Meet ‘Charming Kitten,’ the Iranian Hackers Linked to Air Force Defector

When U.S. prosecutors unsealed an indictment this week revealing that Air Force intelligence officer Monica Witt had defected to Iran and revealed top secret information, the news sent a shockwave through Washington. But Witt wasn’t the only person in prosecutors’ crosshairs: Also indicted were top Iranian hackers, charged with targeting U.S. intelligence officials for espionage.

The inclusion in the indictment of one notorious hacker, Behzad Mesri, provides a window into Iranian intelligence efforts and shows how a human intelligence operation to recruit a U.S. counterintelligence official informed an online espionage campaign. According to U.S. prosecutors, Mesri and three other Iranian hackers used intelligence provided by Witt to target U.S. intelligence officials for surveillance.

With all eyes focused on Witt after the Wednesday indictment was unsealed, Mesri’s involvement has been mostly overlooked. But for veteran observers of Iranian hacking activity, his name set off alarm bells.

In November 2017, Joon Kim, then-acting U.S. attorney for the Southern District of New York, delivered a melodramatic proclamation about a newly indicted Iranian hacker: “Winter has come for Behzad Mesri.” Mesri had allegedly broken into HBO’s computer systems, stealing unreleased episodes and scripts from the hit show Game of Thrones and demanding $6 million in exchange for not releasing the pilfered material. He remained free—and, apparently, a free agent.

Mesri is one of a number of Iranian hackers who maintain an ambiguous relationship with the country’s intelligence services. When he was indicted for breaking into HBO, U.S. prosecutors made no claim that he was operating on behalf of the government. Rather, he appeared to be freelancing in an ambitious attempt to cash in on his hacking skills.

That shadowy relationship between Iranian security services and the country’s hacking community provides groups such as the Islamic Revolutionary Guard Corps access to hackers and gives black hats lucrative sidelines.

“These guys are probably contractors—or not necessarily uniformed officers—who probably have other side projects going on,” said John Hultquist, the director of intelligence analysis at the cybersecurity firm FireEye. “It really makes it difficult to tell” what their relationship is with the government, he said.

This week’s indictment sheds some additional light on Mesri and his co-conspirators’ work, alleging that they played a central role in converting intelligence from a key defector into a broader operation.

Indeed, Witt’s defection to Iran appears to have provided operatives there with intelligence to better target U.S. officials with fake Facebook profiles and enticing emails laced with malware that would record their keystrokes and spy on them. U.S. prosecutors allege that Witt provided Iran with “target packages” containing information about her former colleagues, potentially allowing Iranian hackers to spearphish with confidence.

Or not. At times, the hacking operation was fairly bumbling. In January 2015, Mesri and his colleagues created an online persona dubbed “Bella Wood” that they used in an attempt to put American spies under surveillance. In an email to a former colleague of Witt’s, a U.S. intelligence official stationed in Kabul, “Bella Wood” wrote that she would send “a file including my photos but u should deactivate your anti virus to open it”—a directive that would jolt any trained intelligence officer.

Mesri has been a recurring figure in years of research about Iranian hacks—especially when it comes to a group researchers call “Charming Kitten.” Set up around 2014, shortly after Witt’s defection, Charming Kitten has targeted academics, journalists, and human rights activists studying Iran, according to a 2017 report from the Israeli cybersecurity firm ClearSky Cyber Security.

One operation attributed to Charming Kitten involved Iran-linked hackers posing as journalists to interact with senior U.S. officials on social media, with some success, according to a 2014 report from iSight Partners, a cybersecurity firm. ClearSky, in its 2017 report, concluded with medium certainty that Mesri and two others were linked to Charming Kitten and that they may even make up the core of the group.