Full Report
A federal grand jury indicted three Silicon Valley engineers on charges of stealing trade secrets from Google and other technology companies and transferring sensitive data to Iran, prosecutors said Thursday. Samaneh Ghandali, 41, her sister Soroor Ghandali, 32, and Mohammadjavad Khosravi, 40 — all residents of San Jose — were arrested Thursday and appeared in…
Analysis Summary
# Threat Actor: Samaneh Ghandali, Soroor Ghandali, and Mohammadjavad Khosravi
## Attribution & Identity
**Actor Identification:** Three Silicon Valley engineers, all residents of San Jose, described as Iranian nationals (one holds U.S. citizenship and one is a U.S. legal permanent resident, per the details below).
- **Samaneh Ghandali (41):** U.S. citizen and resident of San Jose.
- **Soroor Ghandali (32):** Sister of Samaneh, resident of San Jose, present in the U.S. on a nonimmigrant student visa.
- **Mohammadjavad Khosravi (40):** Husband of Samaneh, resident of San Jose, U.S. legal permanent resident, and former member of the Iranian army.
**Associated Groups:** While no specific Advanced Persistent Threat (APT) group name was explicitly cited in the article, the actors were indicted for transferring sensitive data and trade secrets to **Iran**.
## Activity Summary
**February 2026:** A federal grand jury indicted the three individuals for theft of trade secrets from Google and other technology companies. According to prosecutors, the defendants acquired sensitive proprietary data without authorization and transferred it to Iran. All three were arrested on Thursday, February 19, 2026, following a federal investigation, and made an initial court appearance the same day.
## Tactics, Techniques & Procedures
The conduct described is insider activity: the defendants are charged with misusing access they held as employees rather than with breaking in from outside.
- **Insider Threat / Trade Secret Theft:** Leveraging legitimate employment access to corporate systems to collect proprietary information.
- **Data Exfiltration:** Moving the collected trade secrets out of the victim companies and on to recipients in Iran. The article does not describe the channel used.
- **Abuse of Employment Position:** Using engineering roles at Silicon Valley firms to facilitate industrial espionage; one defendant was in the U.S. on a nonimmigrant student visa at the time of arrest.
**Possible MITRE ATT&CK IDs** (inferred; the article names no techniques):
- **T1078 (Valid Accounts):** The defendants' own authorized credentials and access rights, granted through employment, were the means of reaching the data. Note that ATT&CK models external adversaries, so this mapping is an approximation for an insider case.
- **T1567 (Exfiltration Over Web Service):** A plausible channel for moving data out of the corporate environment, but unconfirmed. Because the article does not state how the data left the companies, other exfiltration techniques (for example T1048, Exfiltration Over Alternative Protocol, or T1052, Exfiltration Over Physical Medium) cannot be ruled out.
## Targeting
- **Sectors:** Information Technology, Software, and Semiconductor/Hardware.
- **Geography:** United States (Silicon Valley, California) and Iran (Recipient).
- **Victims:** Google and other unnamed technology companies.
## Tools & Infrastructure
The article does not specify custom malware or C2 infrastructure, as the activity focused on the misuse of legitimate access (insider threat).
- **Infrastructure:** Internal corporate networks and servers of Google and Silicon Valley tech firms.
- **Defanged Links:** hxxps[://]threatbeat[.]com/three-silicon-valley-engineers-charged-with-stealing-google-trade-secrets-and-sending-data-to-iran/
## Implications
This case highlights the persistent threat of industrial espionage carried out by insiders acting on behalf of foreign adversaries. The focus on trade secrets suggests an objective of closing technological gaps and gaining competitive advantage in the software and AI sectors while bypassing R&D costs. It also underscores gaps in the vetting and continuous monitoring of employees who hold access to high-value intellectual property.
## Mitigations
- **User and Entity Behavior Analytics (UEBA):** Implement systems to detect anomalous data access or large file transfers by employees.
- **Data Loss Prevention (DLP):** Deploy DLP solutions to monitor and block the transmission of sensitive trade secrets to external/personal accounts or unauthorized jurisdictions.
- **Principle of Least Privilege:** Restrict access to highly sensitive trade secrets to the minimum number of personnel required.
- **Enhanced Insider Threat Programs:** Conduct rigorous background checks and continuous monitoring of employees with access to critical intellectual property, particularly those with links to foreign military or government entities.
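The UEBA and DLP controls listed above, and the exfiltration techniques inferred in the ATT&CK section, reduce in practice to a small amount of detection logic run over file-access audit logs. The following is an added example written for this page, not code from the article, from Google, or from any vendor product. It assumes a hypothetical JSON-lines export in which each event carries `ts`, `user`, `action`, `bytes` and `dest` fields; the log lines, user names and domains are constructed for illustration. The first detector is a leave-one-out volume baseline per user (a day is flagged when it exceeds `ratio` times the median of that user's other days), and the second flags uploads or shares whose destination is outside an allow-list of corporate domains.

```python
"""Insider-threat detection over constructed audit-log events (added example)."""
import json
import statistics
from collections import defaultdict

# Constructed sample log, not real data. "alice" is a normal user; "eng_x"
# has a normal baseline, then a bulk pull followed by an upload to a
# personal mail domain late at night. Field names are hypothetical.
SAMPLE_LOG = """\
{"ts":"2026-02-02T09:12:00","user":"alice","action":"download","bytes":110000,"dest":"corp.example"}
{"ts":"2026-02-03T14:30:00","user":"alice","action":"download","bytes":95000,"dest":"corp.example"}
{"ts":"2026-02-04T11:05:00","user":"alice","action":"download","bytes":130000,"dest":"corp.example"}
{"ts":"2026-02-02T10:00:00","user":"eng_x","action":"download","bytes":150000,"dest":"corp.example"}
{"ts":"2026-02-03T10:10:00","user":"eng_x","action":"download","bytes":140000,"dest":"corp.example"}
{"ts":"2026-02-04T10:20:00","user":"eng_x","action":"download","bytes":160000,"dest":"corp.example"}
{"ts":"2026-02-05T23:40:00","user":"eng_x","action":"download","bytes":4200000000,"dest":"corp.example"}
{"ts":"2026-02-05T23:55:00","user":"eng_x","action":"upload","bytes":4200000000,"dest":"personal-mail.example"}
"""

# Hypothetical allow-list of destinations considered inside the company.
CORP_DOMAINS = {"corp.example", "drive.corp.example"}


def parse_events(text):
    """Parse JSON-lines audit events; adds a 'date' key (YYYY-MM-DD) from ts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["date"] = event["ts"][:10]
        events.append(event)
    return events


def daily_volume(events):
    """Total bytes moved per user per day, regardless of direction."""
    volume = defaultdict(lambda: defaultdict(int))
    for event in events:
        volume[event["user"]][event["date"]] += event["bytes"]
    return volume


def ueba_outliers(events, ratio=5.0, min_baseline_days=2):
    """UEBA-style check: flag (user, date, bytes, baseline) when a day's volume
    exceeds ratio x the median of the user's OTHER days (leave-one-out, so the
    spike does not inflate its own baseline). Users with too few days are skipped."""
    hits = []
    for user, days in daily_volume(events).items():
        for date, total in sorted(days.items()):
            others = [v for d, v in days.items() if d != date]
            if len(others) < min_baseline_days:
                continue
            baseline = statistics.median(others)
            if baseline > 0 and total > ratio * baseline:
                hits.append((user, date, total, baseline))
    return hits


def dlp_violations(events, corp_domains=CORP_DOMAINS):
    """DLP-style check: outbound transfers whose destination is not a corporate domain."""
    return [
        e for e in events
        if e["action"] in ("upload", "share") and e["dest"] not in corp_domains
    ]


def insider_report(text, corp_domains=CORP_DOMAINS):
    """Run both detectors over a JSON-lines log and return their findings."""
    events = parse_events(text)
    return {
        "ueba": ueba_outliers(events),
        "dlp": dlp_violations(events, corp_domains),
    }


if __name__ == "__main__":
    report = insider_report(SAMPLE_LOG)
    for user, date, total, baseline in report["ueba"]:
        print(f"UEBA: {user} moved {total} bytes on {date} (baseline {baseline})")
    for e in report["dlp"]:
        print(f"DLP:  {e['user']} {e['action']} {e['bytes']} bytes to {e['dest']} at {e['ts']}")
```

The two detectors are deliberately independent: the volume outlier fires on the bulk download to a corporate destination, which a destination-only DLP rule would miss, while the DLP rule fires on the upload to a personal domain even when the volume is small. In production the baseline would be built over weeks and compared against peers in the same role, and a finding would be enriched with context such as recent resignation or HR flags rather than acted on in isolation.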