Monica Elfriede Witt, 39, a former U.S. service member and counterintelligence agent, has been indicted by a federal grand jury in the District of Columbia for conspiracy to deliver and delivering national defense information to representatives of the Iranian government. Witt, who defected to Iran in 2013, is alleged to have assisted Iranian intelligence services in targeting her former fellow agents in the U.S. Intelligence Community (USIC). Witt is also alleged to have disclosed the code name and classified mission of a U.S. Department of Defense Special Access Program. An arrest warrant has been issued for Witt, who remains at large.
The same indictment charges four Iranian nationals, Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar and Mohamad Paryar (the “Cyber Conspirators”), with conspiracy, attempts to commit computer intrusion and aggravated identity theft, for conduct in 2014 and 2015 targeting former co-workers and colleagues of Witt in the U.S. Intelligence Community. The Cyber Conspirators, using fictional and imposter social media accounts and working on behalf of the Iranian Revolutionary Guard Corps (IRGC), sought to deploy malware that would provide them covert access to the targets’ computers and networks. Arrest warrants have been issued for the Cyber Conspirators, who also remain at large.
“This case underscores the dangers to our intelligence professionals and the lengths our adversaries will go to identify them, expose them, target them, and, in a few rare cases, ultimately turn them against the nation they swore to protect,” said Assistant Attorney General John Demers. “When our intelligence professionals are targeted or betrayed, the National Security Division will relentlessly pursue justice against the wrong-doers.”
According to the allegations contained in the indictment unsealed today, Monica Witt, a U.S. citizen, was an active duty U.S. Air Force Intelligence Specialist and Special Agent of the Air Force Office of Special Investigations, who entered on duty in 1997 and left the U.S. government in 2008. Monica Witt separated from the Air Force in 2008 and ended work with DOD as a contractor in 2010. During her tenure with the U.S. government, Witt was granted high-level security clearances and was deployed overseas to conduct classified counterintelligence missions.
In Feb. 2012, Witt traveled to Iran to attend the Iranian New Horizon Organization’s “Hollywoodism” conference, an IRGC-sponsored event aimed at, among other things, condemning American moral standards and promoting anti-U.S. propaganda. Through subsequent interactions and communications with a dual United States-Iranian citizen referred to in the indictment as Individual A, Witt successfully arranged to re-enter Iran in Aug. 2013. Thereafter, Iranian government officials provided Witt with a housing and computer equipment. She went on to disclose U.S. classified information to the Iranian government official. As part of her work on behalf of the Iranian government, she conducted research about USIC personnel that she had known and worked with, and used that information to draft “target packages” against these U.S. agents.
Beginning in late 2014, the Cyber Conspirators began a malicious campaign targeting Witt’s former co-workers and colleagues. Specifically, Mesri registered and helped manage an Iranian company, the identity of which is known to the United States, which conducted computer intrusions against targets inside and outside the United States on behalf of the IRGC. Using computer and online infrastructure, in some cases procured by Mesri, the conspiracy tested its malware and gathered information from target computers or networks, and sent spearphishing messages to its targets. Specifically, between Jan. and May 2015, the Cyber Conspirators, using fictitious and imposter accounts, attempted to trick their targets into clicking links or opening files that would allow the conspirators to deploy malware on the target’s computer. In one such instance, the Cyber Conspirators created a Facebook account that purported to belong to a USIC employee and former colleague of Witt, and which utilized legitimate information and photos from the USIC employee’s actual Facebook account. This particular fake account caused several of Witt’s former colleagues to accept “friend” requests.