CIA analyst Asif William Rahman has pleaded guilty to sharing classified documents about an Israeli attack
# Incident Report: Unauthorized Disclosure of Top Secret CIA Documents by Insider
## Executive Summary
A former CIA analyst, Asif William Rahman, gained unauthorized access to and exfiltrated top secret classified documents, including sensitive information regarding Israeli military plans. The incident was discovered following the subsequent online publication of the documents on social media. The analyst pleaded guilty to willfully retaining and transmitting classified information, resulting in significant geopolitical embarrassment and subsequent legal action.
## Incident Details
- **Discovery Date:** Shortly after November 19, 2024 (when documents appeared on social media).
- **Incident Date:** Begins around October 1, 2024 (related to the underlying event the documents cover), with unauthorized access and printing occurring around November 18, 2024.
- **Affected Organization:** Central Intelligence Agency (CIA) / United States Government.
- **Sector:** Intelligence / Government.
- **Geography:** Vienna (where the analyst was located); United States jurisdiction.
## Timeline of Events
### Initial Access
- **Date/Time:** On or before November 18, 2024.
- **Vector:** Insider threat utilizing authorized employee access (a CIA employee since 2016).
- **Details:** The analyst "repeatedly" accessed and printed classified documents, including two top secret documents concerning Israel’s military plans against Iran following the October 1 strike.
### Lateral Movement
- **Details:** The nature of the compromise suggests internal network access was leveraged to locate and print the specific documents. No significant external lateral movement is described.
### Data Exfiltration/Impact
- **Details:** The analyst took the printed documents home, altered them to conceal their source, and then shared them on social media (around November 19, 2024). The primary impact was the unauthorized disclosure of top secret intelligence.
### Detection & Response
- **How it was discovered:** The publication of the altered documents on social media alerted authorities.
- **Response actions taken:** The analyst was indicted by a grand jury on November 7, 2024 (Note: the source's dates appear inconsistent, since the indictment and arrest precede the stated November 19 publication; the arrest did follow the indictment), arrested by the FBI on November 12, 2024, as he arrived at work, and has remained in custody since. He subsequently pleaded guilty.
## Attack Methodology
- **Initial Access:** Insider access, authorized credentials used to access classified material.
- **Persistence:** Not applicable in the traditional sense, as the access was legitimate, though the intent to retain and disseminate was malicious.
- **Privilege Escalation:** Not described; the analyst operated within their existing access levels.
- **Defense Evasion:** The analyst attempted to conceal the source of the documents by altering them before publication. They also deleted and edited published content and drafted "journal" entries to construct a false narrative.
- **Credential Access:** Not applicable beyond the analyst leveraging their own credentials.
- **Discovery:** Printing moved the documents into physical form, bypassing the digital monitoring applied to electronic copies.
- **Lateral Movement:** Not applicable.
- **Collection:** Printing and physically removing documents.
- **Exfiltration:** Physical removal of paper documents taken home, followed by digital publication on social media.
- **Impact:** Disclosure of national defense information, geopolitical embarrassment for the US and its allies.
## Impact Assessment
- **Financial:** Not disclosed in the report.
- **Data Breach:** Two top secret documents regarding Israel’s military plans against Iran were disclosed.
- **Operational:** Significant failure in insider risk management and physical document control within the CIA.
- **Reputational:** Major embarrassment for the Pentagon and US intelligence community, especially because the documents revealed surveillance efforts targeting a nominal ally during a high-tension geopolitical period.
## Indicators of Compromise
- **Network indicators (defanged):** Unauthorized posting of classified material on public social media platforms (specific URLs were not provided/defanged).
- **File indicators:** Altered, printed classified documents concerning Israeli military plans.
- **Behavioral indicators:** Repeatedly accessing and printing classified material outside normal procedure, subsequent efforts to fabricate a cover story (journal entries), and destruction of personal electronic devices (smartphone/router) used to upload data.
## Response Actions
- **Containment measures:** The analyst was immediately taken into custody (arrested on Nov 12, 2024).
- **Eradication steps:** Not detailed, though these likely involved revoking all system access and forensic imaging of any remaining devices/systems.
- **Recovery actions:** Legal proceedings concluded with a guilty plea. Remediation efforts focus on policy/procedural fixes to prevent recurrence.
## Lessons Learned
- The case highlights severe vulnerabilities related to physical document handling (printing and removal) by trusted personnel, similar to the Jack Teixeira case.
- The CIA's internal security protections failed to prevent repeated unauthorized access and exfiltration of Top Secret material by an employee.
- The analyst demonstrated calculated efforts to obscure their actions both digitally and through fabricated narratives.
## Recommendations
- Implement enhanced monitoring and auditing of physical print jobs for classified materials, especially for sensitive compartments.
- Review and tighten physical access controls and procedures for removing hard copies of classified intelligence from secure facilities.
- Strengthen behavioral analytics to detect anomalies in an insider's work patterns leading up to a large-scale exfiltration attempt.
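The first and third recommendations (print-job auditing and behavioral analytics) can be prototyped as simple rules over a print-audit log. The following is an added example written for this report, not code from the source, the CIA, or any vendor; the log format, user names, document ids, printer names and thresholds are all constructed or hypothetical, and the three rules (repeated printing of the same top secret document, classified printing outside working hours, and a per-user daily page volume far above that user's own baseline) are a starting point a practitioner would tune to real data.

```python
"""Print-job audit analytics for classified documents (constructed data, added example).

Rules applied to a constructed print-audit log:
  1. Repeated printing of the same TOP SECRET document by one user within a window.
  2. Classified print jobs outside assumed working hours.
  3. A user's classified page volume on one day far above that user's own baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log (hypothetical users, documents and printers). Format:
# ISO timestamp | user | document id | classification | pages | printer
SAMPLE_LOG = """\
2024-11-04T09:12:00 | analyst_a | DOC-1001 | SECRET | 4 | PRN-3F-02
2024-11-05T10:03:00 | analyst_a | DOC-1002 | SECRET | 6 | PRN-3F-02
2024-11-06T11:40:00 | analyst_a | DOC-1003 | CONFIDENTIAL | 3 | PRN-3F-02
2024-11-07T14:22:00 | analyst_b | DOC-2001 | SECRET | 5 | PRN-3F-01
2024-11-18T19:47:00 | analyst_a | DOC-7001 | TOP SECRET | 12 | PRN-3F-02
2024-11-18T19:52:00 | analyst_a | DOC-7001 | TOP SECRET | 12 | PRN-3F-02
2024-11-18T20:05:00 | analyst_a | DOC-7002 | TOP SECRET | 9 | PRN-3F-02
2024-11-18T20:11:00 | analyst_a | DOC-7001 | TOP SECRET | 12 | PRN-3F-02
"""


def parse_print_log(text):
    """Parse pipe-delimited audit lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, doc, cls, pages, printer = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "doc": doc,
                       "classification": cls, "pages": int(pages), "printer": printer})
    return events


def repeated_top_secret_prints(events, min_count=2, window=timedelta(hours=1)):
    """Rule 1: one user prints the same TOP SECRET document min_count+ times within window."""
    by_key = defaultdict(list)
    for e in events:
        if e["classification"] == "TOP SECRET":
            by_key[(e["user"], e["doc"])].append(e["ts"])
    alerts = []
    for (user, doc), times in by_key.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= min_count:  # one alert per (user, document) pair
                alerts.append({"rule": "repeated_top_secret_print", "user": user,
                               "doc": doc, "count": j - i, "first": times[i]})
                break
    return alerts


def after_hours_classified_prints(events, start_hour=7, end_hour=18):
    """Rule 2: classified print jobs outside the assumed working window [start_hour, end_hour)."""
    return [{"rule": "after_hours_classified_print", "user": e["user"], "doc": e["doc"], "ts": e["ts"]}
            for e in events
            if e["classification"] != "UNCLASSIFIED" and not (start_hour <= e["ts"].hour < end_hour)]


def volume_spikes(events, factor=3.0, min_baseline_days=2):
    """Rule 3: a user's classified pages on one day exceed factor x the median of their other days."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["classification"] != "UNCLASSIFIED":
            daily[e["user"]][e["ts"].date()] += e["pages"]
    alerts = []
    for user, per_day in daily.items():
        for day, pages in per_day.items():
            others = [p for d, p in per_day.items() if d != day]
            if len(others) < min_baseline_days:  # not enough history to form a baseline
                continue
            baseline = median(others)
            if pages > factor * baseline:
                alerts.append({"rule": "daily_volume_spike", "user": user, "day": day,
                               "pages": pages, "baseline": baseline})
    return alerts


def run_all(text):
    """Run every rule over a raw log and return the combined alert list."""
    events = parse_print_log(text)
    return repeated_top_secret_prints(events) + after_hours_classified_prints(events) + volume_spikes(events)


if __name__ == "__main__":
    for alert in run_all(SAMPLE_LOG):
        print(alert)
```

On the constructed log, rule 1 fires once (DOC-7001 printed three times in 24 minutes), rule 2 fires on the four evening jobs, and rule 3 flags the 45 classified pages on November 18 against a four-page median for the preceding days. The per-user baseline in rule 3 matters in practice: a global threshold would either miss a low-volume analyst's spike or drown in alerts from roles that legitimately print a lot.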