US prosecutors on Wednesday announced the indictment of a former US counterintelligence agent on charges of helping Iran conduct cyberattacks on her former colleagues.
The legal eagles also charged four Iranian nationals said to have carried out related computer crimes.
Former US Air Force intelligence agent Monica Elfriede Witt, 39, defected to Iran in 2013, according to the Justice Department. She’s charged with providing Iranian intelligence with classified information and with helping to compile background research on US intelligence agents to facilitate online attacks against them.
The four Iranians named in the indictment – Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar and Mohamad Paryar – have been charged with conspiracy, attempted computer intrusion and aggravated identity theft for cyber attacks against Witt’s former colleagues and other US intelligence personnel in 2014 and 2015. The four are said to have worked on behalf of the Iranian Revolutionary Guard Corps (IRGC).
Arrest warrants have been issued for Witt and her alleged co-conspirators, who remain at large.
“This case underscores the dangers to our intelligence professionals and the lengths our adversaries will go to identify them, expose them, target them, and, in a few rare cases, ultimately turn them against the nation they swore to protect,” said Assistant Attorney General for National Security John Demers in a statement.
“When our intelligence professionals are targeted or betrayed, the National Security Division will relentlessly pursue justice against the wrong-doers.”
Breaking out the sanctions stick
In conjunction with the indictments, the US Treasury Department has announced sanctions again two organizations – New Horizon Organization and Net Peygard Samavat Company – and nine affiliated individuals for supporting spying operations against US intelligence personnel. The sanctions limit the ability of named organizations and individuals to conduct certain financial transactions.
Witt’s indictment describes her defection to Iran, her revelation of the name of a US operative conducting counterintelligence against an undisclosed target, and her efforts involving multiple fake accounts on Facebook to compile data on members of the US intelligence community for the benefit of Iranian operations.
The four Iranians named are said to have conducted spearphishing attacks to distribute malware that included keyloggers, webcam takeover code, and other surveillance applications. The links and attachments they allegedly sent were intended to hijack recipients’ devices.
What’s Farsi for ‘as subtle as a nuke through a window’? Foreign diplomats in Iran hit by renewed Remexi nasty
Among the attempted attack techniques, according to the indictment, was the creation of an imposter Facebook account using the photo of an intelligence agent from a legitimate Facebook account. The fake account was used to establish friend connections with actual intelligence agents and induce them to click on shared links with malicious files.
Through friend requests, the fake Facebook account managed to befriend several actual US intelligence agents. But beyond that, the indictment makes no mention of whether the attackers managed to compromise any targeted systems; the charges describe attempted but not successful computer crimes.
One message cited in the indictment, sent to induce a US intelligence agent to click on a malicious link, shows no sign of sophistication, at least in its text. It includes the sort of errant English found in common junk messages and makes a request that should set off alarm bells.
“I’ll send you a file including my photos but u should deactivate your your anti virus to open it because i designed my photos with a photo album software, I hope you enjoy the photos i designed for the new year, they should be opened in your computer honey.”
If such inept wording actually works, there’s hope the Justice Department could catch its fugitive defendants by messaging them about an inheritance fortune waiting for them in the US. ®