Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/13/2019
03:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Ex-US Intel Officer Charged with Helping Iran Target Her Former Colleagues

Monica Witt, former Air Force and counterintel agent, has been indicted for conspiracy activities with Iranian government, hackers.

A former US Air Force intelligence specialist and counterintelligence agent with the Defense Department has been indicted for conspiring to provide national defense information to four Iranian nationals acting on behalf of the Iranian Revolutionary Guard Corps (IRGC). 

Monica Elfriede Witt, 39, was charged with helping the Iranian nationals target her former US intel agent colleagues via social engineering and spear-phishing attacks that aimed to install backdoor malware on their systems. The four Iranian nationals - Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar, and Mohamad Paryar - were charged with conspiracy and related hacking and identity theft offenses for cyberattack campaigns in 2014 and 2015 against Witt's former co-workers.

Witt, who defected to Iran in 2013, remains at large, as do Masoumpour, Mesri, Parvar, and Paryar. She also faces charges for allegedly providing the Iranians with information on a classified DoD mission.

Meanwhile, the US Treasury Department issued sanctions today against two Iranian organizations associated with the case, including an Iranian company behind the malware used in the attacks on the US agents.

"The charges unsealed today are the result of years of investigative work by the FBI to uncover Monica Witt's betrayal of the oath she swore to safeguard America's intelligence and defense secrets," said Jay Tabb, FBI Executive Assistant Director for National Security, in a statement. "This case also highlights the FBI's commitment to disrupting those who engage in malicious cyber activity to undermine our country's national security. The FBI is grateful to the Department of Treasury and the United States Air Force for their continued partnership and assistance in this case."

Facebook and 'Target Packages'
According to the indictment, Witt provided the Iranian nationals with "target packages" to help them social-engineer her former colleagues via phony Facebook and email accounts that tried to lure the victims to click on malicious links or file attachments. In one case, the attackers built a phony Facebook profile and account using the name, information, and real photos from a legitimate US intel agent's account. They then leveraged that account to target other agents where Witt once worked.

Social media targeting has long been a popular attack tool of Iranian cyber espionage groups. In 2017, researchers at SecureWorks detailed an elaborate attack campaign out of Iran that featured "Mia Ash," the online persona used by the infamous Iran-based hacker team behind the destructive data-wiping attack on Saudi Aramco as well as other Middle East targets.

The highly detailed and creative social engineering ruse employed Mia - a young, London-based professional photographer who's also an Arsenal FC fan - as the lure on Facebook, LinkedIn, and blog accounts in order to ultimately drop information-stealing spy malware onto the victim's machine. 

Another recently identified Iranian hacking team, dubbed APT39 by FireEye, has been spotted going after telecommunications and travel industry firms in order to drill down more deeply on the comings and goings of its cyber espionage targets. APT39 takes a more "personal" touch of getting information on individuals and tries to camoflauge its activities: running an altered version of Mimikatz that bypasses anti-malware tools, for example. 

John Hultquist, director of intelligence analysis for FireEye, says while his firm hasn't identified the attacks involving Witt, his team sees Iranian hackers regularly employ social media lures.

"Some of these operations have been very compelling, and we have seen connections to flag officers and ambassadors as well as people working in classified spaces," he says. "However, these operations have never been perfect, and they have often been exposed by cultural blunders and a failure to understand targets. They have been found on many different platforms, including Facebook, LinkedIn, Twitter, YouTube, and even Pinterest."

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13864
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
CVE-2020-13865
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.
CVE-2020-11696
PUBLISHED: 2020-06-05
In Combodo iTop a menu shortcut name can be exploited with a stored XSS payload. This is fixed in all iTop packages (community, essential, professional) in version 2.7.0 and iTop essential and iTop professional in version 2.6.4.
CVE-2020-11697
PUBLISHED: 2020-06-05
In Combodo iTop, dashboard ids can be exploited with a reflective XSS payload. This is fixed in all iTop packages (community, essential, professional) for version 2.7.0 and in iTop essential and iTop professional packages for version 2.6.4.
CVE-2020-13646
PUBLISHED: 2020-06-05
In the cheetah free wifi 5.1 driver file liebaonat.sys, local users are allowed to cause a denial of service (BSOD) or other unknown impact due to failure to verify the value of a specific IOCTL.