Meet ‘Charming Kitten,’ the Iranian Hackers Linked to Air Force Defector

Monica Witt fled to Iran and was indicted for espionage—alongside an Iranian hacking luminary.

Maverick, an American shorthair, keeps his claw on the mouse as he uses a computer at a press preview for the Cat Fanciers’ Association show at Madison Square Garden in New York on Oct. 10, 2007. (Don Emmert/AFP/Getty Images)

When U.S. prosecutors unsealed an indictment this week revealing that Air Force intelligence officer Monica Witt had defected to Iran and revealed top secret information, the news sent a shockwave through Washington. But Witt wasn’t the only person in prosecutors’ crosshairs: Also indicted were top Iranian hackers, charged with targeting U.S. intelligence officials for espionage.

The inclusion in the indictment of one notorious hacker, Behzad Mesri, provides a window into Iranian intelligence efforts and shows how a human intelligence operation to recruit a U.S. counterintelligence official informed an online espionage campaign. According to U.S. prosecutors, Mesri and three other Iranian hackers used intelligence provided by Witt to target U.S. intelligence officials for surveillance.

With all eyes focused on Witt after the Wednesday indictment was unsealed, Mesri’s involvement has been mostly overlooked. But for veteran observers of Iranian hacking activity, his name set off alarm bells.

In November 2017, Joon Kim, then-acting U.S. attorney for the Southern District of New York, delivered a melodramatic proclamation about a newly indicted Iranian hacker: “Winter has come for Behzad Mesri.” Mesri had allegedly broken into HBO’s computer systems, stealing unreleased episodes and scripts from the hit show Game of Thrones and demanding $6 million in exchange for not releasing the pilfered material. He remained free—and, apparently, a free agent.

Mesri is one of a number of Iranian hackers who maintain an ambiguous relationship with the country’s intelligence services. When he was indicted for breaking into HBO, U.S. prosecutors made no claim that he was operating on behalf of the government. Rather, he appeared to be freelancing in an ambitious attempt to cash in on his hacking skills.

That shadowy relationship between Iranian security services and the country’s hacking community provides groups such as the Islamic Revolutionary Guard Corps access to hackers and gives black hats lucrative sidelines.

“These guys are probably contractors—or not necessarily uniformed officers—who probably have other side projects going on,” said John Hultquist, the director of intelligence analysis at the cybersecurity firm FireEye. “It really makes it difficult to tell” what their relationship is with the government, he said.  

This week’s indictment sheds some additional light on Mesri and his co-conspirators’ work, alleging that they played a key role in converting intelligence from a key defector into a broader operation.

Indeed, Witt’s defection to Iran appears to have provided operatives there with intelligence to better target U.S. officials with fake Facebook profiles and enticing emails laced with malware that would record their keystrokes and spy on them. U.S. prosecutors allege that Witt provided Iran with “target packages” containing information about her former colleagues, potentially allowing Iranian hackers to spearphish with confidence.

Or not. At times, the hacking operation was fairly bumbling. In January 2015, Mesri and his colleagues created an online persona dubbed “Bella Wood” that they used in an attempt to put American spies under surveillance. In an email to a former colleague of Witt’s, a U.S. intelligence official stationed in Kabul, “Bella Wood” wrote that she would send “a file including my photos but u should deactivate your anti virus to open it”—a directive that would jolt any trained intelligence officer.  

Mesri has been a recurring figure in years of research about Iranian hacks—especially when it comes to a group researchers call “Charming Kitten.” Set up around 2014, shortly after Witt’s defection, Charming Kitten has targeted academics, journalists, and human rights activists studying Iran, according to a 2017 report from the Israeli cybersecurity firm ClearSky Cyber Security.

One operation attributed to Charming Kitten involved Iran-linked hackers posing as journalists to interact with senior U.S. officials on social media, with some success, according to a 2014 report from iSight Partners, a cybersecurity firm. ClearSky, in its 2017 report, concluded with medium certainty that Mesri and two others were linked to Charming Kitten and that they may even make up the core of the group.

Elias Groll was an assistant editor and staff writer at Foreign Policy from 2013-2019.
Twitter: @eliasgroll
