In 2019, an indictment of Iranian hackers targeting American government officials barely raises an eyebrow. But in one remarkable case, those hackers had an unusual advantage: the alleged help of an American defector with a top secret clearance.
On Wednesday, the Department of Justice announced charges against Monica Elfriede Witt, a former Air Force counterintelligence officer who, the indictment claims, was recruited by the Iranian government to spill highly classified information, some of which was then used by Iranian hackers—four of whom are also charged—to target Witt's former US government colleagues. The charges represent a rare defection of an American military officer to become an active participant in another country's espionage operations.
Witt allegedly helped expose the identity of an active US agent, as well as the code name and classified details of a secret US counterintelligence operation, all in service of Iran.
"The case unsealed today underscores the dangers to our intelligence professionals, and the lengths our adversaries will go to identify them, expose them, target them, and in a few rare cases ultimately turn them against the nation they swore to protect," assistant attorney general John Demers said in a press conference. "Espionage by past or current members of the intelligence community poses a threat to our country, and a heightened danger to their former colleagues."
The indictment against Witt tells the story of an American former military officer and contractor slowly drawn into Iran's influence over the course of several years. Finally, in 2014 and 2015, she allegedly became an active participant in Iranian espionage operations, helping the four hackers named in the indictment—Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar, and Mohamad Paryar—to hone honeypot attacks via email and social media phishing that targeted eight of her former colleagues.
Witt spent a decade as an Air Force intelligence specialist, and then two years working for a contractor left unnamed in the indictment. Afterward, in early 2012, Witt allegedly traveled to Iran to attend an all-expenses-paid "Hollywoodism" conference held by an Iranian group known as New Horizons, which the Justice Department describes as focused on anti-American propaganda, including anti-semitism and Holocaust denial. According to the organization's website, its conferences focus on topics including "Muslims in Europe, Islamophobia, Iranophobia, Discriminations, US State hostility towards Afro-Americans, Zionist Lobby," and "911." Around the same time, the indictment says, Witt appeared in videos broadcast on Iranian TV criticizing the US government and converting to Islam.
Three months later, the FBI says it warned Witt she was a target for Iranian recruitment. Just weeks after that warning, she was hired by an Iranian-American based in Tehran—whom the indictment labels "Individual A"—to work on a film the indictment describes as a documentary with an anti-American bent. The following year, Witt attended the "Hollywoodism" conference again. The Treasury Department joined in Wednesday's press conference to announce new sanctions against New Horizons, as well as an unnamed private firm that employed the hackers she aided.
The indictment details messages Witt allegedly sent to Individual A documenting her transition. "I am endeavoring to put the training I received to good use instead of evil," she wrote, adding a smiling emoji. "Thanks for giving me the opportunity."
After her second trip to the New Horizons conference in 2013, Witt allegedly began telling her Iranian-American contact that she was ready to defect, or, as she described it in messages included in the indictment, become a WikiLeaks-style whistleblower. "If all else fails, I may just go public with a program and do like Snowden :)," she wrote. A week later, she allegedly told Individual A she had "told all" to representatives in the Iranian embassy in Kabul, Afghanistan. Not long after that, apparently frustrated with the suspicion and lack of action from the Iranians, she described a plan to "slip into Russia quietly" and contact WikiLeaks.
Ultimately, it appears that Individual A did help Witt arrange a meeting with Iranian officials in Dubai, and finally defect to Tehran.
Once she'd settled in Iran, Witt worked actively for the Iranian government, the indictment charges, telling them classified details of a sensitive "special access project"—only elliptically described in the indictment—and its specific target. Over the next two years, she allegedly helped search Facebook for details of US agents she had previously worked with, assembled "target packages" that provided profiles of the agents for Iranian hackers, and even shared the name of one active agent in a compromising position, endangering that agent's life, according to assistant attorney general Demers.
The Iranian hackers, according to the indictment, used Witt's target profiles to send phishing emails and social media messages to her former colleagues, including one based in Afghanistan. They allegedly created a persona named Bella Wood, in an attempt to trick US agents into installing malware that would monitor their computer activities, steal passwords, and access their webcam.
"I'll send you a file including my photos but u should deactivate your antivirus to open it," one email from the Bella Wood character read. "I hope you enjoy the photos I designed for the new year, they should opened in your computer honey." In other cases, the hackers sent links spoofing news stories at sites they controlled, as well as fake password reset pages in an attempt to steal Facebook passwords, though it's not clear if any of the intended victims fell for those ruses.
The FBI’s wanted poster for Witt states only that she may be in Southwest Asia—hardly a promising sign that she’ll ever be arrested by American authorities. But as in the growing stack of cases where the US Department of Justice indicts foreign hackers and spies, the FBI and Justice Department say they intend the charges to telegraph a message to anyone who might attempt to follow in her or her handlers’ footsteps.
“Today should serve as a warning to those who seek out our current and former national security personnel for the sensitive information they have, and to those individuals themselves,” said FBI executive assistant director Jay Tabb in Wednesday’s press conference. “Unlike Witt, we take the oaths we swear seriously, and we will continue to pursue those who do not.”