How did Google detect the unauthorized access to its trade secrets?

Google's internal security systems flagged suspicious activity in August 2023, leading to an internal investigation that uncovered the unauthorized access and transfer of confidential files.

What are the potential legal consequences for the defendants if convicted?

Each defendant faces up to 10 years in prison per trade secret charge and up to 20 years for obstruction of justice, along with fines of up to $250,000 per charge.

Google Engineers Indicted for Trade Secret Theft to Iran

In February 2026, three Silicon Valley engineers were indicted for allegedly stealing trade secrets from Google and transferring them to unauthorized locations, including Iran.

Published: February 20, 2026

Share this on:

Executive Summary

In February 2026, three Silicon Valley engineers—Samaneh Ghandali, her sister Soroor Ghandali, and her husband Mohammadjavad Khosravi—were indicted for allegedly stealing trade secrets from Google and other technology companies and transferring them to unauthorized locations, including Iran. The trio exploited their positions to access sensitive data related to processor security and cryptography, transferring hundreds of confidential files to personal devices and third-party platforms. Their actions were detected by Google's internal security systems in August 2023, leading to an internal investigation and subsequent legal action. This incident underscores the persistent threat of insider attacks in the tech industry, highlighting the need for robust internal security measures and vigilant monitoring to protect intellectual property. The case also reflects broader concerns about the exfiltration of sensitive technologies to foreign entities, emphasizing the importance of safeguarding national security interests in the face of evolving cyber threats.

Why This Matters Now

The indictment of these engineers highlights the ongoing risk of insider threats within the tech industry, emphasizing the need for enhanced security protocols and monitoring to protect sensitive intellectual property from unauthorized access and potential foreign exploitation.

Attack Path Analysis

Former Google engineers exploited their legitimate access to confidential information, escalating their privileges to access sensitive trade secrets. They moved laterally within the organization to gather additional proprietary data, established covert channels for command and control, and exfiltrated the data to unauthorized locations, including Iran. The impact resulted in significant intellectual property theft and potential economic and security implications.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Medium

Lateral Movement

Medium

Command & Control

High

Exfiltration

High

Impact

High

Initial Compromise

Description

The insiders leveraged their authorized access to Google's internal systems to obtain confidential information.

Confidence:

High

MITRE ATT&CK® Techniques

Defense Evasion

T1078

Valid Accounts

Exfiltration

T1537

Transfer Data to Cloud Account

Exfiltration

T1052

Exfiltration Over Physical Medium

Exfiltration

T1020

Automated Exfiltration

Defense Evasion

T1656

Impersonation

Impact

T1657

Financial Theft

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Secure Storage of Cardholder Data

Control ID: 3.2.1

The unauthorized exfiltration of sensitive data indicates a failure to securely store and protect cardholder data, violating PCI DSS requirements.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The incident reveals deficiencies in the organization's cybersecurity policies and procedures, as required by NYDFS regulations.

DORA – ICT Risk Management Framework

Control ID: Article 5

The breach highlights inadequate ICT risk management practices, contravening DORA's requirements for financial entities.

CISA ZTMM 2.0 – User Access Controls

Control ID: Identity and Access Management

The misuse of valid accounts for unauthorized data access indicates weaknesses in identity and access management controls, as outlined in CISA's Zero Trust Maturity Model.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident demonstrates a lack of effective risk management measures, violating NIS2 Directive requirements for essential and important entities.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Computer Software/Engineering

Insider threats targeting trade secrets pose critical risks to IP protection, requiring enhanced egress security and zero trust segmentation for development environments.

Information Technology/IT

Trade secret theft demonstrates need for multicloud visibility, anomaly detection, and encrypted traffic monitoring to prevent unauthorized data transfers to foreign entities.

Computer/Network Security

Insider threat case highlights vulnerabilities in current security frameworks, emphasizing requirements for threat detection capabilities and east-west traffic security implementations.

Defense/Space

Foreign transfer of sensitive technologies creates national security implications, requiring enhanced data loss prevention and policy enforcement for classified information protection.

Sources

Former Google Engineers Indicted Over Trade Secret Transfers to Iranhttps://thehackernews.com/2026/02/three-former-google-engineers-indicted.html
Verified

Former Google Engineer Found Guilty of Economic Espionage and Theft of Confidential AI Technologyhttps://www.justice.gov/opa/pr/former-google-engineer-found-guilty-economic-espionage-and-theft-confidential-ai-technology

Verified

Three Silicon Valley engineers charged with stealing Google trade secrets for Iranhttps://www.yahoo.com/news/articles/three-silicon-valley-engineers-charged-083500002.html

Verified

Frequently Asked Questions

The defendants allegedly accessed and transferred confidential files related to processor security and cryptography, including information concerning Qualcomm's Snapdragon system-on-chip technology.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the insiders' ability to escalate privileges, move laterally, and exfiltrate sensitive data, thereby reducing the overall impact of the breach.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The insiders' ability to access confidential information would likely have been constrained, reducing the scope of initial data exposure.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The insiders' ability to escalate privileges would likely have been limited, reducing the risk of accessing sensitive trade secrets.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The insiders' ability to move laterally within the network would likely have been restricted, reducing the risk of accessing additional proprietary data.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The insiders' ability to establish covert channels for data transfer would likely have been detected and disrupted, reducing the risk of unauthorized data coordination.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The insiders' ability to exfiltrate data to unauthorized locations would likely have been prevented, reducing the risk of data loss.

Impact (Mitigations)

The overall impact of intellectual property theft would likely have been mitigated, reducing potential economic and security consequences.

Impact at a Glance

Affected Business Functions

Intellectual Property Management
Product Development
Corporate Security

Operational Disruption

Estimated downtime: N/A

Financial Impact

Estimated loss: N/A

Data Exposure

Confidential trade secrets related to processor security and cryptography were exfiltrated.

Recommended Actions

• Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
• Deploy Egress Security & Policy Enforcement to monitor and control outbound data transfers, mitigating unauthorized exfiltration.
• Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
• Apply Threat Detection & Anomaly Response mechanisms to identify and address insider threats promptly.
• Establish comprehensive identity governance to manage and monitor user access rights effectively.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

Google Engineers Indicted for Trade Secret Theft to Iran

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

MITRE ATT&CK® Techniques

Valid Accounts

Transfer Data to Cloud Account

Exfiltration Over Physical Medium

Automated Exfiltration

Impersonation

Financial Theft

Potential Compliance Exposure

PCI DSS 4.0 – Secure Storage of Cardholder Data

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – User Access Controls

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Computer Software/Engineering

Information Technology/IT

Computer/Network Security

Defense/Space

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads