A threat actor named “Voldemort” is impersonating tax authorities from governments in Europe, Asia, and the US – targeting dozens of organizations worldwide. Cybersecurity company Proofpoint believes “with moderate confidence” that Voldemort’s ultimate goal is cyber-espionage.
Since August 5 this year, Voldemort, named after the main villain in J. K. Rowling’s Harry Potter children’s books, has sent over 20,000 messages purporting to be from various tax authorities to over 70 organizations around the world. The threat actor poses as the US Internal Revenue Service, the UK’s HM Revenue & Customs, France’s Direction Générale des Finances Publiques, Germany’s Bundeszentralamt für Steuern, Italy’s Agenzia delle Entrate, India’s Income Tax Department and Japan’s National Tax Agency.
So far, Voldemort has targeted 18 different verticals, although almost a quarter of the organizations targeted were insurance companies. Aerospace, transportation, and university entities made up the rest of the top 50 percent of organizations targeted by the threat actor.
What distinguishes Voldemort’s scam messages from those of most online threat actors is the professionalism with which they are crafted: at first glance they appear to be legitimate communications from the tax office. Each lure is customized and written in the language of the authority being impersonated. The threat actor also matches the lure to the victim, sending messages from the tax authority of the target’s country of residence rather than the country where their organization operates or the one suggested by their email address.
Language used copies genuine terminology
“For example, certain targets in a multi-national European organization received emails impersonating the IRS because their publicly available information linked them to the US,” says the Proofpoint research report, The Malware That Must Not Be Named: Suspected Espionage Campaign Delivers “Voldemort.”
The language used in the fake messages also mirrors the terminology used in genuine tax communications and generally avoids the giveaway grammatical and spelling mistakes common in fraudulent messaging scams. Emails were sent from suspected compromised domains, with the threat actor embedding the real domain of the agency in the local part of the email address, so that the sender looks official even though the actual sending domain is unrelated. For example, an email impersonating the U.S. IRS appeared to be: “From Federal IRS <no_reply_irs[.]gov@amecaindustrial[.]com>”.
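The sender pattern quoted above (the real agency domain stuffed into the local part of an address at an unrelated, likely compromised domain) is cheap to check for at the mail gateway or in a SIEM. The following is an added example written for this article, not code from Proofpoint’s report: it parses a `From` header, refangs the `[.]` notation used in the report, and flags any address whose local part contains a known tax-authority domain while the actual sending domain is not that authority or one of its subdomains. Only `irs.gov` comes from the report; the other authority domains and all the sample headers other than the IRS one are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Official domains of the tax authorities the campaign impersonates.
# irs.gov is the one quoted in the report; the rest are assumed official
# domains added for illustration and should be verified before deployment.
IMPERSONATED_AUTHORITY_DOMAINS = (
    "irs.gov",                 # US Internal Revenue Service (from the report)
    "hmrc.gov.uk",             # assumption: UK HM Revenue & Customs
    "impots.gouv.fr",          # assumption: France, Direction Générale des Finances Publiques
    "bzst.de",                 # assumption: Germany, Bundeszentralamt für Steuern
    "agenziaentrate.gov.it",   # assumption: Italy, Agenzia delle Entrate
    "incometax.gov.in",        # assumption: India, Income Tax Department
    "nta.go.jp",               # assumption: Japan, National Tax Agency
)


def refang(value: str) -> str:
    """Undo the defanging convention used in the report ("[.]" for ".")."""
    return value.replace("[.]", ".")


def analyze_from_header(header: str) -> dict:
    """Inspect one From header value and report whether it shows the
    'authority domain in the local part, unrelated sending domain' pattern."""
    display_name, addr = parseaddr(refang(header))
    local, sep, sending_domain = addr.rpartition("@")
    local, sending_domain = local.lower(), sending_domain.lower()
    result = {
        "display_name": display_name,
        "address": addr,
        "sending_domain": sending_domain,
        "impersonated_domain": None,
        "suspicious": False,
    }
    if not sep:  # not a parseable mailbox, nothing to assess
        return result
    for authority in IMPERSONATED_AUTHORITY_DOMAINS:
        # Mail genuinely from the authority (or a subdomain of it) is fine.
        same_org = sending_domain == authority or sending_domain.endswith("." + authority)
        if authority in local and not same_org:
            result["impersonated_domain"] = authority
            result["suspicious"] = True
            break
    return result


def flag_headers(headers) -> list:
    """Return the analysis records for every header that matches the pattern."""
    return [r for r in (analyze_from_header(h) for h in headers) if r["suspicious"]]


# Constructed sample headers. The first reproduces the pattern quoted in the
# report; the others are made up to show a second impersonation, a legitimate
# authority sender, and an unrelated benign sender.
CONSTRUCTED_HEADERS = [
    "Federal IRS <no_reply_irs[.]gov@amecaindustrial[.]com>",
    "HMRC Alerts <alerts_hmrc.gov.uk@example-compromised.test>",
    "IRS <noreply@irs.gov>",
    "Payroll <payroll@example.test>",
]

if __name__ == "__main__":
    for record in flag_headers(CONSTRUCTED_HEADERS):
        print(f"{record['address']}: local part names {record['impersonated_domain']} "
              f"but mail comes from {record['sending_domain']}")
```

The check deliberately keys on the local part rather than the display name, since display names legitimately mention agencies in newsletters and forwarded mail; an address whose local part spells out another organization’s domain has far less benign explanation. In practice this rule would sit beside SPF/DKIM/DMARC results for the actual sending domain rather than replace them.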
According to Proofpoint: “[The threat actor’s] Frankensteinian amalgamation of clever and sophisticated capabilities obscures the ultimate goal of the campaign. But, while the lures in the campaign are more typical of a criminal threat actor, the features included in the backdoor are more similar to the features typically found in the tools used for espionage.”