U.S. Air Force Intel Vet Monica Witt Is Accused of Being Iran’s Dumbest Spy
Monica Witt allegedly helped Iranian hackers set up honeypots. But she left a lot of breadcrumbs.
If there’s a silver lining to be found in Wednesday’s blockbuster indictment of a former U.S. Air Force intelligence officer who allegedly spied for Iran, it’s that the court papers detail how astonishingly bad Monica Witt was at espionage.
Witt allegedly visited Tehran in 2012 and 2013 for a conference sufficiently high-profile for the Anti-Defamation League to take note of its anti-semitism. She permitted herself to be broadcast on Iran’s propagandistic Press TV network and identified herself as a U.S. military veteran. She allegedly communicated with an Iranian who exhibited behavior the indictment calls “consistent with serving as a spotter and assessor on behalf of the Iranian intelligence services” over interceptable means like emails and texts. She was even warned by an FBI agent before her alleged 2013 defection that she was a “target for recruitment” by Iran.
For a trained counterintelligence specialist with the Air Force’s Office of Special Investigations, it’s notably sloppy work. And it had consequences. The indictment indicates that Witt’s digital fingerprints led to the exposure of a broader spy network “which operated in many ways like a typical business or organization” on behalf of the Islamic Revolutionary Guard Corps.
The spying effort is something the U.S. government has clearly monitored for some time. The Iranian spying outreach occurred in the first half of 2015. A grand jury has been empaneled on this case since July and the FBI put out a wanted poster for her on Wednesday.
The case borders on the bizarre, featuring honeypot enticements to U.S. government agents and references to Russia, Edward Snowden, and WikiLeaks.
But however poor or inexplicable Witt’s tradecraft may have been, the charges she faces are highly serious. Federal prosecutors in Washington, D.C., allege that Witt disclosed a code-named intelligence program to Iranian government officials, one that contained “details of ongoing counterintelligence operations, true names of sources, and the identities of U.S. agents involved in the recruitment of those sources.”
In one case, the indictment charges Witt with providing Iran with the “true name” of someone working on that code-named intelligence program. This colleague conducted “counterintelligence activities against a specific target,” the indictment alleges, likely something of interest to Iran. Several more of these sources fell for honeypot accounts that gave the Iranians greater access to their social network of American contacts.
All that represents a trove of information for an adversarial government. And it wasn’t all of what Witt is accused of providing. The indictment also alleges that shortly after her August 2013 defection to Iran, Witt gave the Iranians profile information on U.S. agents, including counterintelligence officers in the U.S. spy agencies–the sort of information that can be used to suborn or pressure them into becoming witting or unwitting assets for Iranian intelligence, or to put their lives in jeopardy.
And around late 2014, the indictment alleges, Witt worked with four Iranian “cyber conspirators” ordered to infiltrate the social networks and computer systems of Witt’s former intelligence colleagues.
Witt is charged with conspiracy and two counts of delivering national defense information to representatives of a foreign government. The federal court docket does not indicate that Witt has legal representation in the U.S., and efforts to reach her family in Florida were unsuccessful.
The unsealing of the indictment against Witt comes weeks after federal agents detained an American-born PressTV anchor, Marzieh Hashemi, as a grand jury witness in an unnamed case in the same courthouse. It’s not clear if the two cases are related. An attorney for the Arab Anti-Discrimination Committee, which advocated for the release of Hashemi, said he did not handle those legal proceedings and could not comment. According to the Tehran Times, Hashemi organized a conference on African-Americans for New Horizon, the same group that put on the Hollywoodism conference that Witt attended.
It’s not clear from the indictment how useful Witt was to Iran’s cyber espionage. Witt allegedly guided Iranian hackers to her former colleagues. One of the targets, deployed to Kabul for a Central Command intelligence activity, accepted a Facebook request from a honeypot account set up by the IRGC. Another target unwittingly added an Iranian-controlled account to a Facebook group of fellow American government employees. But there’s no allegation that Iran learned any secrets through either ploy.
The same goes for Iran’s attempt to get malware onto an intelligence worker’s computer through the “Bella Wood” persona. “Bella” communicated over email with the target after the Facebook connection was made, and “she”–actually four men–did her best to entice the officer with unspecified “photos” and a “pretty card.” But the effort was about as sophisticated as a fake Nigerian prince with a lucrative business offer.
“I’ll send you a file including my photos but u should deactivate your anti virus to open it because i designed my photos with a photo album software, I hope you enjoy the photos i designed for the new year,” the Iranian men allegedly wrote to their American target on Jan. 9, 2015. Then came a specification that ought to go into the hall of fame of spy thirst: “They should be opened in your computer honey.”
The Iranians may have had more success with another ploy: outright impersonating an intelligence agent on Facebook. The hackers allegedly created a fake profile by copying the agent’s real one, then started making friend requests to other intelligence agents. One target of this social engineering attack, identified as “USG Agent 5,” was a former co-worker of Witt’s. The agent not only accepted a friend request from the fake account, but “vouch[ed] for the Imposter Account” later when adding it to “a private Facebook group composed primarily of USG [U.S. government] agents.” That, the indictment says, gave the four Iranian hackers “greater access to information regarding USG agents.”
Two months after that, in May 2015, the four Iranians created an email address using the real name of someone the indictment identifies as having a “leadership role” during Witt’s Air Force tenure. This outreach was more sophisticated than Bella was. It faked a real Air Force domain, “@ogn.af.mil,” to send out malware. They also attempted another spearphish, this one masquerading as a Facebook email with a password-reset prompt. It’s unclear whether anyone was taken in by these efforts, or what might have been compromised as a result.
The four Iranians–Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar and Mohamad Paryar–set up shop as a hacking organization, allegedly “on behalf of the IRGC,” barely two weeks before Bella Wood went to work.
Parvar is the accused ringleader. He set up a cutout business that seemed to operate as a typical business, as it “disbursed regular salaries, established work hours, issued assignments and employed supervisors and managers.” Behind that front, they “develop[ed] and obtain[ed]” malware, including keyloggers, software to hijack a web camera, and other tools to lurk in a “persistent manner” on the U.S. government agents’ devices and networks.
All these people involved in Parvar’s fake business are “known to the United States,” the indictment says–another indication that Witt, despite her training as a U.S. military counterintelligence specialist, may have inadvertently compromised her own operation for Iran.
Witt joined the Air Force as a Cryptologic Linguist in 1997 before moving over to the Air Force’s Office of Special Investigations in 2003, and she served as an intelligence specialist and special agent for over 10 years. In that time she was deployed to a number of unspecified “overseas locations” for secret missions intercepting electronic communications, among the most sensitive roles in intelligence work. She had a top secret clearance and access to compartmentalized projects.
As laid out in the indictment, Witt began drifting toward betrayal in February 2012 when she made a trip to Iran to participate in an anti-American propaganda event called “Hollywoodism.” Witt allegedly converted to Islam on Iranian television and made statements on video “that were critical of the U.S. government, knowing these videos would be broadcast by Iranian media outlets,” the indictment charges.
Three months later FBI agents warned Witt that Iran had targeted her for recruitment as an intelligence asset, and she assured them that if she returned to Iran, she would keep her mouth shut about her work for the Air Force, according to the indictment. But the next month Witt took a paid job helping shoot another Iranian propaganda video, and in February 2013 she met with officials in the IRGC and formally declared that she wanted to move to Iran, according to the indictment.
Though not mentioned in the indictment, the International Affairs Review journal at George Washington University published a commentary by Witt in April 2012 in which she criticized the U.S. call for Iran’s neighbors to sever ties with Tehran, writing that “in enacting a policy of severe sanctions against Iran, the U.S. should address the potential affects (sic) on other countries and not inadvertently alienate friends by making them choose between Iran and the U.S.”
A February 2013 article on the International Quran News Agency website quoted Witt discussing her conversion—and blasting the U.S. military. “As someone who served in the US army for years, I expected that after embracing Islam, my right to choose a religion and my beliefs would be respected. However, a US army member becoming Muslim was not something they could stand. They are afraid of such individuals.”
Iran was initially suspicious of Witt and slow-walked her defection, according to the indictment. But she kicked the process into high gear by threatening to “do like Snowden” and go public with U.S. intelligence secrets from the safety of Russia.
“I think I can slip into Russia quietly if they help me and then I can contact wikileaks from there without disclosing my location,” she allegedly wrote in a June 2013 email to an Iranian contact.
The threat evidently worked. Her contact, the Iranian propaganda filmmaker for whom she worked, arranged a meeting between Witt and the Iranian ambassador to Afghanistan, and plans were drawn up to get her safely to Iran. “They are so kind,” Witt allegedly wrote, “even taking me to the airport.”
With additional reporting by Adam Rawnsley