A federal grand jury indicted Monica Elfriede Witt, 39, a former U.S. service member and counterintelligence agent, for conspiracy to give
The same indictment charges four Iranian nationals, Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar and Mohamad Paryar (the “Cyber Conspirators”), with conspiracy, attempts to commit computer intrusion and aggravated identity theft, for conduct in 2014 and 2015 targeting former co-workers and colleagues of Witt in the U.S. Intelligence Community.
The Cyber Conspirators, using fictional and imposter social media accounts and working on behalf of the Iranian Revolutionary Guard Corps (IRGC), sought to deploy malware that would provide them covert access to the targets’ computers and networks.
Arrest warrants have been issued for the Cyber Conspirators, who also remain at large.
“This case reflects our firm resolve to hold accountable any individual who betrays the public trust by compromising our national security,” said U.S. Attorney Jessie K. Liu. “Today’s announcement also highlights our commitment to vigorously pursue those who threaten U.S. security through state-sponsored hacking campaigns.”
“The charges unsealed today are the result of years of investigative work by the FBI to uncover Monica Witt’s betrayal of the oath she swore to safeguard America’s intelligence and defense secrets,” said Executive Assistant Director for National Security Tabb.
“The alleged actions of Monica Witt in assisting a hostile nation are a betrayal of our nation’s security, our military, and the American people,” said Special Agent Terry Phillips. “While violations like this are extremely rare, her actions as alleged are an affront to all who have served our great nation.”
According to the allegations contained in the indictment unsealed today:
Monica Witt’s Espionage
Monica Witt, a U.S. citizen, was an active duty U.S. Air Force Intelligence Specialist and Special Agent of the Air Force Office of Special Investigations, who entered on duty in 1997 and left the U.S. government in 2008. Monica Witt separated from the Air Force in 2008 and ended work with DOD as a contractor in 2010.
During her tenure with the U.S. government, Witt was granted high-level security clearances and was deployed overseas to conduct classified counterintelligence missions.
In Feb. 2012, Witt traveled to Iran to attend the Iranian New Horizon Organization’s “Hollywoodism” conference, an IRGC-sponsored event aimed at, among other things, condemning American moral standards and promoting anti-U.S. propaganda.
Through subsequent interactions and communications with a dual United States-Iranian citizen referred to in the indictment as Individual A, Witt successfully arranged to re-enter Iran in Aug. 2013.
Thereafter, Iranian government officials provided Witt with housing and computer equipment. She went on to disclose U.S. classified information to the Iranian government official.
As part of her work on behalf of the Iranian government, she conducted research about U.S. Intelligence Community (USIC) personnel that she had known and worked with, and used that information to draft “target packages” against these U.S. agents.
Iranian Hacking Efforts Targeting Witt’s Former Colleagues
In late 2014, the Cyber Conspirators began a malicious campaign targeting Witt’s former co-workers and colleagues.
Specifically, Mesri registered and helped manage an Iranian company, the identity of which is known to the United States, which conducted computer intrusions against targets inside and outside the United States on behalf of the IRGC.
Using computer and online infrastructure, in some cases procured by Mesri, the conspiracy tested its malware and gathered information from target computers or networks, and sent spearphishing messages to its targets.
Specifically, between Jan. and May 2015, the Cyber Conspirators, using fictitious and imposter accounts, attempted to trick their targets into clicking links or opening files that would allow the conspirators to deploy malware on the target’s computer.
In one such instance, the Cyber Conspirators created a Facebook account that purported to belong to a USIC employee and former colleague of Witt, and which utilized legitimate information and photos from the USIC employee’s actual Facebook account.
This particular fake account caused several of Witt’s former colleagues to accept “friend” requests.