Could the U.S. have faced another Snowden case? It sure sounds that way.
A Grand Jury indicted former U.S. Air Force Intelligence Specialist and Special Agent, Monica Witt, for conspiring with Iran to commit Computer Intrusion and other
The indictment paints a picture of her work as she helped the Iranians target her former U.S. Intelligence colleagues using social media accounts, spearphishing, and malware.
And she is accused of sharing Top Secret information, classified by the government as information that could cause "grave damage" to national security if divulged.
U.S. Intelligence agent lobbying to help Iran
As Witt was making contact with co-conspirators in Iranian intelligence, a series of email exchanges with her Iranian contacts indicated that she had information to share and that she was going to share it, one way or another.
[Witt writing to Iran contact]: "If all else fails, I just may go public with a program and do like Snowden :)"
[Witt writing on another occasion to Iran contact]: "I think I can slip into Russia quietly if they help me and then I can contact wikileaks from there without disclosing my location."
As it turned out, the indictment says Iranians accepted her help and she moved there, along with information on true names of intelligence sources and clandestine agents, plus information on secret and top secret programs.
Assistant Attorney General for National Security, John C. Demers, painted the big picture of what happened and how Witt worked with the Islamic Revolutionary Guard Corps (IRGC):
"The other four defendants in this indictment, Iranian hackers working on behalf of the IRGC, targeted, through social media and other cyber-enabled means, at least eight U.S. government agents, all of whom at one time worked or interacted with Monica Witt."
Cyber methods: how Iran targeted U.S. Intelligence
The indictment is long, but cybersecurity readers will be interested in the specific steps Witt and her Iranian co-conspirators used to track and hack their targets.
- "It was part of the conspiracy that the Cyber Conspirators did obtain computer and online infrastructure, including virtual private servers, email accounts and social media accounts, and used this infrastructure to communicate with each other, to contact targets, and to transmit spearphishing emails and malware."
- "... the Cyber Conspirators did develop and obtain malware designed to capture a target's keystrokes, access a computer's web camera, and monitor other computer activity."
- "... the Cyber Conspirators did use fictitious and impostor personas to deceive their targets."
- "... after engaging online with a target, the Cyber Conspirators would and did send links and attachments that, when accessed by current and former U.S. counterintelligence agents, were designed to deploy malware and establish covert, persistent access to the recipient's computer network."
At least some of this work was carried out by an Iranian government-backed group of hackers that operated like a regular business, with set working hours, salaries for employees, a typical management structure, and computer intrusion assignments.
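The four indictment excerpts above describe one lure pattern: an impostor persona makes contact, then sends a link or attachment built to drop malware. As an added example (not code from the article, the indictment, or any tool it mentions), the script below runs three cheap triage heuristics over a message in that shape: a sender domain that imitates a trusted one, an HTML link whose visible text names one host while its href points at another, and an attachment with an executable extension. The trusted-domain allowlist, the attacker host names and both sample messages are constructed for illustration; real mail would come from a mailbox export or a gateway quarantine.

```python
"""Triage heuristics for the lure pattern in the indictment excerpts:
an impostor persona, a link whose visible text and real destination
differ, and an attachment built to drop malware.

Added example, not code from the article or the indictment. The trusted
domain list, the sample messages and the attacker host names are
constructed for illustration.
"""
import re
from email import message_from_string
from email.message import Message
from typing import List, Optional, Set
from urllib.parse import urlparse

# Constructed allowlist: domains the recipient's organisation really uses.
TRUSTED_DOMAINS: Set[str] = {"example.gov", "mail.example.gov"}

# Attachment types that commonly carry a dropper (illustrative, not exhaustive).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm")

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)


def sender_domain(msg: Message) -> str:
    """Domain part of the From: header, lower-cased ('' if absent)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def lookalike(domain: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None.

    Two cheap impostor tricks are covered: a trusted name used as the leading
    labels of an attacker-registered domain (example.gov.attacker.invalid)
    and a single-character substitution (examp1e.gov).
    """
    if domain in trusted:
        return None
    for t in trusted:
        if domain.startswith(t + "."):
            return t
        if len(domain) == len(t) and sum(a != b for a, b in zip(domain, t)) == 1:
            return t
    return None


def findings(raw_message: str) -> List[str]:
    """Run every heuristic over one RFC 822 message; return human-readable flags."""
    msg = message_from_string(raw_message)
    flags: List[str] = []

    imitated = lookalike(sender_domain(msg), TRUSTED_DOMAINS)
    if imitated:
        flags.append(f"sender domain {sender_domain(msg)} imitates {imitated}")

    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment {filename}")
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", errors="replace")
            for href, text in ANCHOR_RE.findall(html):
                shown = [urlparse(u).hostname for u in URL_RE.findall(text)]
                real = urlparse(href).hostname or ""
                if shown and real not in shown:
                    flags.append(f"link shows {shown[0]} but goes to {real}")
    return flags


# Constructed lure in the shape the indictment describes: an impostor
# "colleague", a link whose visible text is a trusted host but whose href
# is attacker infrastructure, and a screensaver executable posing as a photo.
SAMPLE_LURE = """\
From: "J. Reyes" <j.reyes@examp1e.gov>
To: target@example.gov
Subject: Photos from the reunion
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Great to reconnect! Album: <a href="http://cdn-share.attacker.invalid/album">https://photos.example.gov/reunion</a></p>
--b1
Content-Type: application/octet-stream; name="reunion.jpg.scr"
Content-Disposition: attachment; filename="reunion.jpg.scr"

ZmFrZQ==
--b1--
"""

# Constructed benign message from a genuine colleague; should produce no flags.
SAMPLE_BENIGN = """\
From: Colleague <colleague@example.gov>
To: target@example.gov
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon.
"""

if __name__ == "__main__":
    for name, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(name, findings(sample) or "no findings")
```

These checks are deliberately simple and will miss a lure that uses a freshly registered, unrelated domain or a link-shortener; they are a first pass for a mailbox sweep, not a substitute for detonating the attachment or resolving the link in a sandbox.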
Shocking results from social media attacks
Part of the hacking effort against U.S. agents came in the form of social media attacks. The conspirators scraped publicly available information and photos from the web (open-source intelligence, or OSINT) and used them to build a convincing Facebook profile that was in fact an impostor account.
That account then sent friend requests to other U.S. agents. Accepting the "friend request" did not by itself infect anything; it put the impostor in a trusted position from which, as the indictment describes, the conspirators sent links and attachments designed to deploy malware and establish "covert, persistent access" to the recipient's computer.
One of the U.S. agents who got duped even added the impostor account to a private Facebook group of other agents.
This allowed the co-conspirators to access more information on more agents. You can see how this would snowball.
There is much more in the grand jury indictment; read the U.S. Intelligence Agent Indictment for yourself, if you'd like.
And know this much: If you have something at your organization or agency that nation-state hackers want, they may enact an entire covert operation to get it.
That is certainly what is revealed in this case.