Full Report
A former U.S. Central Intelligence Agency (CIA) analyst has been sentenced to little more than three years in prison for unlawfully retaining and transmitting top secret National Defense Information (NDI) to people who were not entitled to receive it and for attempting to cover up the malicious activity. Asif William Rahman, 34, of Vienna, has been sentenced today to 37 months on charges of
Analysis Summary
# Incident Report: Insider Theft of Top Secret National Defense Information
## Executive Summary
A former CIA analyst, Asif William Rahman, unlawfully retained Top Secret National Defense Information (NDI) and transmitted it to unauthorized recipients, including documents concerning an ally's military plans. The leaked material surfaced publicly, and the ensuing investigation led to his termination, arrest, guilty plea to willful retention and transmission of NDI, and a 37-month prison sentence.
## Incident Details
- Discovery Date: The investigation culminated in Rahman's arrest in November 2024; sentencing followed in June 2025.
- Incident Date: October 17, 2024 (documents removed, photographed, edited and transmitted).
- Affected Organization: U.S. Central Intelligence Agency (CIA).
- Sector: Government/Intelligence.
- Geography: U.S. Central Intelligence Agency holdings; arrest in Cambodia.
## Timeline of Events
### Initial Access
- Date/Time: Prior to October 17, 2024 (Through authorized employment).
- Vector: Authorized, trusted insider access leveraging high-level security clearance.
- Details: Asif William Rahman, a CIA employee since 2016 with Top Secret clearance, retained multiple Secret and Top Secret documents without authorization.
### Collection and Staging
- **Removal and Preparation:** On October 17, 2024, Rahman carried the physical documents home in a backpack, photographed them, and used image-editing software to alter the photographs so that their source could not be traced. He then willfully sent the edited images to several individuals not authorized to receive them.
### Data Exfiltration/Impact
- **Impact:** Classified information, including documents reported to describe Israel's plans to strike Iran, left secure channels and began circulating online, notably on the Telegram account "Middle East Spectator".
- **Cover-up Attempts:** Rahman engaged in a "deletion campaign of work product" on his computer, wiping roughly 1.5 GB of data from emails and personal folders, and edited journal entries to hide personal opinions related to U.S. policy.
### Detection & Response
- **Detection:** The leaked images circulated publicly (notably on Telegram), and the ensuing investigation identified Rahman, who was terminated and arrested in Cambodia in November 2024.
- **Response Actions:** Rahman was charged and prosecuted; he pleaded guilty in January 2025 and was sentenced in June 2025 to 37 months in prison.
## Attack Methodology
- **Initial Access:** Trusted insider with legitimate employment and a Top Secret clearance; no external intrusion was involved.
- **Persistence:** Not applicable as an attacker technique; the analyst already held durable access, and "persistence" here amounted to unauthorized retention of documents over time.
- **Privilege Escalation:** Not applicable; every action used privileges Rahman already held.
- **Defense Evasion:** Edited the photographs to remove indications of their source, deleted roughly 1.5 GB of emails and personal folders, and altered journal entries to obscure his motives.
- **Credential Access:** Not applicable; Rahman used his own legitimately issued credentials, and no theft or misuse of another identity is described.
- **Discovery:** Not described; as a cleared analyst he already knew where the material was held and how to reach it.
- **Lateral Movement:** Not applicable in the technical sense; the material left the secure environment physically (documents carried out in a backpack) rather than through movement between systems.
- **Collection:** Retention and photographing of Secret and Top Secret NDI at his residence.
- **Exfiltration:** Transmission of the edited photographs to individuals without clearance or need-to-know, followed by their onward posting to Telegram.
- **Impact:** Public dissemination of Top Secret NDI concerning an ally's military plans.
## Impact Assessment
- **Financial:** Not explicitly stated, but significant costs associated with investigation, prosecution, and remediation are implied.
- **Data Breach:** Retention and transmission of multiple Secret and Top Secret National Defense Information (NDI) documents.
- **Operational:** Classified assessments of an ally's military planning were exposed while the matter was live; the public record does not detail further operational consequences.
- **Reputational:** Significant reputational damage to the CIA and U.S. intelligence capabilities due to the public exposure of classified data regarding allied military plans.
## Indicators of Compromise
- **Network indicators:** None disclosed. The only public channel named is the Telegram account "Middle East Spectator" on which the images were posted; no IPs, domains or hashes are available from the public record.
- **File indicators:** Image files of classified documents altered to remove source markings; roughly 1.5 GB of deletions from emails and personal folders on the analyst's computer; modified journal entries.
- **Behavioral indicators:** Physical removal of classified documents from the workplace; photographing and editing of those documents off-site; an organized deletion campaign against the user's own work product; after-the-fact edits to personal notes recording opinions on U.S. policy.
## Response Actions
- **Containment measures:** Termination of employment and arrest in Cambodia in November 2024. Once posted to Telegram, the images themselves could not be recalled, so containment was limited to the person, not the data.
- **Eradication steps:** Not meaningful for information already leaked; investigative effort went into forensic analysis of Rahman's computer, which documented the deletion campaign and the transmissions despite the attempted wiping.
- **Recovery actions:** Prosecution ending in a 37-month sentence, accompanied by public statements from investigators intended to deter similar conduct.
## Lessons Learned
- A security clearance is a vetting decision, not a technical control: it does not limit what a cleared insider can do with access already granted, so insider-threat programmes must assume that trust can fail.
- Network DLP never sees a document that has been printed and photographed. The controls with a realistic chance here are on the paper side (auditing and limiting the printing of Top Secret material, need-to-know checks before release to print, exit inspections) and on the behavioural side (alerting when bursts of access to highly classified material are followed by bulk deletion of work product).
- Rapid identification, arrest and prosecution limit further dissemination and signal deterrence, but they do not recover material already published.
## Recommendations
- Tighten physical handling of classified material for all personnel regardless of clearance: log and justify every print job involving Top Secret documents, cap the volume a single user may print without a second approval, and inspect bags at exit points.
- Monitor for the sequence observed here rather than for isolated events: anomalous printing or access of highly classified documents followed by bulk deletion or editing of the user's own work product (emails, personal folders, notes). The photographing happened off-site, so workstation camera monitoring would not have helped; the detectable signals were the access burst and the 1.5 GB deletion.
- Mandatory refresher training on the legal and national-security consequences of unauthorized retention and transmission, anchored in real outcomes such as this 37-month sentence.
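The lesson that DLP cannot see photographed paper and the recommendation to alert on printing followed by bulk deletion both point at the same detection: correlate print-audit events with file-deletion events per user. What follows is an added example, not part of the original report and not code from any agency tooling: a small Python correlator run over constructed audit lines. The JSON schema, field names, user names and thresholds (10 Top Secret pages per user per day, 1 GB deleted within 24 hours, a 30-day correlation window) are assumptions chosen for illustration.

```python
"""Correlate print-audit and file-deletion events to flag the insider pattern
seen in this case: printing Top Secret material, then bulk-deleting work product.

Added example, not from the original report. Log schema, field names, user
names and thresholds are assumptions; the events are constructed, not real.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed audit lines, one JSON object per line (assumed schema).
SAMPLE_LOG = """\
{"ts":"2024-10-17T09:02:11Z","user":"analyst_a","action":"print","classification":"TOP SECRET","pages":6}
{"ts":"2024-10-17T09:05:40Z","user":"analyst_a","action":"print","classification":"TOP SECRET","pages":9}
{"ts":"2024-10-17T09:06:02Z","user":"analyst_b","action":"print","classification":"SECRET","pages":2}
{"ts":"2024-10-17T19:31:08Z","user":"analyst_a","action":"delete","path":"/home/analyst_a/mail/Sent","bytes":900000000}
{"ts":"2024-10-17T19:33:45Z","user":"analyst_a","action":"delete","path":"/home/analyst_a/personal/drafts","bytes":600000000}
{"ts":"2024-10-17T19:34:10Z","user":"analyst_a","action":"modify","path":"/home/analyst_a/notes/journal.txt","bytes":12000}
{"ts":"2024-10-18T08:10:00Z","user":"analyst_b","action":"delete","path":"/home/analyst_b/tmp/scratch","bytes":5000000}
"""

# Assumed thresholds; in practice derive them from per-user or peer-group baselines.
PRINT_PAGE_LIMIT = 10                # Top Secret pages per user per day
DELETE_BYTES_LIMIT = 1_000_000_000   # bytes deleted by one user inside any 24h window
CORRELATION_WINDOW = timedelta(days=30)


def parse_events(text):
    """Parse newline-delimited JSON audit lines; 'ts' becomes a datetime, output is time-sorted."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def ts_print_alerts(events):
    """Rule 1: more than PRINT_PAGE_LIMIT Top Secret pages printed by one user on one day."""
    pages, first_seen = defaultdict(int), {}
    for ev in events:
        if ev["action"] == "print" and ev.get("classification") == "TOP SECRET":
            key = (ev["user"], ev["ts"].date())
            pages[key] += ev["pages"]
            first_seen.setdefault(key, ev["ts"])
    return [{"user": u, "rule": "ts_print_volume", "ts": first_seen[(u, d)],
             "detail": f"{n} Top Secret pages printed on {d}"}
            for (u, d), n in pages.items() if n > PRINT_PAGE_LIMIT]


def bulk_delete_alerts(events):
    """Rule 2: one user's deletions exceed DELETE_BYTES_LIMIT within a trailing 24h window."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["action"] == "delete":
            per_user[ev["user"]].append(ev)
    alerts = []
    for user, dels in per_user.items():       # dels inherit the global time ordering
        for i, ev in enumerate(dels):
            window_start = ev["ts"] - timedelta(hours=24)
            total = sum(d["bytes"] for d in dels[: i + 1] if d["ts"] >= window_start)
            if total > DELETE_BYTES_LIMIT:
                alerts.append({"user": user, "rule": "bulk_deletion", "ts": ev["ts"],
                               "detail": f"{total / 1e9:.1f} GB deleted within 24h"})
                break                          # one alert per user suffices here
    return alerts


def detect(events):
    """Run both rules, then correlate: a TS print burst followed within CORRELATION_WINDOW by a wipe."""
    alerts = ts_print_alerts(events) + bulk_delete_alerts(events)
    prints = [a for a in alerts if a["rule"] == "ts_print_volume"]
    wipes = [a for a in alerts if a["rule"] == "bulk_deletion"]
    for p in prints:
        for w in wipes:
            if w["user"] == p["user"] and timedelta(0) <= w["ts"] - p["ts"] <= CORRELATION_WINDOW:
                alerts.append({"user": p["user"], "rule": "print_then_wipe", "ts": w["ts"],
                               "detail": "TS print burst followed by bulk deletion; escalate to insider-threat review"})
    return alerts


def flagged_users(alerts):
    """Map each user to the set of rule names that fired on them."""
    out = defaultdict(set)
    for a in alerts:
        out[a["user"]].add(a["rule"])
    return dict(out)


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(a["ts"].isoformat(), a["user"], a["rule"], a["detail"])
```

Run stand-alone, the script raises all three rules for analyst_a and nothing for analyst_b, whose two-page Secret print and 5 MB cleanup stay under both thresholds. The correlation rule is what separates a noisy signal (people delete things) from the pattern worth an analyst's time: a burst of access to the most sensitive material followed by destruction of the user's own records. For the print rule to work at all, the print server has to be configured to record the classification marking of each job, which is the first thing to check before deploying anything like this.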