GNU social JP
GNU social JP is a Japanese GNU social server.
Conversation

    BrianKrebs (briankrebs@infosec.exchange)'s status on Tuesday, 22-Apr-2025 23:36:54 JST

    I published a follow-up on NPR's scoop last week about a whistleblower at the National Labor Relations Board (NLRB), who alleges DOGE created super admin accounts (w/ no logging) at NLRB and transferred ~10GB worth of data from the agency's case files.

    The story includes an interview with the whistleblower -- NLRB security architect Daniel Berulis -- and examines the technical claims in his report to lawmakers. He's taking some paid leave for now, noting that the same day the NPR story ran, the NLRB removed administrative rights for its IT staff and almost everyone else at the agency.

    The backstory is that both Amazon and Musk’s SpaceX have been suing the NLRB over complaints the agency filed in disputes about workers’ rights and union organizing, arguing that the NLRB’s very existence is unconstitutional. On March 5, a U.S. appeals court unanimously rejected Musk’s claim that the NLRB’s structure somehow violates the Constitution.

    Here's the lede:

    "A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk's Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. The NLRB whistleblower said the unusual large data outflows coincided with multiple blocked login attempts from an Internet address in Russia that tried to use valid credentials for a newly-created DOGE user account."

    https://krebsonsecurity.com/2025/04/whistleblower-doge-siphoned-nlrb-case-data/


    BrianKrebs (briankrebs@infosec.exchange)'s status on Wednesday, 23-Apr-2025 15:54:11 JST, in reply to the notice above

      Okay this is really interesting. The NLRB whistleblower Daniel Berulis told me that he found the DOGE accounts had downloaded three different code libraries from GitHub that none of their IT people or contractors used or knew about. One of them, Berulis said, had in its "README" file a description that said the software was designed as "a proxy to generate pseudo-infinite IPs for web scraping and brute forcing."

      One of the core DOGE employees is Marko Elez, and Elez's GitHub page has a very interesting code repository: async-ip-rotator, created in January 2025.

      https://github.com/markoelez/async-ip-rotator

      Checking the history of this code, Elez's profile says it was forked from this: https://github.com/Ge0rg3/requests-ip-rotator, which says in its description:

      "A Python library to utilize AWS API Gateway's large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing."

      "This library will allow the user to bypass IP-based rate-limits for sites and services."

      Gee, I wonder which DOGE employee was in the NLRB in early March?

GNU social JP is a social network, courtesy of the GNU social JP administrator. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.