Threat Intelligence

2/13/2019
03:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Ex-US Intel Officer Charged with Helping Iran Target Her Former Colleagues

Monica Witt, former Air Force and counterintel agent, has been indicted for conspiracy activities with Iranian government, hackers.

A former US Air Force intelligence specialist and counterintelligence agent with the Defense Department has been indicted for conspiring to provide national defense information to four Iranian nationals acting on behalf of the Iranian Revolutionary Guard Corps (IRGC). 

Monica Elfriede Witt, 39, was charged with helping the Iranian nationals target her former US intel agent colleagues via social engineering and spear-phishing attacks that aimed to install backdoor malware on their systems. The four Iranian nationals - Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar, and Mohamad Paryar - were charged with conspiracy and related hacking and identity theft offenses for cyberattack campaigns in 2014 and 2015 against Witt's former co-workers.

Witt, who defected to Iran in 2013, remains at large, as do Masoumpour, Mesri, Parvar, and Paryar. She also faces charges for allegedly providing the Iranians with information on a classified DoD mission.

Meanwhile, the US Treasury Department issued sanctions today against two Iranian organizations associated with the case, including an Iranian company behind the malware used in the attacks on the US agents.

"The charges unsealed today are the result of years of investigative work by the FBI to uncover Monica Witt's betrayal of the oath she swore to safeguard America's intelligence and defense secrets," said Jay Tabb, FBI Executive Assistant Director for National Security, in a statement. "This case also highlights the FBI's commitment to disrupting those who engage in malicious cyber activity to undermine our country's national security. The FBI is grateful to the Department of Treasury and the United States Air Force for their continued partnership and assistance in this case."

Facebook and 'Target Packages'
According to the indictment, Witt provided the Iranian nationals with "target packages" to help them social-engineer her former colleagues via phony Facebook and email accounts that tried to lure the victims to click on malicious links or file attachments. In one case, the attackers built a phony Facebook profile and account using the name, information, and real photos from a legitimate US intel agent's account. They then leveraged that account to target other agents where Witt once worked.

Social media targeting has long been a popular attack tool of Iranian cyber espionage groups. In 2017, researchers at SecureWorks detailed an elaborate attack campaign out of Iran that featured "Mia Ash," the online persona used by the infamous Iran-based hacker team behind the destructive data-wiping attack on Saudi Aramco as well as other Middle East targets.

The highly detailed and creative social engineering ruse employed Mia - a young, London-based professional photographer who's also an Arsenal FC fan - as the lure on Facebook, LinkedIn, and blog accounts in order to ultimately drop information-stealing spy malware onto the victim's machine. 

Another recently identified Iranian hacking team, dubbed APT39 by FireEye, has been spotted going after telecommunications and travel industry firms in order to drill down more deeply on the comings and goings of its cyber espionage targets. APT39 takes a more "personal" touch of getting information on individuals and tries to camoflauge its activities: running an altered version of Mimikatz that bypasses anti-malware tools, for example. 

John Hultquist, director of intelligence analysis for FireEye, says while his firm hasn't identified the attacks involving Witt, his team sees Iranian hackers regularly employ social media lures.

"Some of these operations have been very compelling, and we have seen connections to flag officers and ambassadors as well as people working in classified spaces," he says. "However, these operations have never been perfect, and they have often been exposed by cultural blunders and a failure to understand targets. They have been found on many different platforms, including Facebook, LinkedIn, Twitter, YouTube, and even Pinterest."

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10091
PUBLISHED: 2019-03-21
AudioCodes IP phone 420HD devices using firmware version 2.2.12.126 allow XSS.
CVE-2018-10093
PUBLISHED: 2019-03-21
AudioCodes IP phone 420HD devices using firmware version 2.2.12.126 allow Remote Code Execution.
CVE-2017-2659
PUBLISHED: 2019-03-21
It was found that dropbear before version 2013.59 with GSSAPI leaks whether given username is valid or invalid. When an invalid username is given, the GSSAPI authentication failure was incorrectly counted towards the maximum allowed number of password attempts.
CVE-2017-16231
PUBLISHED: 2019-03-21
** DISPUTED ** In PCRE 8.41, after compiling, a pcretest load test PoC produces a crash overflow in the function match() in pcre_exec.c because of a self-recursive call. NOTE: third parties dispute the relevance of this report, noting that there are options that can be used to limit the amount of st...
CVE-2017-16232
PUBLISHED: 2019-03-21
** DISPUTED ** LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue.