Former US Air Force Counterintelligence Agent Charged With Espionage on Behalf of Iran

Good grief–an AFOSI Special Agent defected to Iran???

(DOJ) Monica Elfriede Witt, 39, a former U.S. service member and counterintelligence agent, has been indicted by a federal grand jury in the District of Columbia for conspiracy to deliver and delivering national defense information to representatives of the Iranian government.

Witt, who defected to Iran in 2013, is alleged to have assisted Iranian intelligence services in targeting her former fellow agents in the U.S. Intelligence Community (USIC).

Witt is also alleged to have disclosed the code name and classified mission of a U.S. Department of Defense Special Access Program.

An arrest warrant has been issued for Witt, who remains at large.

The same indictment charges four Iranian nationals, Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar and Mohamad Paryar (the “Cyber Conspirators”), with conspiracy, attempts to commit computer intrusion and aggravated identity theft, for conduct in 2014 and 2015 targeting former co-workers and colleagues of Witt in the U.S. Intelligence Community.

The Cyber Conspirators, using fictional and imposter social media accounts and working on behalf of the Iranian Revolutionary Guard Corps (IRGC), sought to deploy malware that would provide them covert access to the targets’ computers and networks.

Arrest warrants have been issued for the Cyber Conspirators, who also remain at large.

The announcement was made by

  • Assistant Attorney General for National Security John Demers,
  • U.S. Attorney Jessie K. Liu for the District of Columbia,
  • Executive Assistant Director for National Security Jay Tabb of the FBI,
  • U.S. Treasury Secretary Steven Mnuchin,
  • Special Agent Terry Phillips of the Air Force Office of Special Investigations, and
  • Assistant Director in Charge Nancy McNamara of the FBI’s Washington Field Office.

“Monica Witt is charged with revealing to the Iranian regime a highly classified intelligence program and the identity of a U.S. Intelligence Officer, all in violation of the law, her solemn oath to protect and defend our country, and the bounds of human decency. Four Iranian cyber hackers are also charged with various computer crimes targeting members of the U.S. intelligence community who were Ms. Witt’s former colleagues. This case underscores the dangers to our intelligence professionals and the lengths our adversaries will go to identify them, expose them, target them, and, in a few rare cases, ultimately turn them against the nation they swore to protect. When our intelligence professionals are targeted or betrayed, the National Security Division will relentlessly pursue justice against the wrong-doers.”—Assistant Attorney General Demers

“This case reflects our firm resolve to hold accountable any individual who betrays the public trust by compromising our national security. Today’s announcement also highlights our commitment to vigorously pursue those who threaten U.S. security through state-sponsored hacking campaigns.”—U.S. Attorney Liu

“The charges unsealed today are the result of years of investigative work by the FBI to uncover Monica Witt’s betrayal of the oath she swore to safeguard America’s intelligence and defense secrets. This case also highlights the FBI’s commitment to disrupting those who engage in malicious cyber activity to undermine our country’s national security. The FBI is grateful to the Department of Treasury and the United States Air Force for their continued partnership and assistance in this case.”—Executive Assistant Director for National Security Tabb

“Treasury is taking action against malicious Iranian cyber actors and covert operations that have targeted Americans at home and overseas as part of our ongoing efforts to counter the Iranian regime’s cyber-attacks. Treasury is sanctioning New Horizon Organization for its support to the IRGC-QF. New Horizon hosts international conferences that have provided Iranian intelligence officers a platform to recruit and collect damaging information from attendees, while propagating anti-Semitism and Holocaust denial. We are also sanctioning an Iran-based company that has attempted to install malware to compromise the computers of U.S. personnel.”—Treasury Secretary Steven Mnuchin

“The alleged actions of Monica Witt in assisting a hostile nation are a betrayal of our nation’s security, our military, and the American people. While violations like this are extremely rare, her actions as alleged are an affront to all who have served our great nation.”—Special Agent Phillips

“This investigation exemplifies the tireless work the agents and analysts of the FBI do each and every day to bring a complex case like this to fruition. Witt’s betrayal of her country and the actions of the cyber criminals – at the behest of the IRGC – could have brought serious damage to the United States, and we will not stand by and allow that to happen. The efforts by the Iranian government to target and harm the U.S. will not be taken lightly, and the FBI will continue our work to hold those individuals or groups accountable for their actions.”—Assistant Director in Charge McNamara

According to the allegations contained in the indictment unsealed today:

Monica Witt’s Espionage

Monica Witt, a U.S. citizen, was an active duty U.S. Air Force Intelligence Specialist and Special Agent of the Air Force Office of Special Investigations, who entered on duty in 1997 and left the U.S. government in 2008.

Monica Witt separated from the Air Force in 2008 and ended work with DOD as a contractor in 2010.

During her tenure with the U.S. government, Witt was granted high-level security clearances and was deployed overseas to conduct classified counterintelligence missions.

In Feb. 2012, Witt traveled to Iran to attend the Iranian New Horizon Organization’s “Hollywoodism” conference, an IRGC-sponsored event aimed at, among other things, condemning American moral standards and promoting anti-U.S. propaganda.

Through subsequent interactions and communications with a dual United States-Iranian citizen referred to in the indictment as Individual A, Witt successfully arranged to re-enter Iran in Aug. 2013.

Thereafter, Iranian government officials provided Witt with housing and computer equipment.

She went on to disclose U.S. classified information to the Iranian government official.

As part of her work on behalf of the Iranian government, she conducted research about USIC personnel that she had known and worked with, and used that information to draft “target packages” against these U.S. agents.

Iranian Hacking Efforts Targeting Witt’s Former Colleagues

Beginning in late 2014, the Cyber Conspirators began a malicious campaign targeting Witt’s former co-workers and colleagues.

Specifically, Mesri registered and helped manage an Iranian company, the identity of which is known to the United States, which conducted computer intrusions against targets inside and outside the United States on behalf of the IRGC.

Using computer and online infrastructure, in some cases procured by Mesri, the conspiracy tested its malware and gathered information from target computers or networks, and sent spearphishing messages to its targets.

Specifically, between Jan. and May 2015, the Cyber Conspirators, using fictitious and imposter accounts, attempted to trick their targets into clicking links or opening files that would allow the conspirators to deploy malware on the target’s computer.

In one such instance, the Cyber Conspirators created a Facebook account that purported to belong to a USIC employee and former colleague of Witt, and which utilized legitimate information and photos from the USIC employee’s actual Facebook account. This particular fake account caused several of Witt’s former colleagues to accept “friend” requests.

* * *

The case is being investigated by the FBI’s Washington Field Office with assistance from the Air Force Office of Special Investigations. The prosecution is being handled by Assistant U.S. Attorneys Deborah Curtis, Jocelyn Ballantine and Luke Jones of the U.S. Attorney’s Office for the District of Columbia with assistance from Trial Attorney Evan N. Turgeon of the National Security Division’s Counterintelligence and Export Control Section.

Monica Witt Indictment (PDF)

FBI Wanted Poster

Born: April 8, 1979 in El Paso, TX

From the affidavit:

  • Held TS/SCI clearance throughout Air Force and contractor career
  • Access to HUMINT containing true names of intel sources and clandestine agents of the Intel Community
  • Feb 1998-April 1999: Assigned to US Defense Language Institute in Monterey, CA; trained in Persian Farsi
  • May 1999-Nov 2003: Deployed to several overseas locations to conduct classified SIGINT ops
  • Nov 2003-March 2008: Assigned as AFOSI criminal investigator and counterintelligence officer
  • In AFOSI, granted access to SAP regarding ongoing CI ops, true names of sources, identities of US intel officers involved in recruitment of sources
  • March 2008-Aug 2010: Employed as US government contractor. Acted as AFOSI desk officer for SAP
  • Signed around 15 non-disclosure, secrecy agreements throughout career
  • After she defected, she and the Iranians targeted:
    • 2 co-workers who worked with her in the SAP
    • 2 co-workers who worked with her elsewhere in the Air Force
    • 2 co-workers who were deployed in the Middle East with Witt
    • 1 leader while Witt was in the Air Force
    • 1 person who attended training with Witt while in the Air Force
  • Traveled to Iran, identified herself as a US military veteran who desired to defect to Iran
  • Made efforts to provide bona fides to IRGC to show she was willing to disclose classified info
  • Conducted research to create targeting packages against US CI agents
  • Disclosed classified info to Iranian government

Timeline:

  • Feb 2012: traveled to Iran to attend the Iranian New Horizon Organization’s “Hollywoodism” conference, an IRGC-sponsored event aimed at, among other things, condemning American moral standards and promoting anti-U.S. propaganda.
  • Feb 2012: appeared in an Iranian/IRGC video where she was identified as a US military veteran; made statements critical of the US government. Video was broadcast on Iranian TV, including a ceremony where she converted to Islam
  • May 2012: FBI warned her she was a target for recruitment by the Iranian intel services. She told them that if she ever returned to Iran, she would refuse to provide any info about her classified work
  • June 2012: Iranian individual traveled to US and hired her to work as her assistant in connection with the filming of an anti-American propaganda film later aired in Iran
  • June 2012-August 2013: Communicated regularly with Iranian citizen that she worked as an assistant for
  • Oct 2012: Witt said to Iranian citizen she was endeavoring to put the training she received in the US Air Force “to good use instead of evil.”
  • Feb 2013: Traveled to Iran again to attend another “Hollywoodism” conference
  • Feb 2013: Met with IRGC members; told them she was a veteran who was critical of US military and desired to emigrate to Iran
  • Feb 2013: Appeared in more videos where she made statements that were critical of US government
  • 23 June 2013: Witt told Iranian citizen, “If all else fails, I just may go public with a program and do like Snowden.”
  • 30 June 2013: Witt told him she had gone to Iranian embassy in Kabul, Afghanistan and “told all”. The embassy said they would get back to her if they can help her before she leaves. She told them she was down to little choices and would be traveling to other areas to request assistance.
  • 1 July 2013: Iranian citizen told Witt he was talking to people “until 2 in the morning about your case.” He had several different channels working on it. One of them was suspicious of her because she had no money and was going from country to country. Witt replied “no matter what, they are just going to be suspicious, right? I just hope I have better luck with Russia at this point. I am starting to get frustrated at the level of Iranian suspicion.”
  • 3 July 2013: Witt told Iranian citizen she thinks she can slip into Russia quietly if they help her and then she can contact Wikileaks from there without disclosing her location
  • 30 July 2013: Iranian citizen told Witt to call an Iranian ambassador
  • 31 July 2013: Witt said Iranians are giving her money to head to Dubai to wait for approval there from the embassy
  • 12 Aug 2013: Iranian citizen told Witt he is looking into Turkey for asylum, but she was nervous because it is an extradition country
  • 25 Aug 2013: Witt sends Iranian citizen her bio and job history, a conversion narrative, chronological listing of her work history, copy of her DD214. Iranian forwards this email to someone in Iran
  • July 2013-Aug 2013: Witt does multiple searches on Facebook for names of her fellow CI agents
  • 28 Aug 2013: Witt tells Iranian citizen she is boarding flight from Dubai to Tehran and that she is “coming home”
  • 28 Aug 2013: Witt defects to Iran; discloses SAP to Iranian government officials
  • Jan 2014-May 2015: Witt conducts multiple Facebook searches for US Govt agents using fake Facebook accounts; creates target packages against US govt agents, including US counterintelligence officers; discloses name of US agent conducting CI activities against an Iranian target

Four Iranian Cyber Conspirators:

  • Used malware to capture a target’s keystrokes, access a computer’s web camera and monitor other computer activity
  • Used fictitious and imposter personas to deceive their targets in their communications
  • Used names of true persons, including US Government agents and persons affiliated with them, to entice targets to engage with conspirators
  • After engaging, conspirators sent links and attachments to current and former US counterintelligence agents designed to deploy malware and establish covert, persistent access to computers and networks
  • Conspirators, using a fictitious Facebook account, sent a friend request to a US government Agent 1 deployed to Kabul as part of a CENTCOM Joint Intelligence Unit. Agent 1 accessed Facebook through a DOD server on a US Government computer. Agent 1 accepted friend request. Agent 1 also accessed Facebook using personal devices connected via wireless services hosted by DOD.
  • Conspirators emailed Agent 1 an invitation card which, if the Agent clicked on it, would have taken Agent 1 to servers controlled by conspirators. Invitation card had tracking software to tell that Agent 1 opened email via a DOD computer network located in Kabul.
  • Conspirators emailed Agent 1 another email trying to get Agent to click on links
  • Conspirators created an imposter Facebook account under the true name of female US Government Agent 3. Took information and photos from Agent 3’s legitimate Facebook account to create the imposter account.
  • Conspirators sent a friend request from imposter Agent 3 Facebook account to Agent 1, who accepted the friend request
  • Same day, this imposter Agent 3 Facebook account sent Agent 1 an email with an attachment that appeared to be a .JPG image but was in fact a .zip file containing malware. Agent 1 did not click on it.
  • Later, imposter Agent 3 Facebook account sent a friend request to Agent 4, who accepted the request. Later imposter account emailed Agent 4 asking for help opening a photo album. Agent 4 learned that the imposter account was not legitimate and unfriended the account
  • US Govt Agent 5 had friended imposter account and vouched for imposter account to join a private Facebook group composed primarily of US Govt Agents.
  • Imposter account emailed Agents 2, 6, 7 and 8 with a link that appeared to be associated with an international news outlet asking if the article was about the recipient. If clicked, link would have directed recipients to page controlled by conspirators.
  • Conspirators designed fake email that appeared to come from US Govt Agent 7 with Agent’s name followed by legitimate US military domain name
  • Conspirators sent out another fake email appearing to come from Facebook with subject line of Reset Password


Assistant Attorney General for National Security John C. Demers Delivers Remarks on the Unsealing of United States v. Monica Witt, et al.
Washington, DC ~ Wednesday, February 13, 2019

Good morning.

Today, we announce that a federal grand jury in the District of Columbia has indicted a former U.S. Air Force counterintelligence officer, Monica Witt, for espionage on behalf of the Government of Iran. It further charges four Iranians, acting on behalf of the Iranian Revolutionary Guard Corps (IRGC), with attempting malign computer intrusions and aggravated identity theft targeting members of the U.S. intelligence community who were former colleagues of Monica Witt.

It is a sad day for America when one of its citizens betrays our country. It is sadder still when this person, as a member of the American armed forces, previously invoked the aid of God to bear true faith and allegiance to the Constitution of the United States and to defend her country against foreign enemies. Monica Witt is alleged to have done just this.

My colleagues, Jessie Liu, the U.S. Attorney for the District of Columbia, and Jay Tabb, the FBI Executive Assistant Director for National Security, will explain the charges against the defendants in greater detail. Andrea Gacki, Director of the Office of Foreign Assets Controls, will announce certain related Treasury Department actions, and Terry Phillips of the U.S. Air Force will make a brief statement on behalf of the Office of Special Investigations, where Ms. Witt worked.

From the perspective of the National Security Division, this indictment stands at the confluence of two streams of our national security cases. The first charging Iran and other foreign adversaries with engaging in malign cyber activity. Whether by disrupting the internet through DDOS attacks, stealing intellectual property, or hacking and dumping emails, Iran and others continue to use cyber tools against the United States.

The second stream involves former members of the intelligence community charged with, and in the case of Kevin Mallory, convicted of, espionage. The case unsealed today underscores the dangers to our intelligence professionals and the lengths our adversaries will go to identify them, expose them, target them, and, in a few rare cases, ultimately turn them against the nation they swore to protect. Espionage by past or present members of the intelligence community poses a significant threat to our country and a heightened danger to their former colleagues.

Ms. Witt was recruited by Iran as part of a program that targets former intelligence officers and others who have held security clearances. Following her defection to Iran in 2013, she is alleged to have revealed to the Iranian government the existence of a highly classified intelligence collection program and the true identity of a U.S. intelligence officer, thereby risking the life of this individual. In addition, she is alleged to have conspired with the Government of Iran to research, in some instances through social media, and create target packages – documents that enabled the Government of Iran to identify, track, and neutralize U.S. counterintelligence agents. The other four defendants in this indictment, Iranian hackers working on behalf of the IRGC, targeted, through social media and other cyber-enabled means, at least eight U.S. government agents, all of whom at one time worked or interacted with Monica Witt.

Our intelligence professionals swear an oath to protect our country, and we trust them to uphold that oath. With good reason. These brave women and men give us their all. But every great while, one of these trusted people fails us. When this happens, the National Security Division will relentlessly pursue justice against them no matter where they are. We will do so to protect this country. We will do so to protect their colleagues. And we will do so to protect all of us.

I will now turn the microphone over to U.S. Attorney, Jessie Liu.
