Security Experts:

Former U.S. Air Force Officer Indicted for Aiding Iranian Cyber Attacks

Former Air Force intelligence officer, Monica Elfriede Witthas been charged with betraying her oath to protect and defend the United States and providing secret U.S. information to the Iranian government. Four named Iranian citizens affiliated with the Iranian Revolutionary Guard Corps (IRGC), have also been charged with various cyber-related conspiracies using information provided by Witt.

The charges were unveiled Wednesday in a grand jury indictment (PDF) following four years of investigation by the FBI and the Air Force Office of Special Investigations (AFOSI). The named Iranians are Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar, and Mohamad Paryar.

Witt joined the Air Force in 1997 and served as a special agent with AFOSI with access to top secret information -- including the true identity of intelligence sources and other U.S. agents. She served until 2008, but then did two further years DOD work as a contractor.

She converted to Islam in 2012. In June 2012, she was visited in the U.S. by a 'spotter' for the Iranian government, described in the indictment as 'Individual A'. With his assistance, she defected to Iran in August 2013.

The indictment alleges that in 2015 her special knowledge of U.S. agents helped the four Iranians craft and deliver spear-phishing messages that could have led to major computer intrusions on U.S. government networks. The primary targets are specified in the indictment as Agents 1 through 8. 

In one attempt, the Iranians (the conspirators) created a fake Facebook account in the name of Bella Wood, and sent a 'friend' request to Agent 2. This was accepted. This allowed them to later email Agent 2 as a known friend (bella.wood87(at)yahoo.com) with a 'friend' card. The email link to the card, had it been clicked, would have taken the agent to a server controlled by the conspirators.

Agent 2 did not click the link, but the conspirators now knew that the email had been opened via a DOD network located in Kabul, Afghanistan. They sent a second email offering photos of Bella Wood, but claiming Agent 2 would need to deactivate his anti-virus in order to get them, and that "they should be opened in your computer honey." The link again went to the conspirators' server.

In another attack, the conspirators created an imposter Facebook account in the true name of Agent 3, using information and photos from Agent 3's legitimate Facebook account. This account sent a friend request to Agent 1, who accepted. The imposter account subsequently messaged Agent 1 with an attachment purporting to be a JPG file. Had it been opened, it would have launched malware able to give the conspirators "covert, persistent access on USG Agent 1's computer and any associated network."

The same imposter account simultaneously friended Agent 4, and subsequently asked for help in opening a photo album that wouldn't work on the imposter's laptop. Agent 4 simply defriended the imposter.

Agent 5, however, both friended the imposter and added it to a private Facebook group 'composed primarily of USG Agents'. "By joining the group," says the indictment, "the Cyber Conspirators obtained greater access to information regarding USG Agents."

Two months later, the imposter account sent separate messages to Agents 2,6,7 and 8. Each contained a link to what appeared to be a legitimate news story. The message asked if the article was about the recipient, but the link was directed to a page controlled by the conspirators. It isn't clear from the indictment whether this was entirely spoofed, or whether the conspirators had compromised the news agency and set up a fake page within it.

Outside of Facebook, the conspirators attempted email spear-phishing. They designed an email that appeared to come from Agent 7, using his true name followed by '@ogn.af.mil', which is a genuine U.S. government domain. The indictment does not clarify who this email was sent to, nor what it contained.

The conspirators also designed a 'reset password' email that appeared to come from '[email protected]'. Had it been accepted as genuine, it would have given the conspirators the Agents' true Facebook account credentials -- but again, the indictment gives no further details.

In announcing the allegations, Assistant Attorney General Demers said, "Monica Witt is charged with revealing to the Iranian regime a highly classified intelligence program and the identity of a U.S. Intelligence Officer, all in violation of the law, her solemn oath to protect and defend our country, and the bounds of human decency," 

He continued, "Four Iranian cyber hackers are also charged with various computer crimes targeting members of the U.S. intelligence community who were Ms. Witt's former colleagues. This case underscores the dangers to our intelligence professionals and the lengths our adversaries will go to identify them, expose them, target them, and, in a few rare cases, ultimately turn them against the nation they swore to protect.  When our intelligence professionals are targeted or betrayed, the National Security Division will relentlessly pursue justice against the wrong-doers."

Witt and the four Iranian conspirators are all believed to be in Iran. Arrest warrants have been issued, and they will be arrested if they leave the country.

Related: Facebook Takes Down Vast Iran-led Manipulation Campaign 

Related: Iran-Linked Hackers Use Just-in-Time Creation of Weaponized Attack Docs 

Related: Iran Hackers Hunt Nuke Workers, US Officials 

Related: Israel Blocks Iran Cyber-attacks 'Daily': Netanyahu 

Related: U.S. Charges Two Iranians Over SamSam Ransomware Attacks 

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.