Full Report
A former analyst working for the U.S. Central Intelligence Agency (CIA) pleaded guilty to transmitting top secret National Defense Information (NDI) to individuals who did not have the necessary authorization to receive it and attempted to cover up the activity. Asif William Rahman, 34, of Vienna, was an employee of the CIA since 2016 and had a Top Secret security clearance with access to
Analysis Summary
The provided article describes two distinct security incidents. As an Incident Response Analyst, I will structure the summary for the **first primary incident** detailed (the Ex-CIA Analyst case) as requested, because the second incident (Philippines espionage) is separate and unrelated to the CIA analyst's actions.
***
# Incident Report: Unauthorized Transmission of Top Secret NDI by Former CIA Analyst
## Executive Summary
A former CIA analyst, Asif William Rahman, pleaded guilty to unlawfully retaining and transmitting Top Secret National Defense Information (NDI) to unauthorized individuals over several months in 2024. The attack vector was primarily physical removal and subsequent digital reproduction/transmission from his residence, ultimately leading to the leak of sensitive operational details onto social media platforms like Telegram. The incident resulted in a significant national security breach and required federal investigation and coordination.
## Incident Details
- **Discovery Date:** The exact discovery date is not specified; charges were filed in November 2024, so internal monitoring and investigation must have preceded that.
- **Incident Date:** Initial unauthorized access and printing occurred in the spring of 2024; critical transmission occurred on or about October 17, 2024.
- **Affected Organization:** U.S. Central Intelligence Agency (CIA)
- **Sector:** Government/Intelligence
- **Geography:** Vienna, Virginia (Residence/Workplace – Eastern District of Virginia)
## Timeline of Events
### Initial Access
- **Date/Time:** Spring of 2024 (initial unauthorized printing).
- **Vector:** Physical removal of documents from the secure workplace.
- **Details:** Rahman accessed and printed approximately five documents classified as Secret and Top Secret from his workstation and transported them off-site to his residence concealed in a backpack.
### Lateral Movement
- **Details:** The attacker did not move laterally across the CIA network. Movement was **physical** (workstation to residence) and **digital** (reproduction and transmission of data from his personal environment).
### Data Exfiltration/Impact
- **Details:** Rahman reproduced the documents at home, deliberately altered them to conceal the source, and communicated Top Secret information verbally and transmitted reproductions of Secret/Top Secret documents to unauthorized individuals. On October 17, 2024, he photographed two Top Secret documents relating to a planned kinetic action by a U.S. ally against a foreign adversary and shared them after editing the images. These documents appeared on social media (Telegram) on October 18, 2024.
### Detection & Response
- **Details:** The FBI investigated the matter. Rahman was charged in November 2024. He subsequently pleaded guilty to two counts of willful retention and transmission of classified information.
## Attack Methodology
- **Initial Access:** Unauthorized physical removal of classified documents from the workplace.
- **Persistence:** Not applicable in the traditional sense, as access was physical at the time of data removal; subsequent persistence was maintained through holding the illegally obtained data.
- **Privilege Escalation:** Not applicable; the analyst exploited existing **Top Secret/SCI clearance** and authorized workstation access.
- **Defense Evasion:** Altering reproduced documents to conceal their source, deleting files, and altering journal entries on personal devices to create a false, benign narrative.
- **Credential Access:** Not applicable; used existing authorized credentials to access documents.
- **Discovery:** Reconnaissance appears to have been internal (accessing relevant classified documents).
- **Lateral Movement:** Physical transport of materials off-site.
- **Collection:** Printing, photographing, and editing classified physical documents.
- **Exfiltration:** Transfer of digital reproductions and verbal communication to external, unauthorized parties.
- **Impact:** Dissemination of classified national defense plans (specifically, kinetic action plans involving an ally) onto public platforms, causing potential international fallout.
## Impact Assessment
- **Financial:** Not specified in the provided text, though investigation costs would be significant.
- **Data Breach:** Top Secret NDI and Secret documents, including specific details regarding an ally's planned kinetic military actions against a foreign adversary.
- **Operational:** High-level compromise of information security protocols within the intelligence community; necessitated emergency remediation and communication measures globally.
- **Reputational:** Significant damage to the CIA's trust mechanisms and operational security posture.
## Indicators of Compromise
*Note: Since this was an insider threat involving physical removal, many traditional network IoCs are irrelevant. Behavioral IoCs are key.*
- **Network indicators:** None listed (data moved digitally from a non-agency location).
- **File indicators:** Edited images/reproductions of classified NDI circulating externally.
- **Behavioral indicators:** Unauthorized printing exceeding security guidelines, physical removal of classified materials in a backpack, subsequent use of personal devices to digitally alter and transmit documents.
## Response Actions
- **Containment measures:** Investigation, arrest, and legal detention of the subject (Rahman).
- **Eradication steps:** Seizure of personal electronic devices; legal pressure leading to a guilty plea.
- **Recovery actions:** Forensic analysis of affected documentation and systems; reinforcing physical and digital security protocols for handling SCI/TS materials.
## Lessons Learned
- **Key takeaways:** Insider threat capabilities, even within highly trusted roles with SCI clearance, remain a significant vulnerability. Physical security controls around document handling (printing and removal) failed.
- **What could have been done better:** Enhanced automated monitoring of printing activities correlated with off-site data movement/device usage might have detected the behavior sooner.
## Recommendations
- Implement strict DLP/monitoring on all classified printers, cross-referencing print jobs with personnel access logs.
- Increase frequency and rigor of behavioral anomaly detection systems targeting employees with high-level clearances who handle physical documents.
- Mandate that any reproduction or editing of classified documents occur only on agency-issued, monitored devices, eliminating the risk associated with off-site personal systems.
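The "What could have been done better" item and the first two recommendations both describe the same detection idea: correlate print jobs on classified printers with personnel access (badge) logs and watch for anomalous volumes. The following script is an added illustration of that correlation logic, not part of the original report and not any agency's tooling. The log format, the user and document names, the 30-minute exit window and the 25-page daily threshold are all constructed assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample logs for the example (not real data): one line per
# print job on a classified printer, and one line per badge-reader event.
PRINT_LOG = """\
2024-04-02T09:12:00 user=alice doc=weekly-summary class=SECRET pages=3
2024-04-02T16:40:00 user=alice doc=ops-plan-a class=TOP_SECRET pages=12
2024-04-02T16:44:00 user=alice doc=ops-plan-b class=TOP_SECRET pages=9
2024-04-02T16:48:00 user=alice doc=ops-annex class=SECRET pages=20
2024-04-02T10:05:00 user=bob doc=travel-form class=UNCLASSIFIED pages=2
2024-04-02T11:30:00 user=carol doc=assessment class=SECRET pages=4
"""

BADGE_LOG = """\
2024-04-02T12:01:00 user=bob event=EXIT door=main
2024-04-02T12:58:00 user=bob event=ENTRY door=main
2024-04-02T16:55:00 user=alice event=EXIT door=main
2024-04-02T17:30:00 user=carol event=EXIT door=main
"""

# Classification markings that the rules treat as sensitive (assumed labels).
CLASSIFIED = {"SECRET", "TOP_SECRET"}


def parse_log(text):
    """Parse 'ISO-timestamp key=value ...' lines into dicts; 'ts' becomes a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def print_before_exit(prints, badges, window=timedelta(minutes=30)):
    """Rule 1: a classified print job followed by a facility EXIT by the same
    user within `window` (assumed 30 minutes). One alert per matching job."""
    alerts = []
    exits = [b for b in badges if b.get("event") == "EXIT"]
    for p in prints:
        if p["class"] not in CLASSIFIED:
            continue
        for e in exits:
            if e["user"] == p["user"] and p["ts"] <= e["ts"] <= p["ts"] + window:
                alerts.append({
                    "rule": "print_before_exit",
                    "user": p["user"],
                    "doc": p["doc"],
                    "class": p["class"],
                    "exit_ts": e["ts"],
                })
                break  # one exit is enough to raise the alert for this job
    return alerts


def daily_volume(prints, threshold=25):
    """Rule 2: total classified pages printed per user per calendar day
    exceeds `threshold` (assumed 25 pages)."""
    totals = {}
    for p in prints:
        if p["class"] in CLASSIFIED:
            key = (p["user"], p["ts"].date())
            totals[key] = totals.get(key, 0) + int(p["pages"])
    return [
        {"rule": "daily_volume", "user": user, "date": day, "pages": pages}
        for (user, day), pages in sorted(totals.items())
        if pages > threshold
    ]


def detect(print_text, badge_text):
    """Run both rules over the two log sources and return the combined alerts."""
    prints = parse_log(print_text)
    badges = parse_log(badge_text)
    return print_before_exit(prints, badges) + daily_volume(prints)


if __name__ == "__main__":
    for alert in detect(PRINT_LOG, BADGE_LOG):
        print(alert)
```

On the constructed input, the three classified jobs printed in the quarter hour before the 16:55 exit each raise a print-before-exit alert, and the same user's 44 classified pages in one day raise a volume alert; the unclassified job and the single small classified job followed by an exit hours later raise nothing. In practice both thresholds would be tuned per role, and the alerts would feed an analyst queue rather than block the print job.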