newsweekshowcase.com

5 things that were learned from the NPR report on the DOGE at the NLRB

Berulis’ disclosure to the NLRB’s cloud has been exposed to malicious attackers: A case study in Musk’s companies

An aide for the Democratic minority on the House Oversight Committee who was not authorized to speak publicly told NPR that the committee is in possession of multiple verifiable reports showing that DOGE has exfiltrated sensitive government data across agencies for unknown purposes, revealing that Berulis’ disclosure is not an isolated incident.

The inspector general of the Department of Labor and the inspector general of the National Labor Relations Board were given a letter by Ranking Member Connolly expressing concern that DOGE may be engaged in technological malfeasance.

If the data isn’t properly protected after it leaves the agency or if DOGE left a digital door open to the agency itself, data could also be exposed to potential sale or theft by criminals or foreign adversaries. An attacker could also try to take advantage of the connections between the NLRB’s cloud account and other government cloud environments, using their access to the NLRB as a foothold to move to other networks.

“I can’t attest to what their end goal was or what they’re doing with the data,” the whistleblower, Daniel Berulis, said in an interview with NPR. “But I can tell you that the bits of the puzzle that I can quantify are scary. … We’re looking at a very bad picture.”

There are many ongoing cases involving Musk’s companies. After a group of former employees lodged a complaint against the company, some of whom were just hired into a government job, lawyers for the company filed a suit against the National Labor Relations Board. They argued that the agency’s structure is unconstitutional.

Someone had disabled controls that would prevent insecure or unauthorized mobile devices from logging on to the system without the proper security settings. There was an interface exposed to the public internet, potentially allowing malicious actors access to the NLRB’s systems. The internal alerting and monitoring systems were manually turned off. Multifactor authentication was disabled. Berulis noticed that an unknown user had exported a file containing contact information for outside lawyers who worked with the National Labor Relations Board.

The letter asks the inspectors general to answer a number of questions regarding ways DOGE may have potentially violated federal law, including any NLRB networks DOGE staffers had access to and what records of DOGE’s work within NLRB systems exist.

A person with an Internet Protocol address located in Russia started attempting to log into the system within minutes after DOGE accessed it. The attempts were “near real-time,” according to the disclosure. Those attempts were blocked, but they were especially alarming. Whoever was attempting to log in was using one of the newly created DOGE accounts — and the person had the correct username and password, according to Berulis. While it’s possible the user was disguising their location, it’s highly unlikely they’d appear to be coming from Russia if they wanted to avoid suspicion, cybersecurity experts interviewed by NPR explained.

Trump’s executive order urging increased data sharing by eliminating information silos was an attempt to give the DOGE engineers more of a protection plan when it came to accessing and merging federal data.

In the first week of March, a group of people from President Trump’s Department of Government Efficiency arrived at the National Labor Relations Board headquarters.

The small, independent federal agency investigates and adjudicates complaints about unfair labor practices. It stores reams of potentially sensitive data, from confidential information about employees who want to form unions to proprietary business information.

How DOGE Suppressed Employee Hacking: A Tale of Two Technniaks and a “Circle of Fear”

Meanwhile, according to the disclosure and records of internal communications, members of the DOGE team asked that their activities not be logged on the system and then appeared to try to cover their tracks behind them, turning off monitoring tools and manually deleting records of their access — evasive behavior that several cybersecurity experts interviewed by NPR compared to what criminal or state-sponsored hackers might do.

It is a familiar tale for tech nerds everywhere, as he meticulously takes the machine apart to figure out how it works. He said that he cut himself once.

A knee injury prevented him from joining the military. He served as a volunteer firefighter for a period and donated his time working for a local rape crisis hotline, answering calls from victims in need of someone to listen. He told NPR he had an interest in serving his country.

Berulis had been a technical consultant for many years, including in auditing and modernizing corporate systems, when a job opened up at the National Labor Relations Board.

While he didn’t know much about the agency, Berulis quickly found its mission to protect employees’ rights in line with his long-standing desire “to help people.”

He started about six months before President Trump was inaugurated for a second term. Berulis stated that he secured the NLRB’s cloud-based data server and reinforced what are called “zero trust” principles, so that users can get access only to the parts of the system they need in order to do their jobs. That way, if an attacker gets hold of a single username and password, the attacker can’t access the whole system.

He said it was a dream come true when he first started. There was a good chance to do some good. After the inauguration, he said there was a “culture of fear” at the agency.

Source: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data

Forensic Logs: If You Can’t Delete It, Then Someone Will Attempt to Identify the Cybersecurity Threats Against You

Berulis said he and several colleagues saw a black SUV and police escort enter the garage, after which building security let the DOGE staffers in. They never came up to most of the IT team while interacting with a small number of staffers.

Berulis said that he was told that the DOGE employees wanted the highest level of access to their accounts in the agency’s computer systems. Those offer essentially unrestricted permission to read, copy and alter data, according to Berulis’ disclosure to Congress.

For cybersecurity professionals, a failure to log activity is a cardinal sin and contradicts best practices as recommended by the National Institute of Standards and Technology and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, as well as the FBI and the National Security Agency.

Those forensic digital records are important for record-keeping requirements and they allow for troubleshooting, but they also allow experts to investigate potential breaches, sometimes even tracing the attacker’s path back to the vulnerability that let them inside a network. The records can also help experts see what data might have been removed. Basic logs would likely not be enough to demonstrate the extent of a bad actor’s activities, but they would be a start. Cybersecurity experts say there is no reason for users to turn off security tools.

“If he didn’t know the backstory, any [chief information security officer] worth his salt would look at network activity like this and assume it’s a nation-state attack from China or Russia,” said Jake Braun, a former White House cyber official.

Massachusetts Institute of Technology graduate and DOGE engineer Jordan Wick had been sharing information about coding projects he was working on to his public account with GitHub, a website that allows developers to create, store and collaborate on code.

Berulis noticed something was going on after journalist Roger Sollenberger started posting about it on X.

The Case Management System of the National Labor Relations Board (NLRB). An Investigation by a General Counsel, Richard Berulis, and an Interrogator with the NLRB

He said that when he saw the tool, he immediately panicked. “I kind of thought about that and said, ‘Whoa, whoa’.” He immediately alerted his whole team.

One of the engineers who worked on NxGen asked for anonymity so as not to jeopardize their ability to work with the government again. You should be bold if you aren’t worried about consequences.

NxGen is an internal system that was designed specifically for the NLRB in-house, according to several of the engineers who created the tool and who all spoke to NPR on condition of anonymity to avoid retaliation or adverse consequences for any future government work.

Richard Griffin was the general counsel of the National Labor Relations Board from July to April of last year.

He counted on the fact that DOGE had left a few traces of its activities behind, and that he could assemble puzzle pieces to try to figure out what happened.

DOGE engineers installed a kind of virtual computer called a “container,” which can run on a single machine without revealing its activities to the rest of the network. That allowed the engineers to work without being detected, and the container left no trace of its activities once it was removed.

Then, Berulis started tracking sensitive data leaving the places it’s meant to live, according to his official disclosure. First, he saw a chunk of data exiting the NxGen case management system’s “nucleus,” inside the NLRB system, Berulis explained. Then, he saw a large spike in outbound traffic leaving the network itself.

Berulis explained that the spike is very unusual because data almost never leaves from the NLRB’s databases. There’s only one noticeable spike of data exiting the system that Berulis shared with the public. He also confirmed that no one at the NLRB had been saving backup files that week or migrating data for any projects.

When external parties, such as the inspector general, are granted an account on the system, they only see the files that are relevant to their case or investigation, according to labor law experts speaking with NPR.

Comments on the DOGE Cybersecurity Defender’s Detection – A Symmetry Breakdown in the Environment of a Data Exfiltration Attack

They prepared a request for help from the Cybersecurity and Infrastructure Security Agency and launched a formal breach investigation, according to the disclosure. However, those efforts were disrupted without an explanation, Berulis said. Berulis felt that he needed help getting to the bottom of what had happened, and determining what new vulnerabilities might be exploited.

“If the underlying disclosure wasn’t concerning enough, the targeted, physical intimidation and surveillance of my client is. If Mr. Berulis is going through this, it is going to make our nation more authoritarian than it already is,” according to the statement from his attorney. “It is time for everyone – and Congress in particular – to acknowledge the facts and stop our democracy, freedom, and liberties from slipping away, something that will take generations to repair.”

Berulis was able to find some troubling and strange details about what transpired while DOGE was logging on, which he enumerated in his declaration.

Unknown users also gave themselves a high-level access key, what’s called a SAS token, meaning “shared access signature,” to access storage accounts, before deleting it. Berulis said there was no way to track what they did with it.

Berulis said he noticed five PowerShell downloads on the system, a task automation program that would allow engineers to run automated commands. There were a lot of code libraries that he found interesting; he said they appeared to have been designed to mask data exfiltration. The DOGE engineer, who was named Wick, had starred or favorited both the “requests-ip-rotator” and “browserless” tools that generated an endless number of internet addresses.

Berulis said someone appeared to be trying to prevent the data exfiltration from being detected. He came to that conclusion, outlined in his disclosure, after he saw a traffic spike in DNS requests parallel to the data being exfiltrated, a spike 1,000 times the normal number of requests.

When someone uses this kind of method, they establish a domain name that is used for questions or queries. But they configure the compromised server so that it answers those DNS queries by sending out packets of data, allowing the attacker to steal information that has been broken down into smaller chunks.
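The two signals described above, a query-volume spike and data-bearing subdomains, can be checked against DNS query logs. The following is an added example, not code from the disclosure or the NPR report; the log records, domain names and thresholds are constructed assumptions, with the 1,000x factor taken from the spike Berulis described.

```python
import hashlib
import math
import statistics
from collections import Counter, defaultdict


def label_entropy(label):
    """Shannon entropy, in bits per character, of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def base_domain(qname):
    """Last two labels of a name. Assumption: production code would
    consult the Public Suffix List instead of this shortcut."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def volume_spikes(records, baseline_minutes, factor=1000):
    """Minutes whose query count is >= factor x the baseline median."""
    per_minute = Counter(minute for minute, _ in records)
    baseline = statistics.median(per_minute.get(m, 0) for m in baseline_minutes)
    if baseline <= 0:
        return []
    return sorted(m for m, count in per_minute.items()
                  if m not in baseline_minutes and count >= factor * baseline)


def tunnel_candidates(records, min_unique=50, min_len=30, min_entropy=3.0):
    """Domains queried with many long, random-looking leftmost labels,
    the shape data takes when it is chunked into DNS names."""
    subs = defaultdict(set)
    for _, qname in records:
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) > 2:
            subs[base_domain(qname)].add(labels[0])
    flagged = {}
    for domain, labels in subs.items():
        mean_len = statistics.mean(len(l) for l in labels)
        mean_ent = statistics.mean(label_entropy(l) for l in labels)
        if (len(labels) >= min_unique and mean_len >= min_len
                and mean_ent >= min_entropy):
            flagged[domain] = len(labels)
    return flagged


def build_sample():
    """Constructed (minute, query_name) records: ten quiet minutes,
    then one minute of hex-chunk lookups under a single domain."""
    normal = ["www.example.com", "mail.example.org",
              "portal.example.com", "time.example.org"]
    records = [(m, name) for m in range(10) for name in normal]
    for i in range(4200):
        chunk = hashlib.sha256(str(i).encode()).hexdigest()[:40]
        records.append((10, f"{chunk}.t.example.net"))
    return records


if __name__ == "__main__":
    sample = build_sample()
    print("spike minutes:", volume_spikes(sample, range(10)))
    print("tunnel candidates:", tunnel_candidates(sample))
```

Volume alone can be explained by a misbehaving client, so the second check is what ties the spike to a single domain receiving encoded-looking names.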


Investigating the FBI and DOGE about Berulis’ NLRB-Elon-Musk-Spacex-Security Action

“The difference is, they were given the keys to the front door,” the researcher continued. While the researcher clarified that it would be difficult to fully verify what happened without full access to the NLRB system, they said Berulis’ conclusions and accompanying evidence were a cause for concern. They said that this isn’t standard.

Russ Handorf, who served in the FBI for a decade in various cybersecurity roles, also reviewed Berulis’ extensive technical forensic records and analysis and spoke to NPR about his conclusions.

“All of this is alarming,” he said. “I would have to tell the SEC about it if it was a publicly traded company. The timeline of events demonstrates a lack of respect for the institution and for the sensitivity of the data that was exfiltrated. The security risk profile is not reason enough to expose security controls to the internet. They didn’t exercise the more prudent standard practice of copying the data to encrypted and local media for escort.”

Experts interviewed by NPR acknowledge that there are inefficiencies across government that warrant further review, but they say they don’t see a single legitimate reason that DOGE staffers would need to remove the data from the case management system to resolve those problems.

There is no reason for you to look at the information. Is any agency more efficient? More effective? I am positive. But what you need for that is people who understand what the agency does. Harley Shaiken is a professor at the University of California, Berkeley and specializes in labor and information technology.

I can’t see anything that is different than what the standard procedures for audits do, which is to look for fraud and waste, and I think that the results will actually serve the function of auditing.

“The mismatch between what they’re doing and the established, professional way to do what they say they’re doing … that just kind of gives away the store, that they are not actually about finding more efficient ways for the government to operate,” Block said.


Trying to Find a Secret Service: The Loss of Trade Secrets During the Proceedings of the National Labor Relations Board’s Investigative Investigation

For labor law experts, the mere possibility that sensitive records were copied is a serious danger that could create a chilling effect for employees everywhere who turn to the National Labor Relations Board for protection.

The director of labor education research at Cornell University said it was “incredibly intimidating” if they said they had access to the data. People are going to say, ‘I don’t want to testify because my employer might get access.’

A child of immigrants fleeing the Soviet Union and Nazi Germany, she has a lot of time to think about how the systems can be weakened under certain circumstances. “You know, there’s this belief that we have these checks and balances … but anyone who’s part of the labor movement should know that’s not true,” she told NPR.

With access to the data, it would make it easier for companies to fire employees for union organizing or keep blacklists of organizers — illegal activities under federal labor laws enforced by the NLRB. But “people get fired in this country all the time for the lawful act of trying to organize a union,” said Block.

It’s not just employees who might suffer if this data got out. Companies also sometimes provide detailed statements on internal business planning and corporate structure in the midst of unfair-labor-practice complaint proceedings. If a company was attempting to fire someone who it alleged had disclosed trade secrets and was fighting an unfair-labor-practice complaint based around that decision, those trade secrets might come up in the board’s investigation too. The information would be useful to others.

“I think it is very concerning,” said Harley Shaiken, professor of labor studies. “It could result in damage to individual workers, to union-organizing campaigns and to unions themselves,” he said.

Doing business with the NLRB: Trump’s confiding interests and the FOX Hannity interview with Trump, Musk, and Harvard Law’s Block

Trump and Musk, during an interview with Fox News’s Sean Hannity, said Musk would recuse himself from anything involving his companies. “I haven’t asked the president for anything ever,” Musk said. “I’m getting a sort of a daily proctology exam here. I don’t think I’ll be getting away with something in the dead of night.” However, DOGE has been granted high-level access to a lot of data that could benefit Musk, and there has been no evidence of a firewall preventing misuse of that data.

Sen. Chris Murphy, D-Conn., raised his concerns about Musk accessing sensitive labor investigation data on cases against his companies or competitors during the confirmation hearing for Trump’s labor secretary, Lori Chavez-DeRemer, in mid-February. He pressed her to answer whether she believed the NLRB is constitutional and to commit to keeping sensitive data confidential. She insisted that Trump had the power to use it, even though she said she was committed to privacy.

“As an agency protecting employee rights, the NLRB respects its employee’s right to bring whistleblower claims to Congress and the Office of Special Counsel, and the Agency looks forward to working with those entities to resolve the complaints,” said Bearese, the agency’s acting spokesperson, in a statement.

In addition to sending DOGE to the NLRB, the Trump administration tried to neutralize the board’s power to enforce labor law by removing its member Gwynne Wilcox. The issue of whether Wilcox’s removal was legal has been debated by courts for years.

“It’s not that he’s a random person who’s getting information that a random person shouldn’t have access to,” said Harvard Law’s Block. “If they got everything, he will have information about the cases that the government is building against him,” she said.

“DOGE is headed by a person who is subject to active investigation and prosecution of cases, whether or not they admit it or not. It is incredibly troubling,” she said.

xAI might benefit from taking all the data that was collected by DOGE. Cybersecurity experts like Bruce Schneier, a well-known cryptographer and adjunct lecturer at the Harvard Kennedy School, have pointed to this concern at length in interviews and written pieces.

According to two federal government sources who were not authorized to speak publicly about their workplaces and who shared email documentation with NPR, managers have consistently been warning employees that their data could be subject to AI review, particularly their email responses to the Musk-led campaign to get federal employees to detail “what they did last week” in five bullet points every Monday.

“It isn’t like a flight of imagination to see some DOGE staffers make a deal with Musk to give him some of that data” said Shaiken.

“Both criminals and foreign adversaries traditionally have used information like this to enrich themselves through a variety of actions,” explained Handorf, the former FBI cyber official. Intellectual property theft, espionage, and even harming a company are just a few of the things that include blackmail.

On their own, a few failed login attempts from a Russian IP address aren’t a smoking gun, those cybersecurity experts interviewed by NPR said. It is concerning that foreigners may be looking for ways into the government systems that DOGE engineers may have left exposed.

“When you move fast and break stuff, the opportunity to ride the coattails of authorized access is ridiculously easy to achieve,” said Handorf. He thinks that if DOGE engineers left access points open it would be easy for spies or criminals to steal data from the network.

“This is exactly why we usually architect systems using best practices like the principle of least privilege,” Ann Lewis, the former director of Technology Transformation Services at the General Services Administration, told NPR in an interview. The principle of least privilege is a fundamental cybersecurity concept that states that users should have only the minimum rights, roles and permissions required to do their job. It helps protect access to high-value data and assets by preventing unauthorized access, accidental damage from user errors and malicious actions.


She’s a Girl Scout: A Case Study of the Interior Department Cyber Security and Infrastructure Security at the NLRB

The Cybersecurity and Infrastructure Security Agency has been forced to relocate or be put on administrative leave by the Interior Department, despite the fact that officials have already resigned or been fired. That has limited their power to respond to the ongoing disruptions or keep track of what DOGE is doing.

She noticed a pattern when she heard about how DOGE engineers operated at the NLRB.

She said she was trembling after learning that the data from the NLRB could be exposed. “They can get every piece of whistleblower testimony, every report, everything. This is not good.”

“Our cyber teams are pissed because they have to sit on their hands when every single alarm system we have regarding insider threats is going off,” said one employee at an agency of the Interior Department who requested anonymity, fearing retribution. The employee said that cybersecurity teams wanted to shut off the new users’ access but were ordered to stand down.

Meanwhile, in a letter published on March 13 on Federal News Network, 46 former senior officials from the General Services Administration, one of the government agencies hardest hit by DOGE’s cost-cutting efforts and that oversees nearly all federal buildings and purchasing, wrote that they believed “highly-sensitive IT systems are being put at risk and sensitive information is being downloaded to unknown, unvetted external sources in clear violation of privacy and data-protection rules.”

The Privacy Act was enacted in the 50’s because Congress realized that the federal government was overreaching with information and needed some control over it. “The information silos are there for a reason,” he continued.

According to Berulis, it was important to speak out in order to know how vulnerable the government’s data and computer systems are. Berulis says that he would have been terminated for operating like DOGE as an IT consultant.

He said, “I believe this goes far beyond just case data.” I am aware of people who have seen similar behavior at other agencies. I am pretty sure that this is happening at other agencies as well.

“My goal was not to focus on me but to let them know about things that they don’t know about, things that you don’t typically look for, unless you know where to look,” he said.

Putting it out there, but never forget: the DOGE investigation of a request for more information from Berulis and possible attackers

Berulis had a simple request for the DOGE engineers: “Be transparent. If you have nothing to hide, don’t destroy logs. Efficiency is what it’s about if you are open. If this is all a huge misunderstanding, then just prove it. Put it out there. That’s all I’m asking.”

“This could just be the start of the operation. … They still haven’t crossed that boundary where they’re plugged into every federal system out there,” he continued. “So maybe there is still time.”

According to the disclosure, someone had disabled controls that would prevent insecure or unauthorized mobile devices from logging on to the system without the proper security settings. The internet interface could have allowed malicious actors to access their systems. The internal alerting and monitoring systems were manually turned off. Multifactor authentication was disabled.

She continued that having a list of key organizers and potential members of a union would make it easier.
