Full Report
Two former Google engineers and one of their husbands have been indicted in the U.S. for allegedly committing trade secret theft from the search giant and other tech firms and transferring the information to unauthorized locations, including Iran. Samaneh Ghandali, 41, and her husband Mohammadjavad Khosravi (aka Mohammad Khosravi), 40, along with her sister Soroor Ghandali, 32, have been accused
Analysis Summary
# Incident Report: Insider Theft of Trade Secrets by Former Google Engineers
## Executive Summary
Two former Google engineers and an associate were indicted for the systematic theft of highly sensitive trade secrets related to mobile processor technology and cryptography. The stolen data was exfiltrated to unauthorized personal accounts, copied onto work devices at other companies, and accessed from Iran. The defendants attempted to obstruct justice through false affidavits and the destruction of evidence before their arrest in February 2026.
## Incident Details
- **Discovery Date:** August 2023
- **Incident Date:** Circa 2023 – December 2023
- **Affected Organization:** Google, "Company 2," and "Company 3"
- **Sector:** Technology / Semiconductor / Mobile Hardware
- **Geography:** San Jose, California, USA; Iran
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-August 2023
- **Vector:** Authorized Insider Access
- **Details:** Samaneh Ghandali and Soroor Ghandali utilized their legitimate employment credentials at Google to access confidential processor and cryptography trade secrets.
### Lateral Movement
- **Details:** While traditional network lateral movement was not reported, the defendants moved data across corporate boundaries by transferring files from Google environments to work devices at "Company 2" and "Company 3" (the defendants' later employers).
### Data Exfiltration/Impact
- **Details:** Hundreds of files, including trade secrets for the **Tensor processor**, were transferred to a third-party communications platform. Data was subsequently copied to personal devices, photographed manually from computer screens, and accessed while the defendants were physically located in Iran.
### Detection & Response
- **August 2023:** Google’s internal security systems detected Samaneh Ghandali’s suspicious activity.
- **August 2023:** Google revoked Samaneh Ghandali’s access and initiated an investigation.
- **December 2023:** Logs and surveillance recorded the manual photography of Company 2 screens and the subsequent access of that data from Iran.
- **February 19, 2026:** Federal authorities arrested all three defendants in San Jose.
## Attack Methodology
- **Initial Access:** Legitimate employee credentials (Insider Threat).
- **Persistence:** Not applicable; relied on ongoing employment and personal device storage.
- **Privilege Escalation:** Abuse of authorized access to sensitive repositories.
- **Defense Evasion:** Manual photography of screens (moving data out of band so that no file-transfer logs are generated), submitting false affidavits to legal teams, searching for instructions on how to delete communication logs, and destroying files and devices.
- **Credential Access:** Utilization of assigned corporate credentials.
- **Discovery:** Authorized internal search of Google and Company 2 repositories.
- **Lateral Movement:** Physical and digital transfer of data between different corporate environments.
- **Collection:** Aggregation of trade secrets onto a third-party messaging platform with dedicated channels for the conspirators.
- **Exfiltration:** Transfer to third-party messaging apps, personal cloud/devices, and manual screen photography.
- **Impact:** Significant loss of intellectual property related to chip security and phone processors.
## Impact Assessment
- **Financial:** Potentially millions in R&D value; defendants face fines of $250,000 per count.
- **Data Breach:** High-volume theft of trade secrets, including Tensor processor architecture and cryptographic security.
- **Operational:** Disruption to hardware development roadmaps and security integrity of the mobile processors.
- **Reputational:** Increased concern regarding insider threats within Silicon Valley's Iranian-American engineering community and broader supply chain security.
## Indicators of Compromise
- **Network indicators:** Access to unauthorized third-party communication platforms (e.g., messaging apps) from corporate workstations.
- **File indicators:** Unauthorized transfer of files related to "Tensor" or "Cryptography" to non-corporate storage.
- **Behavioral indicators:** Employees searching for "how to delete messages for court," "cell provider log retention," and accessing sensitive files shortly before international travel to high-risk jurisdictions.
## Response Actions
- **Containment:** Revocation of Samaneh Ghandali’s access to all company resources in August 2023.
- **Eradication:** Law enforcement seizure of devices and deletion of unauthorized file copies (as part of the criminal investigation).
- **Recovery:** Enhancement of Google's internal safeguards and monitoring for confidential information.
## Lessons Learned
- **Deterrence Gap:** Affidavits and legal warnings are insufficient to stop committed insiders; technical controls must be the primary defense.
- **The "Analog Hole":** Digital DLP (Data Loss Prevention) cannot easily stop an employee from taking physical photographs of a screen.
- **Travel Risk:** Large-scale data access or "clearing of files" immediately preceding international travel is a major red flag.
## Recommendations
- **Implement User and Entity Behavior Analytics (UEBA):** To flag unusual patterns of data access that deviate from daily roles.
- **Strict Data Segregation:** Implement just-in-time (JIT) access for highly sensitive trade secrets like processor schematics.
- **Enhanced Monitoring for High-Risk Jurisdictions:** Trigger alerts when employees with sensitive access communicate with or travel to countries with high corporate espionage risks.
- **Screen Watermarking:** Implement forensic watermarking on sensitive documents to discourage and track manual photography of screens.
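As an added illustration (not from the report, and not Google's or any named company's tooling), the following is a minimal UEBA-style correlation rule run over constructed sample access and travel records. It covers the three behavioral indicators the report lists: sensitive access from a high-risk jurisdiction, copies of sensitive files to non-corporate destinations, and bulk sensitive access in the week before travel to a high-risk country. The tag names, country codes, thresholds, and log schema are assumptions for the example.

```python
from datetime import datetime, timedelta

# Policy values are assumptions for this example, not figures from the report.
SENSITIVE_TAGS = {"tensor", "cryptography"}          # file classes named in the report
HIGH_RISK_COUNTRIES = {"IR"}                         # assumed policy-defined list
NONCORP_DESTS = {"messaging-app", "personal-cloud"}  # assumed non-corporate sinks
PRE_TRAVEL_WINDOW = timedelta(days=7)                # assumed look-back before departure
BULK_THRESHOLD = 20                                  # assumed files-per-window trigger

def detect(access_events, travel_events):
    """Correlate file-access events with travel records; return (rule, user, detail) alerts."""
    alerts = []
    for e in access_events:
        if e["tag"] not in SENSITIVE_TAGS:
            continue
        # Indicator: sensitive data accessed while located in a high-risk jurisdiction.
        if e["country"] in HIGH_RISK_COUNTRIES:
            alerts.append(("sensitive_access_from_high_risk_country", e["user"], e["country"]))
        # Indicator: sensitive file copied to a non-corporate destination.
        if e["action"] == "copy" and e["dest"] in NONCORP_DESTS:
            alerts.append(("sensitive_copy_to_noncorporate_destination", e["user"], e["dest"]))
    # Indicator: bulk sensitive access in the window before high-risk travel.
    for trip in travel_events:
        if trip["country"] not in HIGH_RISK_COUNTRIES:
            continue
        start = trip["departs"] - PRE_TRAVEL_WINDOW
        n = sum(1 for e in access_events
                if e["user"] == trip["user"] and e["tag"] in SENSITIVE_TAGS
                and start <= e["ts"] < trip["departs"])
        if n >= BULK_THRESHOLD:
            alerts.append(("bulk_sensitive_access_before_high_risk_travel", trip["user"], n))
    return alerts

def ev(user, when, tag, action="read", dest=None, country="US"):
    return {"user": user, "ts": datetime.fromisoformat(when), "tag": tag,
            "action": action, "dest": dest, "country": country}

def sample_alerts():
    """Run detect() over constructed sample logs (not real telemetry)."""
    base = datetime(2023, 12, 1)
    access = [ev("eng_a", (base + timedelta(hours=3 * i)).isoformat(), "tensor") for i in range(24)]
    access.append(ev("eng_a", "2023-12-04T10:00:00", "cryptography", "copy", "messaging-app"))
    access.append(ev("eng_a", "2023-12-12T08:00:00", "tensor", country="IR"))
    access += [ev("eng_b", f"2023-12-0{d}T09:00:00", "docs") for d in range(1, 6)]
    access.append(ev("eng_b", "2023-12-02T11:00:00", "tensor"))  # routine single read, no alert
    travel = [{"user": "eng_a", "departs": datetime(2023, 12, 8), "country": "IR"},
              {"user": "eng_b", "departs": datetime(2023, 12, 20), "country": "FR"}]
    return detect(access, travel)
```

Calling `sample_alerts()` yields three alerts for `eng_a` and none for `eng_b`, whose single routine read of a sensitive file stays below the bulk threshold and involves no high-risk travel.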