A former Air Force counterintelligence official has defected to Iran and supplied Tehran's Islamic Revolutionary Guards Corps with secrets, including information on how spy agencies communicate secretly with recruited agents.
Monica Elfriede Witt, 39, the former counterspy and an intelligence contractor, is believed to be living in Iran and was indicted Feb. 8 on espionage and conspiracy charges, federal law enforcement officials announced on Wednesday.
"Monica Witt is charged with revealing to the Iranian regime a highly classified intelligence program and the identity of a U.S. intelligence officer, all in violation of the law, her solemn oath to protect and defend our country, and the bounds of human decency," said Assistant Attorney General John Demers.
"It is a sad day for America when one of its citizens betrays our country," he added.
Along with Witt, four Iranian hackers were indicted on charges of computer intrusions in a bid to recruit other current and former counterspies, and for delivering defense information to Iran.
The unsealed indictment stated that Witt was recruited by the IRGC Quds Force, the Islamic paramilitary organization engaged in covert action, intelligence gathering, and support for international terrorism.
"She decided to turn against the United States and shift her loyalty to Iran," said Jay Tabb, FBI executive assistant director for national security. "Her primary motivation appears to be ideological."
Witt, also known as Fatemah Zahra and Narges Witt, was an Air Force enlisted intelligence specialist from 1997 to 2008 who worked for the Office of Special Investigations (OSI), the service's intelligence wing. She was trained as a Farsi language specialist and was involved in signals intelligence collection and human spying operations in the Middle East.
While at OSI from 2003 to 2008, Witt had access to an extremely sensitive intelligence known as a Special Access Program, or SAP, that according to the indictment included details of counterintelligence operations, true names of recruited agents, and the identities of U.S. intelligence operatives engaged in recruiting the agents.
The secret intelligence program "allowed agents to communicate in the open without disclosing the nature of their operations," the indictment states.
Knowing the details of the communications program would allow Iranian intelligence to track and identify the recruited agents.
Witt was the OSI desk officer for the secret program from 2008 to August 2010, when she left the intelligence contracting firm.
The Iranians were able to recruit Witt through a dual U.S.-Iranian national who was not identified by name in court papers but was described as a "spotter and assessor" for Iran's intelligence services.
The compromise of the communications program related to Iranian agents may also have led to the 2010 compromise of more than a dozen recruited CIA officers in China.
U.S. intelligence agencies are unsure how the as many as 30 Chinese agents were betrayed, imprisoned, or killed. But officials believe the security breach was the result of a traitorous CIA officer, or the compromise of the agent communications system.
Recent news reports of the Chinese agent loss have said the case of the Chinese intelligence failure was believed to be related to the penetration of Middle East agent communications system used by the CIA. The CIA is the mission manager for all U.S. human intelligence operations.
The defection of a counterintelligence officer to Iran is the latest in a string of intelligence failures caused by hostile spy agencies.
During the Cold War, most of the CIA's recruited agents in the Soviet Union and later Russia were uncovered and neutralized as a result of turncoat CIA officer Aldrich Ames and FBI Special Agent traitor Robert Hanssen. Both were counterintelligence officials who spied for Moscow, Ames from 1985 to 1993, and Hanssen from 1979 to 2001.
The CIA also lost a large number of its recruited agents in Eastern Europe during the Cold War as well as in Cuba.
Officials would not say whether any recruited Iranian agents were identified or killed as a result of the compromises alleged to have been made by Witt.
However, asked to describe the damage from the case, the FBI's Tabb said it caused "serious damage to national security." He did not elaborate.
Witt provided documents and information to Iranian IRGC officers and intermediaries from January 2012 to May 2015 in and outside the country.
At one point, Witt traveled to Iran as part of an IRGC-sponsored visit and told IRGC officials she was a former military veteran who wanted to defect.
As part of her spying, Witt produced "target packages" for the Iranians that involved research for use against former special agents, U.S. counterintelligence analysts, and other intelligence officials known by her, the indictment said.
Witt traveled to Iran in February 2012 for an anti-Hollywood conference hosted by the IRGC that condemned American moral standards and promoted anti-U.S. propaganda. That same month, she appeared in an Iranian video criticizing the United States. In one broadcast, Witt converted to Islam.
FBI agents questioned Witt on May 25, 2012, and warned her she was targeted for recruitment by Iranian intelligence. She told the agents that if she ever returned to Iran she would refuse to provide information about her OSI work.
In June 2012, the Iranian spotter hired Witt as an assistant in producing an anti-American propaganda film.
In February 2013, Witt again traveled to Iran for a second anti-Hollywood conference, and met with IRGC members and said she desired to emigrate to Iran.
Witt was apparently the target of electronic surveillance during the multi-year investigation into her activities.
In October 2012, Witt wrote, apparently in a text message, to the spotter, who had asked if he should thank the secretary of defense for her training. "LOL thank the sec of defense? For me?" she responded. "Well, I loved the work, and I am endeavoring to put the training I received to good use instead of evil 😀. Thanks for giving me the opportunity."
Witt later wrote that "If all else fails, I just may go public with a program and do like Snowden :)," the indictment said.
A week after that communication, Witt stated that she had gone to the Iranian embassy in Kabul and "told all."
After Iranian officials became suspicious of Witt, she told her spotter that she may have "better luck with Russia" and stated she could "slip into Russia quietly if they help me and then I can contact wikileaks from there without disclosing my location."
Witt in July 2013 was directed to contact the Iranian ambassador in Dushanbe, Tajikistan.
Her apparent defection to Iran took place Aug. 28, 2013, after she sent a text as she prepared to board a commercial flight from Dubai to Tehran, stating, "I'm signing off and heading out! Coming home J."
Once in Iran, government officials provided Witt with housing and computer equipment to facilitate her work with the Tehran regime. Around that time, she compromised the code name and mission of the Pentagon Special Access Program that involved U.S. intelligence operations against specific targets.
The cyber attacks by Iran involved the four hackers using spear phishing emails that led to planting malicious software that remotely captured keystrokes. The operations were targeted against current and former counterintelligence agents.
One of the agents targeted by the Iranians was fooled into using a Facebook account set up by the Iranians as part of the hacking operation and the agent also was fooled into granting the Iranian hackers access to his computer.
The four Iranian nationals charged in the indictment were identified as Mojtaba Masoumpour, Behzad Mesri, Hossein Parvar, and Mohamad Paryar.
Separately, the Treasury Department announced Wednesday that the department is imposing sanctions on the New Horizon Organization, the organization that sponsored the conference that Witt attended in Iran. The sanctions were for the organization's links to the IRGC Quds Force.
"New Horizon hosts international conferences that have provided Iranian intelligence officers a platform to recruit and collect damaging information from attendees, while propagating anti-Semitism and Holocaust denial," Treasury Secretary Steven Mnuchin said in a statement.
"We are also sanctioning an Iran-based company that has attempted to install malware to compromise the computers of U.S. personnel."