Security Experts:

Connect with us

Hi, what are you looking for?



Former U.S. Air Force Officer Indicted for Aiding Iranian Cyber Attacks

Former Air Force intelligence officer, Monica Elfriede Witthas been charged with betraying her oath to protect and defend the United States and providing secret U.S. information to the Iranian government.

Former Air Force intelligence officer, Monica Elfriede Witthas been charged with betraying her oath to protect and defend the United States and providing secret U.S. information to the Iranian government. Four named Iranian citizens affiliated with the Iranian Revolutionary Guard Corps (IRGC), have also been charged with various cyber-related conspiracies using information provided by Witt.

The charges were unveiled Wednesday in a grand jury indictment (PDF) following four years of investigation by the FBI and the Air Force Office of Special Investigations (AFOSI). The named Iranians are Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar, and Mohamad Paryar.

Witt joined the Air Force in 1997 and served as a special agent with AFOSI with access to top secret information — including the true identity of intelligence sources and other U.S. agents. She served until 2008, but then did two further years DOD work as a contractor.

She converted to Islam in 2012. In June 2012, she was visited in the U.S. by a ‘spotter’ for the Iranian government, described in the indictment as ‘Individual A’. With his assistance, she defected to Iran in August 2013.

The indictment alleges that in 2015 her special knowledge of U.S. agents helped the four Iranians craft and deliver spear-phishing messages that could have led to major computer intrusions on U.S. government networks. The primary targets are specified in the indictment as Agents 1 through 8. 

In one attempt, the Iranians (the conspirators) created a fake Facebook account in the name of Bella Wood, and sent a ‘friend’ request to Agent 2. This was accepted. This allowed them to later email Agent 2 as a known friend (bella.wood87(at) with a ‘friend’ card. The email link to the card, had it been clicked, would have taken the agent to a server controlled by the conspirators.

Agent 2 did not click the link, but the conspirators now knew that the email had been opened via a DOD network located in Kabul, Afghanistan. They sent a second email offering photos of Bella Wood, but claiming Agent 2 would need to deactivate his anti-virus in order to get them, and that “they should be opened in your computer honey.” The link again went to the conspirators’ server.

In another attack, the conspirators created an imposter Facebook account in the true name of Agent 3, using information and photos from Agent 3’s legitimate Facebook account. This account sent a friend request to Agent 1, who accepted. The imposter account subsequently messaged Agent 1 with an attachment purporting to be a JPG file. Had it been opened, it would have launched malware able to give the conspirators “covert, persistent access on USG Agent 1’s computer and any associated network.”

The same imposter account simultaneously friended Agent 4, and subsequently asked for help in opening a photo album that wouldn’t work on the imposter’s laptop. Agent 4 simply defriended the imposter.

Agent 5, however, both friended the imposter and added it to a private Facebook group ‘composed primarily of USG Agents’. “By joining the group,” says the indictment, “the Cyber Conspirators obtained greater access to information regarding USG Agents.”

Two months later, the imposter account sent separate messages to Agents 2,6,7 and 8. Each contained a link to what appeared to be a legitimate news story. The message asked if the article was about the recipient, but the link was directed to a page controlled by the conspirators. It isn’t clear from the indictment whether this was entirely spoofed, or whether the conspirators had compromised the news agency and set up a fake page within it.

Outside of Facebook, the conspirators attempted email spear-phishing. They designed an email that appeared to come from Agent 7, using his true name followed by ‘’, which is a genuine U.S. government domain. The indictment does not clarify who this email was sent to, nor what it contained.

The conspirators also designed a ‘reset password’ email that appeared to come from ‘[email protected]’. Had it been accepted as genuine, it would have given the conspirators the Agents’ true Facebook account credentials — but again, the indictment gives no further details.

In announcing the allegations, Assistant Attorney General Demers said, “Monica Witt is charged with revealing to the Iranian regime a highly classified intelligence program and the identity of a U.S. Intelligence Officer, all in violation of the law, her solemn oath to protect and defend our country, and the bounds of human decency,” 

He continued, “Four Iranian cyber hackers are also charged with various computer crimes targeting members of the U.S. intelligence community who were Ms. Witt’s former colleagues. This case underscores the dangers to our intelligence professionals and the lengths our adversaries will go to identify them, expose them, target them, and, in a few rare cases, ultimately turn them against the nation they swore to protect.  When our intelligence professionals are targeted or betrayed, the National Security Division will relentlessly pursue justice against the wrong-doers.”

Witt and the four Iranian conspirators are all believed to be in Iran. Arrest warrants have been issued, and they will be arrested if they leave the country.

Related: Facebook Takes Down Vast Iran-led Manipulation Campaign 

Related: Iran-Linked Hackers Use Just-in-Time Creation of Weaponized Attack Docs 

Related: Iran Hackers Hunt Nuke Workers, US Officials 

Related: Israel Blocks Iran Cyber-attacks ‘Daily’: Netanyahu 

Related: U.S. Charges Two Iranians Over SamSam Ransomware Attacks 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The easiest way for a cyber-attacker to gain access to sensitive data is by compromising an end user’s identity and credentials. Things get even...


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.