IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA Holding a Criminal Term Grand Jury Sworn in on July 9 2018 Case No 1 19-cr-43 UNITED STATES OF AMERICA Assigned To Chief Judge Beryl A Howell Date 02 08 2019 Description INDICTMENT B 18 U S C § 794 c Conspiracy to Deliver National Defense Information to Representatives of a Foreign Government Count One v MONICA ELFRIEDE WITT also known as Fatemah Zahra also known as ''Narges WITT MOJT ABA MASOUMPOUR BEHZAD MESRI 18 U S C § 794 a Delivering National Defense Information to Representatives of a Foreign Government Counts Two Three 18 U S C §§ 371 1030 Conspiracy to Commit Computer Intrusion Count Four 18 U S C § 1030 Computer Intrusion Counts Five Six HOSSEIN PARVAR and 18 U S C § 1028A Aggravated Identity Theft Count Seven MOHAMADPARYAR Defendants 18 U S C § 2 Aiding and Abetting I N D I C T ME N T The grand jury charges that GENERAL ALLEGATIONS L At all times relevant to this Indictment the Islamic Republic of Iran Iran was a hostile foreign power with which the United States had no formal diplomatic relations The U S Secretary of State had designated the Government of Iran a state sponsor of terrorism each year since 1984 based upon Iran's repeated and direct support for acts of international terrorism including acts targeting US and allied forces 2 On March 15 1995 the President issued Executive Order No 1295 finding that the actions and policies of the Government of Iran constitute an unusual and extraordinary threat to the national security foreign policy and economy of the United States and declaring a national emergency to deal with that threat Executive Order No 1295 as expanded and continued by Executive Orders Nos- 12959 and 13059 was in effect at all times relevant to this Indictment 3 On September 23 2001 the President issued Executive Order No 13224 nding that grave acts of terrorism and threats of terrorism committed by foreign terrorists constitute an unusual and extraordinary threat to the national security foreign policy and economy of the United States and declaring a national emergency to deal with that threat 4 On October 25 2007 the US Department of the Treasury Of ce of Foreign Assets Control OFAC designated the Islamic Revolutionary Guard Corps lRGC Qods Force under the Global Terrorism Sanctions Regulations GTS R The IRGC is a branch of Iran's armed forces founded after the 1979 Revolution in April 1979 by order of the Ayatollah thmeini 5 The IRGC-QF was responsible for among other things conducting unconventional warfare and intelligence activities outside Iran including assassinations and cyber-related attacks The was designated by OFAC because it had provided material support to the Taliban Lebanese Hizballah Hamas Palestinian Islamic Jihad and the Popular Front for the Liberation of Palestine General Command In its public designation OFAC speci cally found that the ERGO- QF was the iranian regime s primary instrument for providing lethal support to the Taliban and selecting Iraqi Shi'a militants to target and kill members of the US- military as well as innocent civilians in Iraq and Afghanistan 6 On October 13 2017 OFAC designated the IRGC for its activities in support of the The IRGC which is the parent organization of undertakes to assist in sponsor and provide nancial material and technological support for the The IRGC also provides support to a number of terrorist groUps including Hizballah and Hamas as well as the Taliban The US Air Force Of ce of Special Investigation AFOSI conducted counterintelligence investigations and operations both domestically and overseas in coordination with the larger U S intelligence community USIC AFOSI de ned counter-intelligence as information gathered and activities conducted to identify deceive exploit disrupt or protect against espionage other intelligence activities sabotage or assassinations conducted for or on behalf of foreign powers organizations or persons or their agents or international terrorist organizations or activities 8 Executive Order 13526 and its predecessor orders establish that information in any form that 1 is owned by produced by or for or under the control of the United States government and 2 falls within any of the categories set forth in the order to include-intelligence sources or methods eryptology military plans vulnerabilities or capabilities of systems installations projects or plans relating to the national security and foreign relations or foreign activities of the United States including confidential sources may be classi ed by an original classi cation authority whenever the unauthorized disclosure of the information could be expected to result in damage to the national security of the United States Where such damage would be serious the information may be classi ed as SECRET Where such damage would be exceptionally grave the information may be classi ed as TOP SECRET 9 Access to classi ed information at any level may be further restricted through compartmentation in SENSITIVE COMPARTMENTED INFORMATION SCI categories or through the implementation of a Special Access Program SAP De nitions 10 A defector is a person who has abandoned his or her country or cause in favor of an opposing one 1 l A spotter and assessor works on behalf of a country s intelligence service identifying persons who may have access to the intelligence and counterintelligence services of an opposing country and determining the potential value of such persons as sources- 12 Bone des as used in the context of intelligence activity are evidence of a potential spy s good faith or genuineness The term may also refer to that individual s quali cations or achievements 13 As de ned by AFOSI the term target package is a document or set of documents assembled to enable an intelligence or military unit to find fix track and neutralize a threat A human target package includes information collected about an individual such as the of cial position of the individual an analysis of personal vulnerabilities or other opportunities to exploit the individual and con rmation of the identity and location of the individual Finally a target package recommends a neutralization plan which may include apprehension recruitment cyber exploitation or capture kill operations 14 Human intelligence HUMINT is de ned as intelligence information gathered from human sources Intelligence assets and of cers have lost their lives collecting HUMINT 15 Malware is malicious computer software intended to cause the victim computer to behave in a manner inconsistent with the intention of the owner or user of the victim computer usually unbelcnownst to that person including capturing a target s keystrokes accessing a computer s web camera and monitoring other computer activity 16 Spearphishing messages are typically designed to resemble emails from trustworthy senders and to encourage the recipient to open attached les or click on hyperlinks in the messages Some speaiphishing emails attach or link to files that once opened or downloaded install malware malicious code or programs that provide unauthorized access to the recipient s computer Other spearphishing emails lure the recipient into providing valid login credentials to his or her account s thereby allowing the senders to bypass normal authentication procedures The Defendants and Other-Kev Individuals Monica Witt 1 7 At all times relevant to this Indictment Defendant MONICA ELFRIEDE WITT also known as Fatemah Zahra also known as Narges Witt hereinafter referred to as WITT a United States citizen was a former active duty US Air Force Intelligence Specialist and Special Agent of the AFOSI who entered on duty in or around August 1997 and served continuously until in or around March 2008 18 On entering active duty and again upon assuming the role of Special Agent WITT swore the following oath will support and defend the constitution of the United States against all enemies foreign and domestic that I will hear true faith and allegiance to the same that take this oath freely without any mental reservation or purpose of evasion and that 1 will well and faithfully discharge the duties of the of ce on which I am about to enter So help me God 19 WTT was granted access to SECRET and TOP SECRET national defense information relating to the foreign intelligence and counterintelligence of the United States including HUMINT containing the true names of intelligence sources and clandestine agents of the USIC 20 From in or around February 1998 to in or around April 1999 WITT was assigned to the US Defense Language Institute in Monterey California where she undertook training in Persian Farsi 21 From in or around May 1999 to in or around November 2003 WITT deployed to several overseas locations in order to conduct classi ed missions collecting signals intelligence or SIGIN T involving adversaries of the United States 22 From in or around November 2003 to in or around March 2008 WITT was assigned as an AFOSI Special Agent criminal investigator and counterintelligence of cer 23 As an AFOSI ceunterintelligence of cer WITT was deployed to locations in the Middle East to conduct classi ed operations 24 As an AFOSI Special Agent WITT was granted access to a SAP that housed classi ed information including details of ongoing counterintelligence operations true names of sources and the identities of U S agents involved in the recruitment of those sources 25 This SAP was known within the USIC by a code name The code name allowed agents to communicate in the open without disclosing the true nature of their operations At all times relevant to this Indictment the SAP was known by two successive code names which are referred to in this Indictment as and 26 From in or around March 2008 until in or around August 2010 was employed as a US government contractor during which she acted as the AFOSI Desk Officer for PROJECT NPROJECT B WITT held a TOP 31 security clearance continuously from the time she joined the U S Air Force in 1997 until she terminated her employment as a contractor with the USIC in or around August 2010 WITT passed all appropriate security evaluations including background investigations at regular intervals and other protocols designed to detect whether she posed a risk to the national security As a result WITT was gained access to a variety of programs classi ed at the SECRET and TOP SECRET levels Specifically a On or about November 29 1999 WITT signed a Classified Information Nondisclosure Agreement in which she aeloiowledged that intending to be legally bound I hereby accept the obligations contained in this Agreement in consideration of my being granted access to classi ed information I understand and accept that by being granted access to classi ed information special con dence and trust shall be placed in me by the United States Government I have been advised that the unauthorized disclosure unauthorized retention or negligent handling of classi ed information by me could cause damage or irreparable injury to the United States or could be used to advantage by a foreign nation I have been advised than any unauthorized disclosure of classi ed information by me may constitute a violation or violations of United States criminal laws including the provisions of Section 794 Title 18 United States Code and provisions of the Intelligence Identities Protection Act of 1982 b On at least twelve other occasions during her work on behalf of the United States WITT signed various iterations of classified information nondisclosure agreements In these agreements she acknowledged that she had received security briefings and understood that disclosure of the classi ed information she acquired could place human life in jeopardy She also pledged that she would never divulge such information in any form or any manner to anyone who is not authorized to receive it without prior written authorization from an appropriate official of the United States Government c In or around October 2004 WITT signed and attested to a Sensitive Compartmented Information Nondisclosure Agreement for a compartment designated HCS stands for control system and denotes among other things classi ed information that included the identities and locations of human beings who are clandestinely assisting the United States and its allies against a hostile foreign threat d In or around November 2008 WITT again pledged secrecy to the United States by signing a Special Access Program Indoctrination Agreement which allowed WITT to be granted access to the TOP SECRET or highest level of the PROJECT SAP Information protected under the SAP may be classi ed at the SECRET or TOP SECRET level depending on the severity of damage to the United States that could be expected to accrue if the information is divulged Individual A 28 At all times relevant to this Indictment Individual A a dual United States-Iranian citizen whose identity is known to the grand jury resided primarily in Iran As described below Individual A engaged in acts consistent with serving as a spotter and assessor on behalf of the Iranian intelligence services Iranian Cyber Conspiramrs 29 At all times relevant to this Indictment Defendants MOJTABA MASOWPOUR BEHZAD MESRI HOSSEIN PARVAR and MOHAMAD PARYAR and other individuals whose identities are known and unknown to the grand jury hereinafter referred to collectively as the Cyber Conspirators were nationals of Iran lived and worked in Iran and were leaders employees and contactors of or otherwise associated with a corporate entity in Tehran Iran hereinafter referred to as the Iranian entity the identitv of which is known to the United States and which conducted malicious computer intrusions on behalf of the IRGC US Government Agent's I through 8 30 U S government employees hereinafter referred to as Agents 1 through 8 are current or former Special Agents counterintelligence and other USIC employees who were rec-workers or colleagues of WITT as described herein 31 USG Agents 1 and 2 worked with WITT in WITT's position relating to PROJECT NPROJECT B 32 USS Agents 3 and 5 worked with WITT during tenure with the U S government in the United States 33 USG Agents 4 and 6 worked with WITT during deployment in the Middle East 34 USG Agent 7 served in a leadership role during tenure with the US government 35 USS Agent 8 attended training with WITT and interacted with WITT Jurisdiction and Venue 36 Acts referred to in each count of the Indictment were begun and committed in Iran and elsewhere outside the jurisdiction of any particular State or district but within the extraterritorial jurisdiction of the United States Pursuant to Title 18 United States Code Section 3239 Counts One throagh Three are within the venue of the United States District Court for the District of Columbia and pursuant to Title 18 United States Code Section 3238 Counts Four through Seven are within the venue of the United States District Court for the District of Columbia 10 cinemas Conspiracy to Deliver National Defense Information to Representatives of a Foreign Government 37 The grand jury realleges and incorporates by reference the General Allegations set forth in this Indictment 38 From in or around January 2012 to in or around May 2015 in iran and elsewhere outside the jurisdiction of any particular State or district defendant MONICA ELFRIEDE WITT did knowingly and unlawfully combine confederate and agree with other persons both known and unknown to the grand jury including of cers of the IRGC to knowingly and unlawfully communicate deliver and transmit to a foreign government speci cally Iran and to that foreign government s representatives of cers and agents directly and indirectly documents and information relating to the national defense of the United States with the intent and reason to believe that the same would be used to the injury of the United States and to the advantage of Iran in violation of Title 18 United States Code Section 794 a Ways Manner and Means of the Espionage Conspiracy 39 It was a part of the conspiracy that WITT did through her position as a Special Agent with the AFOSI gain access to classi ed information relating to the national defense 40 It was further part of the conspiracy that WITT did travel to lran where she publicly identi ed herself as a U-S military veteran 41 It was irther part of the conspiracy that WITT did travel to Iran where she met with representatives of the IRGC and identi ed herself as a veteran of the US military who desired to defect to Iran 11 42 It was further part of the conspiracy that MTT did make efforts to provide her bona fides to representatives of the IRGC in order to establish her ability and willingness to disclose U S national defense information to the Government of Iran 43 lt was further part of the conspiracy that WITT did conduct research for the purpose of creating target packages against U S comiterintelligence agents and did create such packages in order to enable the Government of Iran to target U S counterintelligence a gents 44 It was further part of the conspiracy that WITT did disclose information relating to the national defense of the United States to Iranian government of cials 45 In furtherance of the conspiracy and to effect the object thereof WITT and other unindicted co-conspirators whose identities are known and unknown to the grand jury did commit the following overt acts a In or around February 2012 WITT traveled to Iran for the purpose of attending the New Horizon Organization s Hollywoodism conference an Sponsored event aimed at condemning American moral standards and promoting anti-U S propaganda b In or around February 2012 WITT appeared in one or more videos in which she Was identi ed as a U S veteran and made statements that were critical of the U S government lmowing these videos would be broadcast by Iranian media outlets c In or around February 2012 co-conspirators did cause to be broadcast on Iranian television a ceremony during which WITT converted to Islam 1 On or about May 25 2012 WITT was warned by Federal Bureau of Investigation FBI Special Agents that she was a target for recruitment by Iranian 12 intelligence services In response WITT stated that if she ever returned to Iran she would refuse to provide any information pertaining to her work with AFOSI e In or around June 2012 Individual A traveled to the United States and hired WITT to work as her assistant in connection with the lming of an anti American propaganda lm that was later aired in Iran f In or around February 2013 WITT again traveled to Iran to attend another Hollywoodism conference g In or around February 2013 WITT met with members of the IRGC and identi ed herself as a U S veteran who was critical of the US- military and who desired to emigrate to Iran h In or around February 2013 while in Iran WITT appeared in one or more videos in which she was identi ed as a US veteran and made statements that were critical of the U S government knowing these videos would be broadcast by Iranian media outlets i Between in or around July 2012 and in or around August 2013 WITT communicated regularly with Individual A j 011 or about October 17 2012 Individual A wrote to WITT shouldi thank the sec of defense were well trained In response WITT wrote thank the sec of defense For me Well I loved the work and I am endeavoring to put the training I received to good use instead of evil Thanks for giving me the opportunity it On or about June 23 2013 WITT wrote to Individual A stating If all else fails I just may go public with a program and do like Snowden 1 On or about June 30 2013 WITT wrote to Individual A that she had gone to the Iranian embassy in Kabul Afghanistan and told all WITT continued They are 13 going to get back to me on if they can help me very soon before i leave I told them I am down to little choices and will be traveling to other areas to request assistance n1 On or about July 1 2013 Individual A wrote to WITT was talking to people until about 2 in the morning about your case I have several different channels working on it but to be honest wiLh one of them he said they got suspicious that on one hand you said had no money and on the other hand 11 going from country to country That same day WITT replied No matter what they are just going to be suspicious right I just hope I have better luck with Russia at this point are starting to get frustrated at the level of Iranian suspicion n On or about July 3 2013 WITT wrote Individual A think lean slip into Russia quietly if they help me and then I can contact wiltileaks from there without disclosing my location o On or about July 30 2013 Individual A wrote ARE YOU The name of the Iranian ambassador is Mr Shehr Doost His mobile is 009929 Right now he is not in Dushanbe but you are to call him at 7pm and then go and see him When you call him on the phone just say that you are the one who is suppose sic to see him today for a visa and that s it In response on or about July 31 2013 WITT wrote to Individual A Okay Quick update They are giving me money to head to Dubai I will wait to get the approval there and get it from the embassy in Dubai They are so kind even taking me to the airport p On or about August 12 2013 Individual A wrote to WTT Well I am looking into the Turkey situation This has been a dif cult situation one because of the timing a change in governments here and two because of your personal situation 14 history WITT responded am a little nervous though when it comes to Turkey as it is an extradition country If it weren't for my history I suppose I wouldn t require q 011 or about August 25 2013 WITT sent an email to Individual A containing bona des entitled My Bio and Job History Attached to the email was a typewritten narrative of bona tides and conversion narrative as well as a chronological listing of her work history and a copy of her Certi cate of Release or Discharge From Active Duty Form DD 214 Approximately nine minutes later on August 25 2013 Individual A forwarded the above described email and its attachments without comment to an email address associated with Iran r Between in or around July 2013 and on or about August 28 2013 WITT conducted multiple searches on Faeebook for the names of her forrner fellow counterintelligenee agents including USG Agent 1 and the spouse of USG Agent 3 s On or about August 28 2013 wrote to mdividual A that she was about to board her ight from Dubai to Tehran stating I m signing off and heading out Coming home t On or about August 28 2013 defected to Iran 11 Beginning on or about August 28 2013 Iranian government officials provided WITT with goods and services including housing and computer equipment in order to facilitate her work on behalf of the Government of Iran v Beginning on or about August 28 2013 WITT disclosed to Iranian government of cials the code name and mission'of a US Department of Defense SAP to 15 wit the fact that PROJECT AIPROJECT involved U S intelligence operations against a speci c target which information was classi ed SECRET w Between in or around January 2014 and in or around May 2015 WITT conducted multiple Facebook searches for USG Agents using Faceboolc accounts registered to various ctitious individuals Between in or around January 2014 and in or around May 2015 WITT created target packages for use by Iran against USG Agents including USIC counterintelligence of cers y Between in or around January 2014 and in or around May 2015 WITT disclosed the true name of USG Agent 1 and the fact that USG Agent I conducted counterintelligence activities against a speci c target which information was classi ed SECRET Conspiracy to Transmit National Defense Information to a Representative of a Foreign Government in violation of Title 18 United States Code Section 794 c 16 COUNT TWO Delivering National Defense Information to Representatives of a Foreign Government 46 The grand jury reallcges and incorporates by reference the General Allegations set forth in this Indictment and paragraphs 38 45 of Count One 47 Between in or around August 2013 and in or around December 2013 in Iran and elsewhere out of the jurisdiction of any particular State or district defendant MONICA ELFRIEDE with the intent and reason to believe that it was to be used to the injury of the United States and to the advantage of a foreign government speci cally Iran did knowingly and unlaw dly communicate deliver and transmit and attempt to communicate deliver and transmit to a foreign government speci cally Iran and to representatives of cers agents and employees thereof directly and indirectly information relating to the national defense of the United States speci cally the codename and mission of a US Department of Defense SAP to wit the fact that PROJECT NPROJECT involved US intelligence operations against a specific target which information was classi ed SECRET Communication or Transmission to Representatives Of cers and Employees of a Foreign Government With Intent That it Be Used to the Injury of the United States or to the Advantage of a Foreign Nation Information Relating to the National Defense in violation of Title 18 United States Code Section 794 a COUNT THREE Delivering National Defense Information to Representatives of a Foreign Government 48 The grand jury roalleges and incorporates by reference the General Allegations set forth in this Indictment and paragraphs 38 45 of Count One 49 Between in or around August 2013 and in or around May 2015 in Iran and elsewhere out of the jurisdiction of any State or district defendant MONICA ELFRIEDE WITT with the intent and reason to believe that it was to be used to the injury of the United States and to the advantage of a foreign government speci cally lran did lmowingly and unlawfully communicate deliver and transmit and attempt to communicate deliver and transmit to a foreign government speci cally Iran and to representatives of cers agents and employees thereof directly and indirectly information relating to the national defense of the United States speci cally the true name of USG Agent 1 and the fact that USG Agent I conducted counterintelligenee activities against a speci c target which information was classi ed SECRET Communication or Transmission to Representatives Of cers and Employees of a Foreign ISovernmentJ With Intent That it Be Used to the Injury of the United States or to the Advantage of a Foreign Nation Information Relating to the National Defense in violation of Title 13 United States Code Section 794 a 18 COUNT FOUR Conspiracy to Commit Computer Intrusions SD The grand jury realleges and incorporates by reference the General Allegations set forth in this indictment 51 Beginning in or around December 2014 and continuing until at least in or around May 2015 the Cyber Conspirators that is MOJTABA MASOUMPOUR BEHZAD MESRI HOSSEIN PARVAR and MOHAMAD PARYAR and other individuals whose identities are known and unknown to the grand ury knowingly and intentionally conspired to commit computer intrusions targeting current and former USG Agents Wavs Manner and Means of the vaer Conspiracy 52 It was a part of the conSpiracy that the Cyber Conspiratcrs did obtain computer and online infrastructure including virtual private servers email accounts and social media accounts and used this infrastructure to communicate with each other to contact targets and to transmit spearphishing emails and malware 53 It was further part of the conspiracy that the Cyber Conspirators did develop and obtain malware designed to capture a target s keystrokes access a computer s web camera and monitor other computer activity 54 It was further part of the conspiracy that the Cyber Conspirators did use ctitious and imposter personas to deceive their targets in their communications and the Cyber Conspirators did knowingly use without law il authority the names of other true persons including USG Agents and persons af liated with them to entice targets to engage with the Cyber Conspiratcrs online 55 It was further part of the conspiracy that after engaging online with a target the Cyber Conspirators would and did send links and attachments that when accessed by current and 19 former US counterintelligence agents were designed to deploy malware and establish covert persistent access to the recipient s computer and associated network Overt Acts 56 In lrtherance of the conspiracy and to effect the object thereof the Cyber Conspirators did commit the following overt acts - a On or about December 2 3 2014 registered an Iranian entity the identity of which is known to the United States and which on behalf of the IRGC conducted computer intrusions against targets inside and outside of the United States MESRI was the chief executive of cer of the Iranian entity which operated in many ways like a typical business or organization in that it disbursed regular salaries established work hours issued assignments and employed supervisors and managers whose identities are known to the United States b Beginning in or around December 2014 MESRI obtained computer infrastructure including virtual private servers for use in the eonSpiracy MESRI obtained the infrastructure from an Iranian individual whose identity is known to the United States and who had previously provided computer infrastructure to the IRGC The Cyber ConSpirators used the infrastructure to test the conspiracy s malware and gather information from target computers or networks c In or around December 2014 PARYAR entered into a contract with PARVAR and for PARYAR to procure and provide technical support for malware used in the conspiracy 20 The Bella Wood Persona d On or about January 5 2015 the Cyber Conspirators created an email account bella wood87@yahoo com and an associated Facebook account in the name of Bella Wood e On or about January 5 2015 the Cyber Conspirators using the Bella Wood Facebook account sent a Facebook friend request to USG Agent 2 who accepted the request At the time USG Agent 2 was deployed to Kabul Afghanistan as part of a US Central Command CENTCOM Joint Intelligence Unit While in Afghanistan USG Agent 2 accessed acebook through a U S Department of Defense server while using a U S governmant computer issued by CENTCOM- USG Agent 2 also accessed Faceboolc using personal devices that connected to the Internet via wireless networks controlled and hosted by the US Department of Defense f On or 'about January 9 2015 the Cyber Conspirators using the account sent an email to USG Agent 2 that stated Hello my dear invitation card sent to you by email I got this pretty card accept me as a kind friend This email contained a spoofed link that on its face purported to take a recipient to a pretty car Had USG Agent 2 clicked the pretty card link USG Agent 2 s computer would have been directed not to a greeting card but to a server controlled by the Cyber Conspirators The Cyber Conspirators sent the pretty ear email to USG Agent 2 utilizing covert tracking software so that when USG Agent 2 opened the email the tracking software allowed the Cyber Conspirators to confirm that USG Agent 2 had opened the email via a US Department of Defense computer network located in Kabul Afghanistan 21 g On or about January 9 2015 the Cyber Conspirators using the account sent another email to USG Agent 2 intended to induce USG Agent 2 to click on certain links The body of the email stated I ll send you a le including my photos but should deactivate your anti virus to open it because i designed my photos with a photo album so ware I hope you enjoy the photos i designed for the new year they should be opened in your computer honey Although not apparent to the recipient clicking one of the links in this email would cause the recipient s computer to connect to a server controlled by the Cyber Conspirators The USG Agent 3 Imposter Account h 011 or about March 8 2015 the Cyber ConsPirators created an imposter Facebook account under the true name of USG Agent 3 hereinafter referred to as the Imposter Account The Cyber Conspirators designed the hnposter Account using information and photos taken from a legitimate Facebook account maintained by USG Agent 3 1 On or about March 15 2015 the Cyber Conspirators using the repeater Account sent a Facebook friend request to USG Agent 1 who accepted the request 011 or about the same day the hnposter Account sent USG Agent 1 a message with an attachment that appeared by its name to be a jpg image le The attachment was in fact a zip le containing malware Had USG Agent 1 opened that le it would have launched malware that would have provided the Cyber Conspirators with covert persistent access on USG Agent l s computer and any associated network j 011 or about March 8 2015 the Cyber Con3pirators using the Imposter Account sent a friend request to USG Agent 4 who believing the Imposter Account to be legitimate accepted the request it On or about March 12 2015 the Cyber Conspirators using the Imposter Account sent a message to USG Agent 4 asking for help opening a photo album that the Imposter Account claimed would not run on her laptop USG Agent 4 having learned that the Imposter Account was not legitimate defriended the account 1 On or about March 10 2015 the Cyber Conspirators having designed the lmposter Account to appear legitimate caused USG Agent 5 to friend the Imposter Account and thereafter to vouch for the lmposter Account by adding it to a private Faceboolc group composed primarily of USG Agents By joining the group the Cyber Conspirators obtained greater access to information regarding USG Agents n1 On or about May it 2015 the Cyber Conspirators using the Imposter Account sent separate messages to USG Agents 2 6 7 and 8 Each of the messages contained a link that appeared to be associated with an international news outlet and in sending the link the Cyber Conspirators asked if the article was about the recipient If clicked the link would have directed the recipients to a page controlled by the Cyber Conspirators Messages 11 On or about May 17 2015 the Cyber ConSpirators designed a fake email message that on its face appeared to come from USG Agent 7 with an email address that contained the true name of Agent 7 followed by which is a USG domain name The Cyber Conspirators purpose in designing this type of fake email was to deceive recipients into believing that they had received an email from USG Agent 7 when in fact the message had been sent by the Cyber Conspirators 23 o On or about May 22 2015 the Cyber Conspirators designed another fake email that on its face appeared to originate from with the subject Reset Password and a message that was designed to trick the recipient into unwittingly providing his or her true Facebook account credentials to the Cyber Conspirators Conspiracy to Commit Computer Intrusions in violation of Title 18 United States Code Sections 371 and 1030 24 COUNT FIVE Attempt to Commit a Computer Intrusion Causing Damage The grand jury realleges and incorporates by reference the General Allegations set forth in this Indictment and paragraphs 51 56 of Count Four 58 From in or around December 2014 to at least in or around May 2015 MESRI PARVAR and PARYAR and other individuals whose identities are known and unknown to the grand jury aiding and abetting each other and others without authorization knowingly attempted to cause the transmission of pro grams information codes and commands to wit an attachment that was designed to connect to a server and install malware capable of establishing covert persistent access by MASOUMPOUR PARVAR and PARYAR on the computer and associated network of the intended recipients who were USG Agents and as a result of such conduct intentionally attempted to cause damage without authorization to protected computers and where the offense did cause and would if completed have caused loss aggregating at least $5 000 in value to at least one person during a one-year period from a related course of conduct affecting a protected computer damage affecting a computer used by or for an entity of the United States government in furtherance of the administration of justice national defense or national security and damage affecting at least 10 protected computers during a one-year period Attempt to Commit a Computer Intrusion Causing Damage to a Protected Computer in violation of Title 18 United States Code Sections 1030 a 5 A 8 ii and 2 COUNT SIX Attempt to Commit a Computer Intrusion Obtaining Information 59 The grand jury realleges and incorporates by reference the General Allegations set forth in this Indictment and paragraphs 5 l-56 of Count Four 60 From in or around December 2014 to at least in or around May 2015 MASOUMPOUR NIESRI PARVAR and PARYAR and other individuals whose identities are known and unknown to the grand jury aiding and abetting each other and others without authorization intentionally attempted to access a computer without authorization in order to obtain information from a protected computer and from a department and agency of the United States the value of which information exceeded $5 000 Attempt to Commit a Computer Intrusion Obtaining Information From a Protected Computer in violation of Title 18 Unites States Code Sections 1030 a 2 B C and 2 26 SEVEN Aggravated Identity Theft 6 The grandjury realleges and incorporates by reference the General Allegations set forth in this Indictment and paragraphs 51-56 of Count Four 62 From in or around December 2014 to at least in or around May 2015 MASOUMPOUR MESRJ PARVAR and PARYAR and other individuals whose identities are known and unknown to the grand jury aiding and abetting each other and others did knowingly transfer possess and use without lawful authority a means of identi cation of another person during and in relation to a felony violation enumerated under Title 18 United States Code Section 1028 c namely attempt to commit computer intrusion in violation of Title 18 United States Code Section 1030 knowing that the means ot'identi cation belonged to another real person Aggravated Identity Theft in Violation of Title 18 United States Code Sections 1028A a l 1028A b and 2 FOREPERSON 3Q Kilian rney of the United States in and for the District of Columbia