Game of Thrones hacker worked with US defector to hack Air Force employees for Iran

Former US Air Force intelligence agent passed crucial information to Iranian state hackers after she defected to Iran in 2013.
Written by Catalin Cimpanu, Contributor

The US Department of Justice unsealed today espionage-related charges against a former US Air Force service member who defected to Iran and helped the country's hackers target her former Air Force colleagues.

Besides charges and an arrest warrant issued in the name of the former USAF service member, the DOJ also indicted four Iranian hackers who supposedly carried out the cyber-attacks acting on information provided by Witt.

The most notable of the four Iranian hackers is Behzad Mesri, who US authorities also charged in November 2017 with hacking HBO, stealing scripts for unaired episodes of season 6 of the hit TV series Game of Thrones, and later attempting to extort HBO execs for $6 million.

Mesri isn't just some random cyber-criminal; he's believed to be a member of the "Charming Kitten" Iranian cyber-espionage unit, a top hacker, and a close collaborator of the Iranian Revolutionary Guard Corps (IRGC), the country's main intelligence service.

But at the heart of today's indictment stands Monica Elfriede Witt, 39, a former US Air Force counter-intelligence special agent who specialized in Middle East operations, served in the Air Force between 1997 and 2008, and later worked as a DOD contractor until 2010, including for Booz Allen Hamilton, the same defense company where Edward Snowden worked.

Prosecutors say that Iranian intelligence recruited Witt in 2012 when she attended a conference in Iran called "Hollywoodism," organized by Iranian company New Horizon Organization and sponsored by the IRGC. The conference's main topic was condemning American moral standards, promoting anti-US propaganda, anti-Semitism, and Holocaust denial.

Prosecutors say that Witt established relations with individuals she met at the conference, one of whom later arranged her defection to Iran in August 2013, where she received housing and computer equipment from the Iranian government.

The DOJ claims Witt has been working ever since with IRGC hacking units to craft and fine-tune cyber-operations against her former Air Force colleagues, some of whom she knew personally.

Some of the attacks mentioned in the indictment include spear-phishing campaigns, malware infections, and social media-based operations.

Witt allegedly provided information on the targets that were worth hacking and even worked with the four hackers to register an impostor Facebook account in the name of a former colleague, successfully befriending other special agents.

Witt's defection and subsequent collaboration with Iranian hackers were made much worse because she also had a high-level security clearance and field duty experience, and indirectly helped Iranian intelligence gain deep insight into how US operations are conducted both internally and overseas.

All five suspects named in the indictment are still at large, believed to be located in Iran. The DOJ says Witt now goes by the names of Fatemah Zahra or Narges Witt.

The US Department of Treasury also announced economic sanctions against two Iranian companies today: New Horizon Organization, for its support of the IRGC; and Net Peygard Samavat Company, a company that developed and attempted to install malware on US government personnel's computers under the coordination of the IRGC.
