DOGE’s Disclosure of a Russian Whistler in the House Oversight Committee: “Spikes in the Outbound Traffic Outside the National Guard”, said Berulis

An aide for the Democratic minority on the House Oversight Committee who was not authorized to speak publicly told NPR that the committee is in possession of multiple verifiable reports showing that DOGE has exfiltrated sensitive government data across agencies for unknown purposes, revealing that Berulis’ disclosure is not an isolated incident.

It is the opinion of the Ranking Member that DOGE may have been engaged in technological malfeasance and illegal activity, and that they have written a letter to the Inspector General at the Department of Labor and the National Labor Relations Board.

It is not clear what doge’s intentions are with regard to the NLRB data. Many of the systems that DOGE embedded itself in across the rest of the government have payment or employment data, information that it could use to evaluate which grants and programs to halt and whom to fire.

“We’ve seen Russian threat actors do things like this on U.S. government systems,” said one threat intelligence researcher who requested anonymity because they weren’t authorized to speak publicly by their employer. That analyst, who has extensive experience hunting nation-state-sponsored hackers, reviewed the whistleblower’s technical claims.

There are multiple ongoing cases involving the NLRB and companies controlled by Musk. Lawyers for the company filed suit against the National Labor Relations Board after a group of employees lodged a complaint. They claimed that the agency’s structure is unconstitutional.

Berulis tracked the data leaving the agency’s case management system inside the NLRB system. He saw a big spike in outbound traffic leaving the network. That kind of spike is extremely unusual, he explained in the disclosure, because data almost never directly leaves from the NLRB’s databases.

The inspectors general are asked to answer a number of questions relating to the possible violation of federal law, including any National Guard networks and what records of DOGe’s work within the National Labor Relations Board exist.

First, at least one DOGE account was created and later deleted for use in the NLRB’s cloud systems, hosted by Microsoft: “[email protected].”

In over a dozen lawsuits in federal courts around the United States, judges have demanded that DOGE explain why it needs such expansive access to sensitive data on Americans, from Social Security records to private medical records and tax information. Although the Trump administration has been able to give answers, they have largely dismissed privacy concerns.

Berulis: a cybersecurity consultant to protect workers’ rights in the NLRB after a whistleblower’s disclosure details how DOGE may have taken sensitive labor data

In the first days of March, a team of advisers from President Trump’s new Department of Government Efficiency initiative arrived at the Southeast Washington, D.C., headquarters of the National Labor Relations Board.

The small, independent federal agency investigates and adjudicates complaints about unfair labor practices. There are reams of potentially sensitive data in it, from confidential information about employees who want to form unions to proprietary business information.

According to the records of internal communications, the DOGE team asked that their activities not be recorded on the system, and then turned off the monitoring tools in order to avoid detection, which resulted in evasive behavior.

It’s a familiar story for tech nerds the world over: He methodically took the machine apart “to figure out how it works,” just like he had dissected radios from the thrift store years earlier. He said he killed himself once.

A knee injury prevented him from joining the military. A volunteer firefighter for a time, he also answered calls from rape crisis hotlines in need of someone to listen. But, he told NPR, “I had an interest in serving my country.”

When a job was opened at the National Labor Relations Board, Berulis, a technical consultant for many years, was the first one to apply.

Berulis wanted to help people and he found the agency’s goal to protect employees’ rights in line with that.

He started about six months before President Trump was inaugurated for his second term this past January. Berulis said he hit the ground running, securing the NLRB’s cloud-based data servers and reinforcing what’s called “zero trust” principles, which means that users can get access only to the parts of the system they need in order to do their jobs — no more, no less. If the attacker has a single usernames and passwords, they can’t access the entire system.

“When I first started, it was a dream come true,” he said. “I had the opportunity to build up and do some good.” But after the inauguration, he described a “culture of fear” descending over the agency.

Source: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data

Forensic Analysis of an Unrestricted User’s Access Account in a DOGE Cybersecurity Auditing Facility and its Contribution to NxGenBdoorExtract

A group of people saw a black SUV and police escort enter the garage as security let the DOGE staffers in. They never introduced themselves to the IT team while interacting with a small number of staffers.

Berulis says he was told by colleagues that DOGE employees demanded the highest level of access, what are called “tenant owner level” accounts inside the independent agency’s computer systems. Berulis gave a disclosure to congress about those that allowed unrestricted permission to read, copy and alter data.

The National Institute of Standards and Technology, as well as the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the FBI, have recommended best practices that are contrary to those of a failure to log activity.

Digital forensic records are important for record-keeping, but they can also be used to investigate potential attacks and help experts figure out whether a vulnerability is actually the one that allowed attackers to get inside a network. The records can also help experts see what data might have been removed. Basic logs will likely not be sufficient to demonstrate the scale of a bad actor’s activities. The experts said there was no reason for any legitimate user to turn off their security tools.

Braun said any chief information security officer worth his salt would look at the network activity and assume it was a nation-state attack from China or Russia.

In order to help others understand what he is doing with the coding projects that he is currently working on, Jordan was sharing information about his work with the public.

After Roger Sollenberger posted on X about the account, Berulis discovered that it was a repository of a project called NxGenBdoorExtract.

NxGen: A Portal for Unrelated Labor Practices in the United States and Beyond, and What Happened to Berulis?

“So when I saw this tool, I immediately panicked, just for lack of a better term,” he said. “I kind of had a conniption and said, ‘Whoa, whoa, whoa.’” His entire team was immediately notified by him.

One of the engineers who created NxGen and asked for anonymity, said that it definitely seemed odd to call it that. “Or brazen, if you’re not worried about consequences.”

Access to the NxGen data would make it easier for companies to fire employees for union organizing or keep blacklists of organizers — illegal activities under federal labor laws enforced by the NLRB. But “people get fired in this country all the time for the lawful act of trying to organize a union,” said Block.

“None of that confidential and deliberative information should ever leave the agency,” said Richard Griffin, who was the NLRB general counsel from 2013 to 2017, in an interview with NPR.

He was able to assemble puzzle pieces he could use to look into what happened because he included details in his official disclosure.

Then, DOGE engineers installed what’s called a “container,” a kind of opaque virtual computer that can run programs on a machine without revealing its activities to the rest of the network. On its own, that wouldn’t be suspicious, though it did allow the engineers to work invisibly and left no trace of its activities once it was removed.

While investigating the data taken from the agency, Berulis tried to determine its ultimate destination. But whoever had exfiltrated it had disguised its destination too, according to the disclosure.

A whistleblower’s disclosure details how DOGE may have taken sensitive labor data: An investigation at the Regional Offices of the National Labor Law Review

The atmosphere at work at the regional offices is chaotic according to the employees who shared the email. “There is panic among the employees,” said one of the employees. The office was in turmoil since the email was sent.

The labor law experts who worked with or at the NLRB told NPR that when external parties like lawyers or the inspector general are granted guest accounts on the system, they only view files relevant to their case or investigation.

The disclosure indicates that they were able to start a formal investigation and prepare a request for assistance from the CSA. However, those efforts were disrupted without an explanation, Berulis said. Berulis felt he needed help getting to the bottom of what happened and figuring out what new vulnerabilities might be found as a result.

The targeted, physical intimidation and surveillance of my client is if the underlying disclosure wasn’t concerning enough. If this happens to Mr Berulis, it’s likely that others will as well and that our nation will fall in line with authoritarian regimes than with free and open democracies. It is time for Congress to acknowledge the facts in order to stop our liberties from slipping away, something that will take generations to repair.

In fact, despite all that, Berulis managed to uncover some stranger and more troubling details about what happened while DOGE was logged on, which he enumerated in his official declaration.

Source: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data

Source: How Do People Identify a Data-Hiding Attack in Domain Name Systems? The Case of the DOGE Engineer Berulis

Unknown users gave themselves a high-level access key which allowed them to access storage accounts before they were deleted. Berulis said they had no way of knowing what they did with it.

Berulis said he noticed five PowerShell downloads on the system, a task automation program that would allow engineers to run automated commands. He was interested in the code libraries that appeared to have tools that would automate and hide data exfiltration. There was a tool to generate a seemingly endless number of IP addresses called “requests-ip-rotator,” and a commonly used automation tool for web developers called “browserless” — both repositories starred or favorited by Wick, the DOGE engineer, according to an archive of his GitHub account reviewed by NPR.

Berulis says someone might be trying to prevent the data exfiltration from being detected. The conclusion was reached after he saw a spike in traffic in the domain name system as the data was being exfiltrated, compared to the normal number of requests.

When someone uses this kind of technique, they set up a domain name that pings the target system with questions or queries. The compromised server is configured so that it responds to the queries by sending packets of data, which allows the attacker to steal the information that has been broken down.

Source: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data

The FBI and The State of the Art: Investigating the NLRB Forensics and Associated Evidence of Berulis’ Crime

“The difference is, they were given the keys to the front door,” the researcher continued. While the researcher clarified that it would be difficult to fully verify what happened without full access to the NLRB system, they said Berulis’ conclusions and accompanying evidence were a cause for concern. “None of this is standard,” they said.

Russ Handorf served in the FBI for ten years and spoke to NPR about his conclusions after reviewing Berulis’ technical forensic records.

“All of this is troubling,” he said. “If this was a publicly traded company, I would have to report this [breach] to the Securities and Exchange Commission. The timeline shows a lack of respect for the institution and the data that was exfiltrated. There is no reason to increase the security risk profile by disabling security controls and exposing them, less guarded, to the internet. They did not copy the data to local media for escort in the way that a more prudent standard practice of copying the data should have done.

There are problems in the government that warrant further review, but according to experts, there is no reason that the case management system data should be removed.

“There is no reason whatsoever for accessing the information. Now, could any agency be more efficient? Is it more effective? Positively. But what you need for that is people who understand what the agency does. “That is not done with mining data, putting software in and causing a security issue,” said Harley Shaiken of the University of California, Berkeley.

“There is nothing that I can see about the manner in which the audit is conducted that will follow any of the procedures that have been used in the past and that will produce results that serve the 888-739-5110 888-739-5110 888-739-5110 888-739-5110 888-739-5110 888-739-5110 888-739-5110 888-739-5110 888-739-5110 888-739-5110 888-739-5110 888-739-5110 888-739-5110 888-739-5110 888-739-5110 888-739-5110 888-739-5110 888-739-5110 888-739-5110

The government is not about finding more efficient ways to operate, but rather the mismatch between what they’re doing and an established professional way to do it.

Source: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data

Accessing Trade Secrets in Labor Laws: A Problem for Labor Law Experts and Analyses of the NLRB’s Investigation

It’s a danger to labor law experts that the possibility of sensitive records being copied is so serious that it could cause employees to not call the National Labor Relations Board for protection.

“Just saying that they have access to the data is intimidating,” said Kate Bronfenbrenner, the director of labor education research at Cornell University and co-director of the Worker Empowerment Research Network. “Many people will refuse to testify before the board because they are afraid their employer will get access.”

The child of parents who fled the Soviet Union and Nazis spends a lot of time thinking about what can happen when things go wrong. “You know, there’s this belief that we have these checks and balances … but anyone who’s part of the labor movement should know that’s not true,” she told NPR.

With access to the data, it would make it easier for companies to fire employees for union organizing or keep blacklists of organizers — illegal activities under federal labor laws enforced by the NLRB. People getting fired for attempting to organize a union all the time in this country, said Block.

The data might hurt other people if it gets out. The company may give a detailed statement on its internal business planning during the unfair-labor-practice complaint proceedings. Those trade secrets could be an issue in the board’s investigation if the company was trying to fire someone who had disclosed them and was fighting the unfair labor practice complaint. That information is very useful for competitors, regulators and others.

“I think it’s very worrying,” said Shaiken. “It could result in damage to individual workers, to union-organizing campaigns and to unions themselves,” he said.

Trump and the Labor Board: What DOGE can do to protect our freedom from lawsuits against our companies,” a Fox News interview with Musk, Murphy, and Murphy

Trump and Musk, during an interview with Fox News’s Sean Hannity, said Musk would recuse himself from anything involving his companies. Musk said that he had never asked the president for anything. “I’m getting a sort of a daily proctology exam here. I will not be getting away with something in the dead of night. There is no evidence that a firewall has been put in place to prevent the misuse of the data that Doge has access to.

During the confirmation hearing for the labor secretary in February, Senator Chris Murphy raised his concerns over Musk’s access to sensitive labor investigation data about cases against his companies. He pressed her to answer whether she believed the NLRB is constitutional and to commit to keeping sensitive data confidential. While she said she was committed to “privacy” and said she respects the NLRB’s “authority,” she insisted that Trump “has the executive power to exercise it as he sees fit.”

Shaiken said that the NLRB was created to guarantee workers rights to organize and to address workplace problems. He said that the labor movement received an unusual amount of support from Washington. “But what we have seen is a sharp slamming of the brakes to that and putting the vehicle in reverse in terms of what Trump has done so far,” he continued.

In addition to sending DOGE to the NLRB, the Trump administration tried to neutralize the board’s power to enforce labor law by removing its member Gwynne Wilcox. Courts have gone back and forth on whether Wilcox’s removal was illegal, as presidents are meant to demonstrate cause for dismissal of independent board members.

Source: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data

How Russian emails expose criminal and intellectual property crimes: Harvard Law’s Block, xAI, DOGE, and the Founders of Technology Transformation Services

“It’s not that he’s a random person who’s getting information that a random person shouldn’t have access to,” said Harvard Law’s Block. If the government did get everything, he would have information about the cases it was building against him.

“DOGE is headed by someone who is the subject of active investigation and prosecution for cases, no matter what they admit or not.” It is incredibly troubling,” she said.

Musk’s company xAI could also benefit from sucking up all the data DOGE has collected to train its algorithms. Cybersecurity experts like Bruce Schneier, a well-known cryptographer and adjunct lecturer at the Harvard Kennedy School, have pointed to this concern at length in interviews and written pieces.

According to two federal government sources who were not authorized to speak publicly about their workplaces and who shared email documentation with NPR, managers have consistently been warning employees that their data could be subject to AI review, particularly their email responses to the Musk-led campaign to get federal employees to detail “what they did last week” in five bullet points every Monday.

“It’s not a flight of imagination to see several DOGE staffers release some of that [data] surreptitiously to Musk or people close to him,” said Shaiken.

“Both criminals and foreign adversaries traditionally have used information like this to enrich themselves through a variety of actions,” explained Handorf, the former FBI cyber official. “That includes blackmail, targeting and prioritizing intellectual property theft for espionage or even harming a company to enrich another.”

The experts interviewed by the NPR said that the failed login attempts from a Russian address were not a smoking gun. But given the overall picture of activity, it’s a concerning sign that foreign adversaries may already be searching for ways into government systems that DOGE engineers may have left exposed.

“When you move fast and break stuff, the opportunity to ride the coattails of authorized access is ridiculously easy to achieve,” said Handorf. It would be easy for spies or criminals to steal data if access points to the network were left open.

The principle of least privilege is one of the reasons systems are usually architected with this in mind, according to Ann Lewis, the former director of Technology Transformation Services. “The principle of least privilege is a fundamental cybersecurity concept … that states that users should have only the minimum rights, roles and permissions required to perform their roles and responsibilities. This helps protect access to high value data and critical assets from misuse, accidental damage, and malicious actions.

What DOGE Engineers Done to Obfuscate the National Labor Relations Board’s Cyber Security and Infrastructure Security: Why DOGE was Shut Down, or Why Do They Put It on the Floor?

The Cybersecurity and Infrastructure Security Agency in the Interior Department is one of the agencies that has been forced to relocate or put on administrative leave. That has limited their power to respond to the ongoing disruptions or keep track of what DOGE is doing.

When she heard about how DOGE engineers operated at the NLRB, particularly the steps they took to obfuscate their activities, she recognized a pattern.

When she heard that data from the National Labor Relations Board may be exposed, she was trembling. “They can get every piece of whistleblower testimony, every report, everything. This is not good.”

One employee at an agency of the Interior Department who asked not to be named said that the cyber teams were annoyed because they had to ” sit on their hands” when every alarm system regarding insider threats went off. Cybersecurity teams wanted to shut off new users’ access to the system, the employee continued, but were ordered to stand down.

Meanwhile, in a letter published on March 13 on Federal News Network, 46 former senior officials from the General Services Administration, one of the government agencies hardest hit by DOGE’s cost-cutting efforts and that oversees nearly all federal buildings and purchasing, wrote that they believed “highly-sensitive IT systems are being put at risk and sensitive information is being downloaded to unknown, unvetted external sources in clear violation of privacy and data-protection rules.”

The reason for a Privacy Act is that the federal government needed some restrictions on what it could and couldn’t do, because it was so full of information about normal people. “The information silos are there for a reason,” he continued. “It’s astonishing to me that the very people who not a handful of years ago were screaming about the government tracking us with vaccines now cheer for feeding every piece of information about themselves into Elon Musk’s stupid Skynet.”

For Berulis, it was important to speak out, because he believes people deserve to know how the government’s data and computer systems are at risk, and to prevent further damage. As a former IT consultant, Berulis says he would have been fired for operating like DOGE.

“I believe this goes beyond just case data,” he said. I am aware of people who have seen similar behavior at other agencies. I firmly believe that this is happening maybe even to a greater extent at other agencies.”

“It was my goal by disclosing to Congress not to focus on me at all, but to give them information that they might not necessarily have, the things that you don’t necessarily look for unless you know where to look,” he continued.

A Reply to Berulis’ Request for Integrating the DOGE Information System with the FBI and the First Investigation of Wrong Doomsday

Berulis had a simple request for the DOGE engineers: “Be transparent. Don’t be secret, if you don’t have anything to hide, don’t destroy logs. Be open, because that’s what efficiency is really about. If this is all a huge misunderstanding, then just prove it. Put it out in the open. That’s all I’m asking.”

“This could just be the start of the operation. … He said they are plugged into every federal system, but still haven’t crossed that boundary. “So maybe there is still time.”

According to the disclosure, someone had disabled controls that would prevent insecure or unauthorized mobile devices from logging on to the system without the proper security settings. There was an interface exposed to the public internet, potentially allowing malicious actors access to their systems. Internal alerting and monitoring systems were turned off manually. The multifactor verification was disabled.

She said that a list of key organizers and potential members of the union would make it easier to organize.

The ad hoc Department of Government Efficiency team is assigning two staffers to work at the independent agency where a whistleblower alleged Tuesday DOGE may have already removed sensitive labor data from its systems.

The email that was sent to the staff on behalf of the chairman and acting general counsel was shared with NPR by two employees at regional offices who are not authorized to speak publicly.

The representatives requested information about agency operations but asked us to remove personally identifiable information from the documents we provide, the email states. The agency will comply with the requests of the DOGE under applicable laws.