Full Report
Today’s reminder of the insider threat, from the U.S. Attorney’s Office for the Eastern District of Virginia: ALEXANDRIA, Va. – A U.S. Department of State (DOS) employee was sentenced today to four years in prison for conspiring to collect and transmit national defense information to individuals he knew to be working for the government of...
Analysis Summary
# Incident Report: Insider Theft of National Defense Information at the Department of State
## Executive Summary
A U.S. Department of State (DOS) employee, Michael Charles Schena, was sentenced to four years in prison for conspiring to transmit national defense information (NDI) classified up to the SECRET level to individuals he believed were working for the government of the People’s Republic of China (PRC). Over several months he photographed classified documents with a cellphone supplied by his handlers and transmitted at least four of them; FBI surveillance captured a second batch being photographed, and agents seized the device before it could be sent. Schena was arrested and subsequently sentenced.
## Incident Details
- **Discovery Date:** February 2025 (FBI surveillance captured the photography of classified documents and agents seized the device before transmission)
- **Incident Date:** Contact with the handlers began in April 2022; classified documents were transmitted in October 2024, and a further transmission was attempted in February 2025.
- **Affected Organization:** U.S. Department of State (DOS)
- **Sector:** Government/Federal/Intelligence
- **Geography:** Alexandria, Virginia (employee location); Peru (meeting location)
## Timeline of Events
### Initial Access
- **Date/Time:** Beginning in April 2022
- **Vector:** Online communication/Social Engineering leading to a relationship with foreign agents.
- **Details:** Michael Schena began communicating online with individuals who presented themselves as employees of international consulting firms but whom Schena believed to be working for the PRC.
### Lateral Movement
- **N/A:** This was an insider data exfiltration event, not traditional network lateral movement. Access was based on established employment privileges.
### Data Exfiltration/Impact
- **October 2024:** Schena photographed and transmitted at least four classified documents containing NDI at the SECRET level.
- **February 2025:** FBI surveillance captured Schena photographing seven additional SECRET documents with the handler-provided cellphone; agents seized the device before the transmission was completed.
### Detection & Response
- **Detection:** FBI surveillance captured Schena photographing classified documents with a cellphone his handlers had provided during a meeting in Peru.
- **Response Actions:** FBI agents seized the cellphone in February 2025 before the planned transmission could occur. Schena was later arrested, prosecuted, and sentenced in federal court to four years in prison.
## Attack Methodology
- **Initial Access:** Legitimate access through authorized employment at the Department of State with a Top Secret security clearance; no technical intrusion was required.
- **Persistence:** Maintained relationship with foreign handlers over an extended period (April 2022 until arrest).
- **Privilege Escalation:** N/A (Insider threat leveraging existing clearance).
- **Defense Evasion:** Captured documents by photographing them with a communication device explicitly provided by the handlers, so the data never crossed a monitored government network and no network-based data loss controls applied.
- **Credential Access:** N/A (Access was authorized via employment).
- **Discovery:** N/A (Insider utilized authorized access to discover/access NDI).
- **Lateral Movement:** N/A (No observed network movement).
- **Collection:** Photography of classified documents (at least 11 SECRET NDI documents documented).
- **Exfiltration:** Transmission of photographs in October 2024, and an attempted transmission in February 2025, using a cellphone provided by the handlers in August 2024.
- **Impact:** Transmission of National Defense Information (NDI) to suspected agents of a foreign adversary (PRC).
## Impact Assessment
- **Financial:** Not specified in the source; the U.S. government incurred investigation and prosecution costs, and Schena accepted a $10,000 cash payment from his handlers.
- **Data Breach:** Classified National Defense Information (NDI) at the SECRET level. The specific content is not detailed beyond the count: at least four documents transmitted in October 2024 and seven more photographed in February 2025, eleven in total.
- **Operational:** Compromise of the integrity and security protocols surrounding classified information within the DOS.
- **Reputational:** Damage to the integrity of DOS personnel, highlighted publicly by the Department of Justice and FBI statements.
## Indicators of Compromise
- **Network Indicators:** None given in the source. The exfiltration channel was a non-government-issued cellphone supplied by the handlers at the meeting in Peru, not a government network.
- **File Indicators:** Photographs of classified documents marked SECRET NDI.
- **Behavioral Indicators:** Communication with individuals believed to be agents of the PRC; accepting cash payment ($10,000 in Peru); accepting communication hardware from handlers.
## Response Actions
- **Containment Measures:** Seizure of the dedicated communication device (cellphone) in February 2025 before the planned transmission could occur.
- **Eradication Steps:** Arrest and successful prosecution of the employee, Michael Schena.
- **Recovery Actions:** Not detailed in the source; a review of the employee's access privileges and a damage assessment of the transmitted documents would be expected.
## Lessons Learned
- The threat of insider compromise, even from trusted personnel with high-level clearances (Top Secret), remains a significant security risk.
- Close monitoring of financial conduct and unusual relationships in personnel entrusted with NDI is crucial.
- The exfiltration method (photographing documents with a handler-supplied device) bypassed network security monitoring entirely, highlighting the gap between network defenses and physical controls on devices in spaces where classified material is handled.
## Recommendations
- Enhance continuous vetting and monitoring of personnel holding Top Secret clearance, focusing on financial vulnerabilities and undisclosed foreign associations.
- Implement stricter controls around the use of personally obtained or foreign-provided electronic devices when personnel are in secure facilities or handling classified materials.
- Conduct mandatory, recurring security training emphasizing the specific compromises associated with monetary gain and foreign intelligence recruitment tactics.