Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/13/2019
03:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Ex-US Intel Officer Charged with Helping Iran Target Her Former Colleagues

Monica Witt, former Air Force and counterintel agent, has been indicted for conspiracy activities with Iranian government, hackers.

A former US Air Force intelligence specialist and counterintelligence agent with the Defense Department has been indicted for conspiring to provide national defense information to four Iranian nationals acting on behalf of the Iranian Revolutionary Guard Corps (IRGC). 

Monica Elfriede Witt, 39, was charged with helping the Iranian nationals target her former US intel agent colleagues via social engineering and spear-phishing attacks that aimed to install backdoor malware on their systems. The four Iranian nationals - Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar, and Mohamad Paryar - were charged with conspiracy and related hacking and identity theft offenses for cyberattack campaigns in 2014 and 2015 against Witt's former co-workers.

Witt, who defected to Iran in 2013, remains at large, as do Masoumpour, Mesri, Parvar, and Paryar. She also faces charges for allegedly providing the Iranians with information on a classified DoD mission.

Meanwhile, the US Treasury Department issued sanctions today against two Iranian organizations associated with the case, including an Iranian company behind the malware used in the attacks on the US agents.

"The charges unsealed today are the result of years of investigative work by the FBI to uncover Monica Witt's betrayal of the oath she swore to safeguard America's intelligence and defense secrets," said Jay Tabb, FBI Executive Assistant Director for National Security, in a statement. "This case also highlights the FBI's commitment to disrupting those who engage in malicious cyber activity to undermine our country's national security. The FBI is grateful to the Department of Treasury and the United States Air Force for their continued partnership and assistance in this case."

Facebook and 'Target Packages'
According to the indictment, Witt provided the Iranian nationals with "target packages" to help them social-engineer her former colleagues via phony Facebook and email accounts that tried to lure the victims to click on malicious links or file attachments. In one case, the attackers built a phony Facebook profile and account using the name, information, and real photos from a legitimate US intel agent's account. They then leveraged that account to target other agents where Witt once worked.

Social media targeting has long been a popular attack tool of Iranian cyber espionage groups. In 2017, researchers at SecureWorks detailed an elaborate attack campaign out of Iran that featured "Mia Ash," the online persona used by the infamous Iran-based hacker team behind the destructive data-wiping attack on Saudi Aramco as well as other Middle East targets.

The highly detailed and creative social engineering ruse employed Mia - a young, London-based professional photographer who's also an Arsenal FC fan - as the lure on Facebook, LinkedIn, and blog accounts in order to ultimately drop information-stealing spy malware onto the victim's machine. 

Another recently identified Iranian hacking team, dubbed APT39 by FireEye, has been spotted going after telecommunications and travel industry firms in order to drill down more deeply on the comings and goings of its cyber espionage targets. APT39 takes a more "personal" touch of getting information on individuals and tries to camoflauge its activities: running an altered version of Mimikatz that bypasses anti-malware tools, for example. 

John Hultquist, director of intelligence analysis for FireEye, says while his firm hasn't identified the attacks involving Witt, his team sees Iranian hackers regularly employ social media lures.

"Some of these operations have been very compelling, and we have seen connections to flag officers and ambassadors as well as people working in classified spaces," he says. "However, these operations have never been perfect, and they have often been exposed by cultural blunders and a failure to understand targets. They have been found on many different platforms, including Facebook, LinkedIn, Twitter, YouTube, and even Pinterest."

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5798
PUBLISHED: 2019-05-23
Lack of correct bounds checking in Skia in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
CVE-2019-5799
PUBLISHED: 2019-05-23
Incorrect inheritance of a new document's policy in Content Security Policy in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page.
CVE-2019-5800
PUBLISHED: 2019-05-23
Insufficient policy enforcement in Blink in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to bypass content security policy via a crafted HTML page.
CVE-2019-5801
PUBLISHED: 2019-05-23
Incorrect eliding of URLs in Omnibox in Google Chrome on iOS prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page.
CVE-2019-5802
PUBLISHED: 2019-05-23
Incorrect handling of download origins in Navigation in Google Chrome prior to 73.0.3683.75 allowed a remote attacker to perform domain spoofing via a crafted HTML page.