adimage
adimage
Home / Trump / DOGE At NLRB

DOGE At NLRB

By
/
On April 20, 2025
/
At 5:43 pm
/
In Trump
758 Views
Credit: Pixabay

I continue to wonder why Musk’s goons don’t get bodily removed from more offices. By now, Trumpies are in charge of enough agencies that they can order that computer access be turned over to the invaders, and, as in the takeover of the US Institute of Peace, armed guards play a part. We need to hear more about how the takeovers happen.

A whistleblower, Daniel Berulis, has provided information on what happened after the goons took over the computers at the National Labor Relations Board. When Berulis tried to raise concerns internally, someone physically taped a threatening note to his door that included sensitive personal information and overhead photos of him walking his dog that appeared to be taken with a drone.

His disclosure to Congress and other federal overseers includes forensic data and records of conversations with colleagues that provide evidence of DOGE’s access and activities. NPR wrote a long article summarizing the disclosure.

Matt Johanson nicely summarized the disclosure on Bluesky.

🧵 THREAD: A federal whistleblower just dropped one of the most disturbing cybersecurity disclosures I’ve ever read.He's saying DOGE came in, data went out, and Russians started attempting logins with new valid DOGE passwordsMedia's coverage wasn't detailed enough so I dug into his testimony:— Matt Johansen (@mattjay.com) 2025-04-18T00:10:37.000Z

Who’s the whistleblower?Daniel Berulis — a senior DevSecOps architect at the National Labor Relations Board (NLRB), formerly with TS/SCI clearance.He just told Congress the Department of Government Efficiency (DOGE) pulled off a covert cyber op inside a federal agency.— Matt Johansen (@mattjay.com) 2025-04-18T00:10:47.000Z

DOGE demanded root access.Not auditor access. Not admin.They were given “tenant owner” privileges in Azure — full control over the NLRB’s cloud, above the CIO himself.This is never supposed to happen.— Matt Johansen (@mattjay.com) 2025-04-18T00:11:11.000Z

They disabled the logs.Berulis says DOGE demanded account creation with no recordkeeping.They even ordered security controls bypassed and disabled tools like network watcher so their actions wouldn’t be logged.— Matt Johansen (@mattjay.com) 2025-04-18T00:11:27.000Z

And then the data started flowing out.10+ GB spike in outbound trafficExfiltration from NxGen, the NLRB's legal case databaseNo corresponding inbound trafficUnusual ephemeral containers and expired storage tokens— Matt Johansen (@mattjay.com) 2025-04-18T00:11:45.000Z

They used an external library that used AWS IP pools to rotate IPs for scraping and brute force attacks.They downloaded external GitHub tools like requests-ip-rotator and browserless — neither of which the agency uses.— Matt Johansen (@mattjay.com) 2025-04-18T00:12:00.000Z

The most daming claim in this statement IMO:Within 15 minutes of DOGE accounts being created…Attackers in Russia tried logging in using those new creds.Correct usernames and passwords.2 options here. The DOGE device was hacked. And I don't think I need to explain the 2nd.— Matt Johansen (@mattjay.com) 2025-04-18T00:12:18.000Z

Multi-factor authentication? Disabled.Someone downgraded Azure conditional access rules — MFA was off for mobile.This was not approved and not logged.— Matt Johansen (@mattjay.com) 2025-04-18T00:12:24.000Z

Cost spikes without new resources.Azure billing jumped 8% — likely from short-lived high-cost compute used for data extraction, then deleted.— Matt Johansen (@mattjay.com) 2025-04-18T00:12:32.000Z

US-CERT was about to be called in.CISA’s cyber response team.But senior officials told them to stand down — no report, no investigation.— Matt Johansen (@mattjay.com) 2025-04-18T00:12:49.000Z

Highlights (or lowlights):

  • DOGE were given “tenant owner” privileges, which allowed them full control over NLRB’s cloud.
  • They disabled logging tools so that their actions wouldn’t be logged.
  • 10+ GB spike in outbound data.
  • Within 15 minutes of DOGE accounts being created, attackers in Russia tried logging in using those new creds. Correct usernames and passwords.

The DOGE teams seem to use their “official” status to gain access to computers, but disabling logging tools suggests that they are not working for the federal government. If they were, logging would be part of the job. It’s been clear for some time that DOGE is taking a lot of sensitive data (our formerly private and personal data) for themselves. The Russian attack is a bit of a surprise; they also disabled some of the safeguards like two-factor login, so it could have been part of the continuing Russian attacks to hack government data. I will leave you to imagine other possibilities.

Cross-posted to Nuclear Diner

  • Facebook
  • Twitter
  • Linkedin
This div height required for enabling the sticky sidebar
Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views :