Whistleblower statement on anomalies at time of DOGE work at NLRB [pdf]

(whistlebloweraid.org)

108 points | by 0xWTF 11 hours ago

19 comments

  • cowboyscott 10 hours ago

    > 21. On or about March 11, 2025, NxGen metrics indicated abnormal usage at points the prior week. I saw way above baseline response times, and resource utilization showed increased network output above anywhere it had been historically – as far back as I could look. I noted that this lined up closely with the data out event. I also notice increased logins blocked by access policy due to those log-ins being out of the country. For example: In the days after DOGE accessed NLRB’s systems, we noticed a user with an IP address in Primorskiy Krai, Russia started trying to log in. Those attempts were blocked, but they were especially alarming. Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating. There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers.

    My read on this is that one or more of the DOGE engineers is either using compromised hardware (more likely) or is themselves compromised (less likely).
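
The pattern quoted above (blocked out-of-country sign-ins landing within minutes of an account being created) is something a defender can turn into a detection. The script below is an added example, not code from the disclosure or from anyone in this thread; the JSON log format, the field names, the 15-minute window and every sample event are constructed assumptions. Blocked foreign logins on their own are routine background noise; the signal is their tight coupling to account-creation time, so the check keys on that.

```python
"""Correlate new-account creation with blocked out-of-country logins.

Added example: the log format, field names, home country, 15-minute
window and all sample events below are constructed for illustration
and are not the NLRB's logs or the whistleblower's tooling.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (JSON lines). Two event kinds matter here:
#   account_created -> the identity provider created a user
#   login_blocked   -> a geo/conditional-access policy refused a sign-in
SAMPLE_LOG = """\
{"ts": "2025-03-10T14:02:11Z", "event": "account_created", "user": "svc-review-01", "actor": "admin-a"}
{"ts": "2025-03-10T14:09:48Z", "event": "login_blocked", "user": "svc-review-01", "country": "RU", "reason": "geo_policy"}
{"ts": "2025-03-10T14:11:02Z", "event": "login_blocked", "user": "svc-review-01", "country": "RU", "reason": "geo_policy"}
{"ts": "2025-03-10T15:30:00Z", "event": "account_created", "user": "analyst-b", "actor": "admin-a"}
{"ts": "2025-03-11T09:00:00Z", "event": "login_blocked", "user": "analyst-b", "country": "DE", "reason": "geo_policy"}
{"ts": "2025-03-10T16:00:00Z", "event": "login_blocked", "user": "old-user", "country": "RU", "reason": "geo_policy"}
"""

HOME_COUNTRY = "US"  # assumption: sign-ins from here are not "out of country"


@dataclass(frozen=True)
class Finding:
    user: str
    created_at: datetime
    first_blocked_at: datetime
    countries: tuple[str, ...]
    attempts: int


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines log text into event dicts with real datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def correlate(events: list[dict],
              window: timedelta = timedelta(minutes=15),
              home: str = HOME_COUNTRY) -> list[Finding]:
    """Flag accounts whose creation is followed, within `window`, by
    blocked sign-ins from outside `home`. Accounts with no creation
    record in the log (e.g. long-standing users) are ignored: a foreign
    blocked login alone is noise, the coupling to creation is the signal."""
    created = {e["user"]: e["ts"] for e in events if e["event"] == "account_created"}
    hits: dict[str, list[dict]] = {}
    for e in events:
        if e["event"] != "login_blocked" or e.get("country", home) == home:
            continue
        t0 = created.get(e["user"])
        if t0 is None:
            continue
        if t0 <= e["ts"] <= t0 + window:
            hits.setdefault(e["user"], []).append(e)

    findings = []
    for user, evs in hits.items():
        evs.sort(key=lambda e: e["ts"])
        findings.append(Finding(
            user=user,
            created_at=created[user],
            first_blocked_at=evs[0]["ts"],
            countries=tuple(sorted({e["country"] for e in evs})),
            attempts=len(evs),
        ))
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_LOG)):
        delay = (f.first_blocked_at - f.created_at).total_seconds() / 60
        print(f"{f.user}: {f.attempts} blocked foreign login(s) from "
              f"{','.join(f.countries)} starting {delay:.1f} min after creation")
```

Run against the constructed log, only `svc-review-01` is reported: `analyst-b` has a foreign block the next day (outside the window) and `old-user` has no creation record. In a real environment the two inputs would come from the identity provider's audit log and the sign-in log; the window and the home-country assumption are the knobs to tune.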

    • FireBeyond 10 hours ago

      > or is themselves compromised (less likely)

      Why would you say that? More than one DOGE engineer has been linked to cyber-crime gangs. I don't think it's the biggest stretch to say they're already "morally ambiguous" and not above taking foreign money.

      • orwin 9 hours ago

        Because he read the DOGE "engineers'" profiles, and likely either recognized himself in some of them, or knew people like them, and the likelihood of self-important script kiddies having compromised hardware is close to like 60%.

        Especially for those older than 16, I've noticed. You have like an inert Dunning-Kruger effect (you start mildly arrogant, your arrogance grows and grows until you truly learn some skills and your arrogance decreases, slowly). I like my red team friends in general, but if you just graduated from script kiddie to a real job: people mostly entertain/endure you because they know you will grow out of it, but the faster you do, the better.

    • delusional 10 hours ago

      I was a script kid back in the day. There's a non-zero (I would argue pretty large) chance that they're sharing these credentials in real time with random Discord/Signal chat rooms. In these communities, access is the currency, and I have no conviction that "big balls" is bound by his duties as a public servant.

  • noitpmeder 10 hours ago

    > while my client and my team were preparing this disclosure, someone physically taped a threatening note to Mr. Berulis’ home door with photographs – taken via a drone – of him walking in his neighborhood. The threatening note made clear reference to this very disclosure he was preparing for you, as the proper oversight authority.

    This is INSANE stuff

  • 0xWTF 11 hours ago

    Any opinions from cybersecurity experts? Is this concerning or over-hyped drama?

    • mikekij 11 hours ago

      Cybersecurity "expert" here. This seems to be under-hyped, if possible. If there were login attempts that even appeared to be coming from Russia using valid credentials that were created less than an hour before, it can really only be explained by collusion or an attacker having visibility into the process that created the credentials in the first place.

      The fact that the traffic appeared to be coming from Russia isn't particularly compelling, as it's very easy to make your web traffic appear to be coming from another country. But I struggle to understand why a legitimate user of those credentials would willfully make their legitimate use of government systems appear to be coming from an adversary.

    • Rygian 11 hours ago

      From a cursory read, it says "DOGE came in, were given super-admin access without following procedures, and without a written track, and then plenty of logging was disabled and strange stuff started appearing".

      If you ask me, it's the equivalent of the FBI inviting themselves into your home, telling you to "not come back until tomorrow" and then bugging it cellar to roof.

    • delusional 11 hours ago

      Obviously you have to trust the guy, but if you do, this part is already extremely damning.

      >received a call during which an ACIO stated instructions were given that we were not to adhere to SOP with the doge account creation in regards to creating records. He specifically was told that there were to be no logs or records made of the accounts created for DOGE employees. DOGE officials required the highest level of access and unrestricted access to internal systems. They were to be given what are referred to as “tenant owner” level accounts

      If you seek the opinion of a "security expert" I'd recommend reading the sworn affidavit in Exhibit A. He seems competent, and perjury there seems less likely than here on HN. It's quite well formulated.

    • orwin 9 hours ago

      I mostly make tooling for the blue team, so I'm not a true expert. The network part is correct, that's how you would do it; on the rest I'm not competent, except to judge the security practices.

      It seems the whistleblower is _very_ competent and the story checks out (I know only two persons who could do that alone and that quick, and they are true greybeards who've seen it all). Impressive work.

      So either he is very well prepared and built an extremely good lie (frankly I don't see why; his discoveries will be audited and the only stuff he did was show how good of an engineer he is), or US government systems are indeed breached, and probably because of those "DOGE" accounts. Is it by malice, greed or incompetence? Malice is out imho, my bet is on incompetence.

    • iraliaf 11 hours ago

      Still feels like, until we get some more grounded evidence, it's speculation:

      "Mr. Berulis is coming forward today because of his concern that recent activity by members of the Department of Government Efficiency (“DOGE”) have resulted in a significant cybersecurity breach that likely has and continues to expose our government to foreign intelligence and our nation’s adversaries"

      Operative words here being "likely has".

  • ChrisArchitect 10 hours ago

    More discussion from last week: https://news.ycombinator.com/item?id=43691142

  • abtinf 11 hours ago

    > This declaration details DOGE activity within NLRB, the exfiltration of data from NLRB systems, and – concerningly – near real-time access by users in Russia. Notably, within minutes of DOGE personnel creating user accounts in NLRB systems, on multiple occasions someone or something within Russia attempted to login using all of the valid credentials (eg. Usernames/Passwords). This, combined with verifiable data being systematically exfiltrated to unknown servers within the continental United States – and perhaps abroad – merits investigation.

    > Furthermore, on Monday, April 7, 2025, while my client and my team were preparing this disclosure, someone physically taped a threatening note to Mr. Berulis’ home door with photographs – taken via a drone – of him walking in his neighborhood. The threatening note made clear reference to this very disclosure he was preparing for you, as the proper oversight authority. While we do not know specifically who did this, we can only speculate that it involved someone with the ability to access NLRB systems. This “meat space” action – where a threat was physically delivered to my client’s home – is absolutely disturbing in its manner and the implications suggested therein. Accordingly, and we have been and will continue to be coordinating with appropriate law enforcement agencies.
