Meet ‘Charming Kitten,’ the Iranian Hackers Linked to Air Force Defector

Monica Witt fled to Iran and was indicted for espionage—alongside an Iranian hacking luminary.

Maverick, an American shorthair, keeps his claw on the mouse as he uses a computer at a press preview for the Cat Fanciers’ Association show at Madison Square Garden in New York on Oct. 10, 2007. (Don Emmert/AFP/Getty Images)

When U.S. prosecutors unsealed an indictment this week revealing that Air Force intelligence officer Monica Witt had defected to Iran and revealed top secret information, the news sent a shockwave through Washington. But Witt wasn’t the only person in prosecutors’ crosshairs: Also indicted were top Iranian hackers, charged with targeting U.S. intelligence officials for espionage.

The inclusion in the indictment of one notorious hacker, Behzad Mesri, provides a window into Iranian intelligence efforts and shows how a human intelligence operation to recruit a U.S. counterintelligence official informed an online espionage campaign. According to U.S. prosecutors, Mesri and three other Iranian hackers used intelligence provided by Witt to target U.S. intelligence officials for surveillance.

With all eyes focused on Witt after the Wednesday indictment was unsealed, Mesri’s involvement has been mostly overlooked. But for veteran observers of Iranian hacking activity, his name set off alarm bells.

In November 2017, Joon Kim, then-acting U.S. attorney for the Southern District of New York, delivered a melodramatic proclamation about a newly indicted Iranian hacker: “Winter has come for Behzad Mesri.” Mesri had allegedly broken into HBO’s computer systems, stealing unreleased episodes and scripts from the hit show Game of Thrones and demanding $6 million in exchange for not releasing the pilfered material. He remained free—and, apparently, a free agent.

Mesri is one of a number of Iranian hackers who maintain an ambiguous relationship with the country’s intelligence services. When he was indicted for breaking into HBO, U.S. prosecutors made no claim that he was operating on behalf of the government. Rather, he appeared to be freelancing in an ambitious attempt to cash in on his hacking skills.

That shadowy relationship between Iranian security services and the country’s hacking community provides groups such as the Islamic Revolutionary Guard Corps access to hackers and gives black hats lucrative sidelines.

“These guys are probably contractors—or not necessarily uniformed officers—who probably have other side projects going on,” said John Hultquist, the director of intelligence analysis at the cybersecurity firm FireEye. “It really makes it difficult to tell” what their relationship is with the government, he said.

This week’s indictment sheds some additional light on the work of Mesri and his co-conspirators, alleging that they played a central role in converting intelligence from a key defector into a broader operation.

Indeed, Witt’s defection to Iran appears to have provided operatives there with intelligence to better target U.S. officials with fake Facebook profiles and enticing emails laced with malware that would record their keystrokes and spy on them. U.S. prosecutors allege that Witt provided Iran with “target packages” containing information about her former colleagues, potentially allowing Iranian hackers to spearphish with confidence.

Or not. At times, the hacking operation was fairly bumbling. In January 2015, Mesri and his colleagues created an online persona dubbed “Bella Wood” that they used in an attempt to put American spies under surveillance. In an email to a former colleague of Witt’s, a U.S. intelligence official stationed in Kabul, “Bella Wood” wrote that she would send “a file including my photos but u should deactivate your anti virus to open it”—a directive that would jolt any trained intelligence officer.

Mesri has been a recurring figure in years of research about Iranian hacks—especially when it comes to a group researchers call “Charming Kitten.” Set up around 2014, shortly after Witt’s defection, Charming Kitten has targeted academics, journalists, and human rights activists studying Iran, according to a 2017 report from the Israeli cybersecurity firm ClearSky Cyber Security.

One operation attributed to Charming Kitten involved Iran-linked hackers posing as journalists to interact with senior U.S. officials on social media, with some success, according to a 2014 report from iSight Partners, a cybersecurity firm. ClearSky, in its 2017 report, concluded with medium certainty that Mesri and two others were linked to Charming Kitten and that they may even make up the core of the group.

Twitter: @EliasGroll