https://www.cnbc.com/2026/02/20/three-engineers-charged-stealing-google-trade-secrets-data-iran-soc-snapdragon.html
Three engineers (Samaneh Ghandali, her sister Soroor, and Samaneh’s husband Mohammadjavad Khosravi — two Iranian nationals, one with prior Iranian army service) allegedly:
- Stole hundreds of files on processor security, cryptography, and Snapdragon SoC hardware architecture from Google and a major chip company.
- Bypassed digital controls by photographing screens on work devices.
- Exfiltrated the data via personal devices and third-party messaging channels (named after themselves), ultimately to Iran.
- Continued even after Google flagged suspicious activity and revoked access.
This is a textbook nation-state-linked insider threat involving motivated insiders with foreign ties, deliberate evasion tactics, and exfiltration of high-value IP.
How TMPC INC’s Insider Threat + User Activity Monitoring (UAM) program prevents this
TMPC INC is a U.S. government-focused firm (SDVOSB / 8(a)) that specializes in building full-spectrum insider threat programs for defense, intelligence, and critical-infrastructure organizations. Their core framework is CONTROL → MONITOR → RESPOND, built on a Zero Trust foundation and 12+ years of experience.
Here’s exactly how their capabilities map to stopping the Google/Snapdragon case:
| Phase | TMPC Capability | How it stops this specific attack |
| --- | --- | --- |
| CONTROL (Deterrence) | Policy & awareness programs, least-privilege access, clear rules on personal devices / photography / foreign travel | Employees with Iranian family ties or recent Iran travel get elevated scrutiny. Explicit bans on photographing screens + mandatory training on espionage indicators deter the “I’ll just take photos” tactic. |
| MONITOR (Detection) | Continuous User Activity Monitoring (UAM) across endpoints, file access, app usage, USB/personal device connections, and behavioral analytics | Flags: bulk access to crypto/processor files with no business need, screen-photography patterns (via endpoint sensors or anomalous “view-only” sessions), transfers to personal laptops or Telegram-like apps, post-incident Google searches on “how to delete messages” or “carrier log retention.” |
| RESPOND (Disruption) | Rapid-response playbook, automated account lock, multidisciplinary team (Security + CI + HR + Legal) | As soon as an anomaly hits (e.g., unusual after-hours access by someone with foreign connections), TMPC’s system triggers immediate investigation and revocation — before the data ever leaves the building or reaches Iran. Google caught it late; TMPC aims to catch it early. |
Key advantages TMPC brings that most companies miss:
- Multidisciplinary insider threat team — They integrate Counterintelligence (CI), behavioral science, HR, and cybersecurity so the husband’s Iranian army background + the family’s Iran trip would have been visible as a risk indicator long before theft started.
- Focus on foreign-agent infiltration — Their materials specifically call out preventing “covert foreign agent” scenarios like this one.
- Zero Trust + UAM baked in — They don’t just monitor; they assume every user could be a threat and continuously validate behavior.
- Vendor/Contractor extension — If any of the engineers moved between Google and the Snapdragon company, TMPC’s vendor-threat module would have visibility across the supply chain.
Practical implementation steps you could take right now with TMPC
- Gap assessment — TMPC does a quick insider-threat maturity review (they’ve done this for USSOCOM and other federal clients).
- Deploy UAM layer — On top of whatever you already have (Google’s monitoring caught the activity but too late).
- Add behavioral + CI triggers — Automatic flagging for travel to Iran/China/Russia, family foreign-national ties, unexplained wealth, etc.
- 24/7 monitoring & response — Their team or your SOC can use their playbook to shut down exfil attempts in minutes.
- Ongoing training & deterrence — Regular simulations of “photograph-and-exfil” scenarios so employees know it’s not worth it.
In short: Google detected the theft after it happened. TMPC’s program is built to detect and stop it while the first file is still being copied.
If your organization (or a client) handles sensitive IP, especially anything defense/tech-related with foreign-national employees, TMPC’s offering is one of the strongest commercial/government solutions available for this exact threat vector.