPERSCRAPE automatically downloads all unread messages, while keeping them “unread” in the mailbox the victim sees. Fortunately, Google was able to track the use of the tool. This made it possible to warn confirmed victims and secure their Gmail accounts. Those most at risk of espionage should adopt reinforced security mechanisms.

For example, they can use a physical security key such as Titan or YubiKey instead of single-use codes received by SMS, and change their password regularly. On Gmail, it is also advisable to join the Advanced Protection Program, which adds a series of protections preventing this type of hacking.
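The behaviours described above (bulk download of messages, restoring their “unread” state, and removing security alerts) leave a recognisable pattern in mailbox audit data. The following detection sketch is an added example, not code from Google or from the article; the event schema, the alert sender address, the threshold and the sample log are all assumptions constructed for illustration.

```python
"""Flag mailbox sessions that bulk-read mail, restore 'unread', and delete alerts."""
from collections import defaultdict

# Assumptions: event schema, alert sender address and threshold are hypothetical.
ALERT_SENDERS = {"security-alerts@mail.example"}
MIN_RESTORED = 3  # messages opened and then re-marked unread within one session

def suspicious_sessions(events, min_restored=MIN_RESTORED):
    """Return {(account, session): [reasons]} for sessions matching the behaviour."""
    opened = defaultdict(set)    # message ids opened or downloaded per session
    restored = defaultdict(set)  # of those, ids later flagged unread again
    alerts_deleted = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["account"], ev["session"])
        if ev["action"] in ("open", "download"):
            opened[key].add(ev["message_id"])
        elif ev["action"] == "mark_unread" and ev["message_id"] in opened[key]:
            restored[key].add(ev["message_id"])
        elif ev["action"] == "delete" and ev["sender"] in ALERT_SENDERS:
            alerts_deleted[key] += 1
    findings = {}
    for key in set(opened) | set(alerts_deleted):
        reasons = []
        if len(restored[key]) >= min_restored:
            reasons.append(f"{len(restored[key])} messages read then re-marked unread")
        if alerts_deleted[key]:
            reasons.append(f"{alerts_deleted[key]} security alert(s) deleted")
        if reasons:
            findings[key] = reasons
    return findings

def _ev(time, session, action, message_id, sender="contact@example.org"):
    return {"time": time, "account": "victim@example.com", "session": session,
            "action": action, "message_id": message_id, "sender": sender}

# Constructed sample log. Session A: the owner re-flags one message (benign).
SAMPLE = [_ev("2022-01-01T08:00:00Z", "A", "open", "m1"),
          _ev("2022-01-01T08:05:00Z", "A", "mark_unread", "m1")]
# Session B: bulk download, unread state restored, security alert deleted.
for i, mid in enumerate(["m3", "m4", "m5"]):
    SAMPLE.append(_ev(f"2022-01-01T09:00:0{2 * i}Z", "B", "download", mid))
    SAMPLE.append(_ev(f"2022-01-01T09:00:0{2 * i + 1}Z", "B", "mark_unread", mid))
SAMPLE.append(_ev("2022-01-01T09:00:09Z", "B", "delete", "m9",
                  "security-alerts@mail.example"))

if __name__ == "__main__":
    for (account, session), reasons in suspicious_sessions(SAMPLE).items():
        print(account, session, "; ".join(reasons))
```

The threshold keeps a user who occasionally re-flags a single message as unread from being reported; only the session that combines bulk reads with restored flags or deleted alerts is returned.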

