Feds say trio conspired to siphon processor and cryptography IP, allegedly routing some data overseas

Two former Google engineers and a third alleged accomplice are facing federal charges after prosecutors accused them of swiping sensitive chip and security technology secrets and then trying to cover their tracks when the scheme began to unravel.…
Analysis Summary
# Incident Report: Insider Theft of Semiconductor & Cryptography Trade Secrets
## Executive Summary
Two former Google engineers and an accomplice have been indicted for the coordinated theft of sensitive processor and cryptography trade secrets. The scheme involved the exfiltration of hundreds of files to unauthorized locations, including Iran, and deliberate attempts to obstruct justice. The incident was identified by internal Google security defenses, leading to a federal investigation and charges of conspiracy and trade secret theft.
## Incident Details
- **Discovery Date:** Approximately February 20, 2026 (Date of Federal Indictment)
- **Incident Date:** Chronology spans the duration of the defendants' employment (dates not fully specified)
- **Affected Organization:** Google and an unnamed technology company
- **Sector:** Technology / Semiconductor
- **Geography:** Silicon Valley, California, USA; data allegedly routed to Iran
## Timeline of Events
### Initial Access
- **Date/Time:** During the defendants' tenure as employees.
- **Vector:** Authorized Insider Access (Privileged Users).
- **Details:** Samaneh and Soroor Ghandali utilized their employee credentials to access repositories containing chip design and security IP.
### Lateral Movement
- **Details:** The defendants moved across internal document repositories and communication platforms, spanning multiple teams and levels of the organization, to aggregate trade secrets from various departments.
### Data Exfiltration/Impact
- **Details:** Samaneh Ghandali allegedly transferred hundreds of internal files to a third-party communications platform. Soroor Ghandali transferred files to personal devices and systems. Some data was reportedly routed to overseas locations, including Iran.
### Detection & Response
- **Detection:** Google’s internal security monitoring and "enhanced safeguards" flagged the suspicious activity.
- **Response Actions:** Google alerted the FBI/DOJ once the activity was confirmed; a federal investigation led to charges of conspiracy, theft of trade secrets, and obstruction of justice.
## Attack Methodology
- **Initial Access:** Valid employee credentials (Engineers).
- **Persistence:** Legitimate employment status allowed repeated access over time.
- **Privilege Escalation:** Not applicable; utilized existing high-level access to sensitive IP.
- **Defense Evasion:** Use of third-party communication platforms, "off-path" transfer methods (photographing screens to avoid digital logs), destruction of records, and false statements.
- **Credential Access:** Misuse of assigned corporate identities.
- **Discovery:** Internal search and reconnaissance of Google’s trade secret repositories.
- **Lateral Movement:** Movement within internal cloud/collaboration environments.
- **Collection:** Aggregation of files related to processor security and cryptography.
- **Exfiltration:** Transfer to external messaging apps, personal devices, and overseas entities.
- **Impact:** Compromise of national security-linked technology and critical intellectual property.
## Impact Assessment
- **Financial:** Massive R&D loss; legal fees and investigation costs.
- **Data Breach:** Hundreds of sensitive files, including chip security and cryptographic secrets.
- **Operational:** Potential loss of competitive advantage in the semiconductor market.
- **Reputational:** Public exposure of internal IP vulnerability, though mitigated by successful detection.
## Indicators of Compromise
- **Network indicators:** Data transfers to unauthorized third-party messaging platforms (illustrative placeholder only, e.g., hxxps[://]unauthorized-comms[.]com; no real domain from the case is cited).
- **File indicators:** Mass download hits for specific "Trade Secret" tagged documentation.
- **Behavioral indicators:** Photographing of monitors (detected via physical security/internal monitoring); deletion of system logs/records; access of sensitive files unrelated to current tasks.
## Response Actions
- **Containment:** Termination of employee access and accounts.
- **Eradication:** Referral to the DOJ and FBI for criminal prosecution and asset seizure.
- **Recovery:** Implementation of "enhanced safeguards" to internal IP repositories (as cited by Google).
## Lessons Learned
- **Key takeaways:** Insider threats remain the most difficult to detect when they involve the "theft of trust" by high-level engineers.
- **Vulnerabilities:** Standard "Data Loss Prevention" (DLP) often fails when users resort to analog methods (photography) or third-party encrypted apps.
## Recommendations
- **Strict Data Segregation:** Implement "Need to Know" access controls for sensitive chip IP rather than broad engineering access.
- **Screen Watermarking:** Implement digital watermarking on sensitive documents to track "screen-sniping" or photography attempts.
- **Anomalous Behavior Analytics:** Deploy User and Entity Behavior Analytics (UEBA) to flag when engineers access or export volumes of data outside their specific project scope.
- **Enhanced Offboarding:** Conduct forensic reviews of high-value employees' activity during their final months of employment.
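The UEBA recommendation above (flagging access or export volumes outside an engineer's project scope) can be approximated with a simple rule over document-access audit events. This is an added example, not code from Google or the report; the event format, the `ASSIGNMENTS` map and all log lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log sample (not data from the case). Fields:
# user, ISO timestamp, document id, owning project, classification tag, action.
EVENTS = [
    ("alice", "2026-02-10T09:00:00", "d1", "proj-a", "trade-secret", "view"),
    ("alice", "2026-02-10T09:05:00", "d2", "proj-a", "trade-secret", "download"),
    ("bob",   "2026-02-10T10:00:00", "d3", "proj-b", "internal",     "view"),
] + [
    # bob pulls 25 trade-secret documents from a project he is not assigned to, in 48 minutes
    ("bob", f"2026-02-10T11:{m:02d}:00", f"ts-{m}", "proj-a", "trade-secret", "download")
    for m in range(0, 50, 2)
]

# Hypothetical project assignments; in practice these would come from HR / the IdP.
ASSIGNMENTS = {"alice": {"proj-a"}, "bob": {"proj-b"}}

def max_in_window(timestamps, window):
    """Largest number of events falling inside any sliding window of length `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def flag_anomalies(events, assignments, window=timedelta(hours=1),
                   out_of_scope_limit=3, download_limit=20):
    """Return {user: [reasons]} for users whose activity exceeds either limit."""
    out_of_scope = defaultdict(int)   # trade-secret accesses outside assigned projects
    downloads = defaultdict(list)     # download timestamps per user
    for user, when, _doc, project, tag, action in events:
        t = datetime.fromisoformat(when)
        if tag == "trade-secret" and project not in assignments.get(user, set()):
            out_of_scope[user] += 1
        if action == "download":
            downloads[user].append(t)
    alerts = defaultdict(list)
    for user, n in out_of_scope.items():
        if n > out_of_scope_limit:
            alerts[user].append(f"{n} trade-secret accesses outside assigned projects")
    for user, ts in downloads.items():
        n = max_in_window(ts, window)
        if n > download_limit:
            alerts[user].append(f"{n} downloads within {window}")
    return dict(alerts)

if __name__ == "__main__":
    print(flag_anomalies(EVENTS, ASSIGNMENTS))
```

Thresholds are placeholders; a real deployment baselines them per role and team so that routine bulk access by, say, a release engineer does not page the SOC.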