A former US Air Force intelligence specialist and counterintelligence agent with the Defense Department has been indicted for conspiring to provide national defense information to four Iranian nationals acting on behalf of the Iranian Revolutionary Guard Corps (IRGC).
Monica Elfriede Witt, 39, was charged with helping the Iranian nationals target her former US intel agent colleagues via social engineering and spear-phishing attacks that aimed to install backdoor malware on their systems. The four Iranian nationals - Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar, and Mohamad Paryar - were charged with conspiracy and related hacking and identity theft offenses for cyberattack campaigns in 2014 and 2015 against Witt's former co-workers.
Witt, who defected to Iran in 2013, remains at large, as do Masoumpour, Mesri, Parvar, and Paryar. She also faces charges for allegedly providing the Iranians with information on a classified DoD mission.
Meanwhile, the US Treasury Department issued sanctions today against two Iranian organizations associated with the case, including an Iranian company behind the malware used in the attacks on the US agents.
"The charges unsealed today are the result of years of investigative work by the FBI to uncover Monica Witt's betrayal of the oath she swore to safeguard America's intelligence and defense secrets," said Jay Tabb, FBI Executive Assistant Director for National Security, in a statement. "This case also highlights the FBI's commitment to disrupting those who engage in malicious cyber activity to undermine our country's national security. The FBI is grateful to the Department of Treasury and the United States Air Force for their continued partnership and assistance in this case."
Facebook and 'Target Packages'
According to the indictment, Witt provided the Iranian nationals with "target packages" to help them social-engineer her former colleagues via phony Facebook and email accounts that tried to lure the victims to click on malicious links or file attachments. In one case, the attackers built a phony Facebook profile and account using the name, information, and real photos from a legitimate US intel agent's account. They then leveraged that account to target other agents where Witt once worked.
Social media targeting has long been a popular attack tool of Iranian cyber espionage groups. In 2017, researchers at SecureWorks detailed an elaborate attack campaign out of Iran that featured "Mia Ash," the online persona used by the infamous Iran-based hacker team behind the destructive data-wiping attack on Saudi Aramco as well as other Middle East targets.
The highly detailed and creative social engineering ruse employed Mia - a young, London-based professional photographer who's also an Arsenal FC fan - as the lure on Facebook, LinkedIn, and blog accounts in order to ultimately drop information-stealing spy malware onto the victim's machine.
Another recently identified Iranian hacking team, dubbed APT39 by FireEye, has been spotted going after telecommunications and travel industry firms in order to drill down more deeply on the comings and goings of its cyber espionage targets. APT39 takes a more "personal" touch of getting information on individuals and tries to camoflauge its activities: running an altered version of Mimikatz that bypasses anti-malware tools, for example.
John Hultquist, director of intelligence analysis for FireEye, says while his firm hasn't identified the attacks involving Witt, his team sees Iranian hackers regularly employ social media lures.
"Some of these operations have been very compelling, and we have seen connections to flag officers and ambassadors as well as people working in classified spaces," he says. "However, these operations have never been perfect, and they have often been exposed by cultural blunders and a failure to understand targets. They have been found on many different platforms, including Facebook, LinkedIn, Twitter, YouTube, and even Pinterest."
- New Hacker Group Behind 'DNSpionage' Attacks in Middle East
- Iranian Hacker Group Waging Widespread Espionage Campaign in Middle East
- 'Chafer' Uses Open Source Tools to Target Iran's Enemies
- Iran Ups its Traditional Cyber Espionage Tradecraft
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.