Threat Intelligence

2/13/2019
03:50 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Ex-US Intel Officer Charged with Helping Iran Target Her Former Colleagues

Monica Witt, former Air Force and counterintel agent, has been indicted for conspiracy activities with Iranian government, hackers.

A former US Air Force intelligence specialist and counterintelligence agent with the Defense Department has been indicted for conspiring to provide national defense information to four Iranian nationals acting on behalf of the Iranian Revolutionary Guard Corps (IRGC). 

Monica Elfriede Witt, 39, was charged with helping the Iranian nationals target her former US intel agent colleagues via social engineering and spear-phishing attacks that aimed to install backdoor malware on their systems. The four Iranian nationals - Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar, and Mohamad Paryar - were charged with conspiracy and related hacking and identity theft offenses for cyberattack campaigns in 2014 and 2015 against Witt's former co-workers.

Witt, who defected to Iran in 2013, remains at large, as do Masoumpour, Mesri, Parvar, and Paryar. She also faces charges for allegedly providing the Iranians with information on a classified DoD mission.

Meanwhile, the US Treasury Department issued sanctions today against two Iranian organizations associated with the case, including an Iranian company behind the malware used in the attacks on the US agents.

"The charges unsealed today are the result of years of investigative work by the FBI to uncover Monica Witt's betrayal of the oath she swore to safeguard America's intelligence and defense secrets," said Jay Tabb, FBI Executive Assistant Director for National Security, in a statement. "This case also highlights the FBI's commitment to disrupting those who engage in malicious cyber activity to undermine our country's national security. The FBI is grateful to the Department of Treasury and the United States Air Force for their continued partnership and assistance in this case."

Facebook and 'Target Packages'
According to the indictment, Witt provided the Iranian nationals with "target packages" to help them social-engineer her former colleagues via phony Facebook and email accounts that tried to lure the victims to click on malicious links or file attachments. In one case, the attackers built a phony Facebook profile and account using the name, information, and real photos from a legitimate US intel agent's account. They then leveraged that account to target other agents where Witt once worked.

Social media targeting has long been a popular attack tool of Iranian cyber espionage groups. In 2017, researchers at SecureWorks detailed an elaborate attack campaign out of Iran that featured "Mia Ash," the online persona used by the infamous Iran-based hacker team behind the destructive data-wiping attack on Saudi Aramco as well as other Middle East targets.

The highly detailed and creative social engineering ruse employed Mia - a young, London-based professional photographer who's also an Arsenal FC fan - as the lure on Facebook, LinkedIn, and blog accounts in order to ultimately drop information-stealing spy malware onto the victim's machine. 

Another recently identified Iranian hacking team, dubbed APT39 by FireEye, has been spotted going after telecommunications and travel industry firms in order to drill down more deeply on the comings and goings of its cyber espionage targets. APT39 takes a more "personal" touch of getting information on individuals and tries to camoflauge its activities: running an altered version of Mimikatz that bypasses anti-malware tools, for example. 

John Hultquist, director of intelligence analysis for FireEye, says while his firm hasn't identified the attacks involving Witt, his team sees Iranian hackers regularly employ social media lures.

"Some of these operations have been very compelling, and we have seen connections to flag officers and ambassadors as well as people working in classified spaces," he says. "However, these operations have never been perfect, and they have often been exposed by cultural blunders and a failure to understand targets. They have been found on many different platforms, including Facebook, LinkedIn, Twitter, YouTube, and even Pinterest."

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7399
PUBLISHED: 2019-02-17
Amazon Fire OS before 5.3.6.4 allows a man-in-the-middle attack against HTTP requests for "Terms of Use" and Privacy pages.
CVE-2019-8392
PUBLISHED: 2019-02-17
An issue was discovered on D-Link DIR-823G devices with firmware 1.02B03. There is incorrect access control allowing remote attackers to enable Guest Wi-Fi via the SetWLanRadioSettings HNAP API to the web service provided by /bin/goahead.
CVE-2019-8394
PUBLISHED: 2019-02-17
Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10012 allows remote attackers to upload arbitrary files via login page customization.
CVE-2019-8395
PUBLISHED: 2019-02-17
An Insecure Direct Object Reference (IDOR) vulnerability exists in Zoho ManageEngine ServiceDesk Plus (SDP) before 10.0 build 10007 via an attachment to a request.
CVE-2019-8389
PUBLISHED: 2019-02-17
A file-read vulnerability was identified in the Wi-Fi transfer feature of Musicloud 1.6. By default, the application runs a transfer service on port 8080, accessible by everyone on the same Wi-Fi network. An attacker can send the POST parameters downfiles and cur-folder (with a crafted ../ payload) ...