The Justice Department on Wednesday unsealed an indictment against a former Air Force counterintelligence officer on espionage charges for allegedly revealing classified information to Iran.
On a Wednesday conference call with reporters, the Justice Department said former Air Force officer Monica Witt defected to Iran in 2013, where she is still suspected to be located. She allegedly provided the code name and mission of a secret Department of Defense program and information about her former intelligence colleagues to Iran’s Islamic Revolutionary Guard Corps.
Four Iranian nationals said to be working with Witt were named in the indictment and face charges for alleged efforts to collect intelligence from U.S. individuals abroad and target Witt’s former military and government co-workers in cyber attacks.
“It is a sad day for America when one of its citizens betrays our country,” John Demers, assistant attorney general for national security, told reporters. “It is sadder still when this person, as a member of the American armed forces, previously invoked the aid of God to bear true faith and allegiance to the Constitution of the United States and to defend her country against foreign enemies.”
Witt served in the Air Force from 1997 to 2008 before working as a government contractor for two years, authorities said. She had a top secret security clearance from the time she joined the military until she terminated her employment with the government in 2010.
In 2012, Witt traveled to Iran to attend a conference put on by the New Horizon Organization, which has hosted events designed to promote anti-U.S. sentiments, according to the indictment. The Treasury Department on Wednesday announced sanctions on the Iran-based organization, which has used similar conferences to collect intelligence from foreign attendees.
Prosecutors said a few months later, Witt began to correspond with an unnamed individual, known to the grand jury, who is a dual citizen of the United States and Iran.
“I am endeavoring to put the training I received to good use instead of evil,” she wrote to the individual in October of 2012, according to charges. Witt eventually sent this person her biography and job history, including her “conversion narrative.”
Witt began appearing in videos for Iranian broadcasts where she identified herself as a U.S. veteran and criticized the U.S. government, prosecutors said. She attended another New Horizon Organization conference in 2013.
Then, in August of 2013, Witt wrote to her contact as she boarded a flight from Dubai to Tehran: “Coming home.”
According to the indictment, it was around this time that Witt defected and began to receive housing, computer equipment and other goods and services from the Iranian government. She also disclosed the code name and mission of a secret Pentagon program.
Witt also used fake Facebook accounts to conduct a number of Facebook searches on her former colleagues and their families, later creating “target packages” for Iran against U.S. counterintelligence officers, prosecutors said.
“Witt’s primary motivation appeared to be ideological,” Jay Tabb, FBI executive assistant for national security, told reporters. “In other words, she decided to turn against the United States and shift her loyalties to the government of Iran.”
Prosecutors also accused the Iranian hackers of using false personas to communicate with U.S. government personnel and sending them emails that contained attachments laced with malware.
The Iranian defendants — Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar and Mohamad Paryar — wrote and purchased malware that could log keystrokes, activate a victim’s webcam and “monitor other computer activity,” according to the indictment.
“After engaging online with a target,” the charging document said, the hackers “would and did send links and attachments that … were designed to deploy malware and establish covert, persistent access to the recipient’s computer and associated network.”
The logistical coordinator of this alleged operation was Behzad Mesri, whom the Justice Department separately charged in November 2017 with hacking HBO and stealing unaired episodes and scripts. According to the new indictment, Mesri purchased computer servers and set up a business in December 2014 that would serve as the staging infrastructure for the Iranian operatives.
The Iranians tried to infect their American victims’ computers with malware through social engineering, posing as trusted or at least trustworthy associates to bypass the Americans’ natural suspicions.
In one instance in January 2015, the Iranians used a Facebook account impersonating one “Bella Woods” to send a fake greeting card to an unnamed U.S. intelligence community employee who had accepted their friend request. The link actually pointed to a server run by the hackers, letting them know if the victim had clicked it. Several days later, the same account encouraged the U.S. government worker to open “a file including my photos” and warned them to “deactivate your anti virus” before doing so.
The target of this attack, like the other hacking targets described in the indictment, either worked or otherwise interacted with Witt, the government said.
In March 2015, according to the indictment, the Iranian hackers tried to breach the computer of the U.S. counterintelligence officer whose name Witt provided to her Iranian contacts.
They created a Facebook account impersonating a different U.S. government worker and used it to send a malware-laden file to the counterintelligence agent. The attachment, which masqueraded as an image file, actually contained software that would have given the hackers “covert, persistent access” to the target’s computer and any network to which they connected.
The hackers also sent a friend request from the impersonator account to yet another agent, who accepted the request but later severed ties after learning that it was fake.
Months later, the hackers allegedly crafted two fake emails that were designed to trick their victims. One was intended to look like it came from a U.S. government worker, while the other was a spoofed Facebook password-reset message. Russian hackers used the same password-reset trick to breach the email account of John Podesta, Hillary Clinton’s 2016 campaign chairman.