Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged With a Cyber Campaign Targeting Her Former Colleagues
Monica Elfriede Witt, 39, a former U.S. service member and counterintelligence agent, has been indicted by a federal grand jury in the District of Columbia for conspiracy to deliver and delivering national defense information to representatives of the Iranian government. Witt, who defected to Iran in 2013, is alleged to have assisted Iranian intelligence services in targeting her former fellow agents in the U.S. Intelligence Community (USIC). Witt is also alleged to have disclosed the code name and classified mission of a U.S. Department of Defense Special Access Program. An arrest warrant has been issued for Witt, who remains at large.
The same indictment charges four Iranian nationals, Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar and Mohamad Paryar (the “Cyber Conspirators”), with conspiracy, attempts to commit computer intrusion and aggravated identity theft, for conduct in 2014 and 2015 targeting former co-workers and colleagues of Witt in the U.S. Intelligence Community. The Cyber Conspirators, using fictional and imposter social media accounts and working on behalf of the Iranian Revolutionary Guard Corps (IRGC), sought to deploy malware that would provide them covert access to the targets’ computers and networks. Arrest warrants have been issued for the Cyber Conspirators, who also remain at large.
The announcement was made by Assistant Attorney General for National Security John Demers, U.S. Attorney Jessie K. Liu for the District of Columbia, Executive Assistant Director for National Security Jay Tabb of the FBI, U.S. Treasury Secretary Steven Mnuchin, Special Agent Terry Phillips of the Air Force Office of Special Investigations, and Assistant Director in Charge Nancy McNamara of the FBI’s Washington Field Office.
“Monica Witt is charged with revealing to the Iranian regime a highly classified intelligence program and the identity of a U.S. Intelligence Officer, all in violation of the law, her solemn oath to protect and defend our country, and the bounds of human decency,” said Assistant Attorney General Demers. “Four Iranian cyber hackers are also charged with various computer crimes targeting members of the U.S. intelligence community who were Ms. Witt’s former colleagues. This case underscores the dangers to our intelligence professionals and the lengths our adversaries will go to identify them, expose them, target them, and, in a few rare cases, ultimately turn them against the nation they swore to protect. When our intelligence professionals are targeted or betrayed, the National Security Division will relentlessly pursue justice against the wrong-doers.”
“This case reflects our firm resolve to hold accountable any individual who betrays the public trust by compromising our national security,” said U.S. Attorney Liu. “Today’s announcement also highlights our commitment to vigorously pursue those who threaten U.S. security through state-sponsored hacking campaigns.”
“The charges unsealed today are the result of years of investigative work by the FBI to uncover Monica Witt’s betrayal of the oath she swore to safeguard America’s intelligence and defense secrets” said Executive Assistant Director for National Security Tabb. “This case also highlights the FBI’s commitment to disrupting those who engage in malicious cyber activity to undermine our country’s national security. The FBI is grateful to the Department of Treasury and the United States Air Force for their continued partnership and assistance in this case.”
“Treasury is taking action against malicious Iranian cyber actors and covert operations that have targeted Americans at home and overseas as part of our ongoing efforts to counter the Iranian regime’s cyber-attacks,” said Treasury Secretary Steven Mnuchin. “Treasury is sanctioning New Horizon Organization for its support to the IRGC-QF. New Horizon hosts international conferences that have provided Iranian intelligence officers a platform to recruit and collect damaging information from attendees, while propagating anti-Semitism and Holocaust denial. We are also sanctioning an Iran-based company that has attempted to install malware to compromise the computers of U.S. personnel.”
“The alleged actions of Monica Witt in assisting a hostile nation are a betrayal of our nation’s security, our military, and the American people,” said Special Agent Phillips. “While violations like this are extremely rare, her actions as alleged are an affront to all who have served our great nation.”
“This investigation exemplifies the tireless work the agents and analysts of the FBI do each and every day to bring a complex case like this to fruition,’ said Assistant Director in Charge McNamara. “Witt’s betrayal of her country and the actions of the cyber criminals – at the behest of the IRGC – could have brought serious damage to the United States, and we will not stand by and allow that to happen. The efforts by the Iranian government to target and harm the U.S. will not be taken lightly, and the FBI will continue our work to hold those individuals or groups accountable for their actions.”
According to the allegations contained in the indictment unsealed today:
Monica Witt’s Espionage
Monica Witt, a U.S. citizen, was an active duty U.S. Air Force Intelligence Specialist and Special Agent of the Air Force Office of Special Investigations, who entered on duty in 1997 and left the U.S. government in 2008. Monica Witt separated from the Air Force in 2008 and ended work with DOD as a contractor in 2010. During her tenure with the U.S. government, Witt was granted high-level security clearances and was deployed overseas to conduct classified counterintelligence missions.
In Feb. 2012, Witt traveled to Iran to attend the Iranian New Horizon Organization’s “Hollywoodism” conference, an IRGC-sponsored event aimed at, among other things, condemning American moral standards and promoting anti-U.S. propaganda. Through subsequent interactions and communications with a dual United States-Iranian citizen referred to in the indictment as Individual A, Witt successfully arranged to re-enter Iran in Aug. 2013. Thereafter, Iranian government officials provided Witt with a housing and computer equipment. She went on to disclose U.S. classified information to the Iranian government official. As part of her work on behalf of the Iranian government, she conducted research about USIC personnel that she had known and worked with, and used that information to draft “target packages” against these U.S. agents.
Iranian Hacking Efforts Targeting Witt’s Former Colleagues
Beginning in late 2014, the Cyber Conspirators began a malicious campaign targeting Witt’s former co-workers and colleagues. Specifically, Mesri registered and helped manage an Iranian company, the identity of which is known to the United States, which conducted computer intrusions against targets inside and outside the United States on behalf of the IRGC. Using computer and online infrastructure, in some cases procured by Mesri, the conspiracy tested its malware and gathered information from target computers or networks, and sent spearphishing messages to its targets. Specifically, between Jan. and May 2015, the Cyber Conspirators, using fictitious and imposter accounts, attempted to trick their targets into clicking links or opening files that would allow the conspirators to deploy malware on the target’s computer. In one such instance, the Cyber Conspirators created a Facebook account that purported to belong to a USIC employee and former colleague of Witt, and which utilized legitimate information and photos from the USIC employee’s actual Facebook account. This particular fake account caused several of Witt’s former colleagues to accept “friend” requests.