Whistleblower Discloses DOGE Exfiltration of Data from NLRB and More


A whistleblower account has emerged detailing intrusion into National Labor Relations Board systems by Elon Musk’s DOGE, the disabling of security barriers, exfiltration of data and apparently associated access attempts from Russia.

The “Department of Government Efficiency” is a subset of a White House IT team, not a government department.

National Public Radio published an exhaustive article based on whistleblower Daniel Berulis’ disclosures to Congress and the Office of Special Counsel, supplemented by an interview with NPR and approximately 30 other sources.

After getting into NLRB systems, DOGE members demanded special login accounts with the highest level of privileges and permissions for their use. These gave them unrestricted power to read, copy and alter data. When IT staff wanted to create those accounts in a way that logs activity, DOGE told them to stay out of the way. DOGE turned off multifactor authentication, disabled monitoring and deleted records that logged their access. Cybersecurity experts told NPR such behavior is typical of criminal or state-sponsored hackers. There is no legitimate reason to turn off the logging of user activities.

Soon after DOGE’s accounts were created, an IP address in Russia attempted to log in using the valid username and password of one of the DOGE accounts. System policy prohibiting login from outside the USA blocked the Russian login, which was attempted at least 20 times.

DOGE installed a “container,” a virtual computer that could run software without showing the rest of the network what it was doing. DOGE could use it like an invisibility cloak for their work, and deleting it when they left wiped out all record of what it had done.

Berulis noticed DOGE engineer Jordan Wick was working on a project in GitHub which had the name NxGenBdoorExtract. As soon as journalist Roger Sollenberger began to post on X (formerly Twitter) about it, Wick closed the project to public view.

One of the most sensitive databases in NLRB is the internal case management system, called NxGen. The name of Wick’s project suggests he was building a back door for NxGen to extract data through an abnormal mechanism that leaves no tracks.

NxGen holds proprietary data far from public eyes. It includes information from corporate competitors, personal data about labor union members and employees voting about unionizing a workplace, and witness testimony. Its data is shielded by multiple federal laws including the Privacy Act.

Berulis kept screen captures showing a spike in access to NLRB NxGen data followed by about 10 GB of data, roughly equivalent to an encyclopedia if printed, leaving NLRB to an unknown external destination. No one at NLRB had been migrating large amounts of data or saving backups.

Logs that monitor outbound traffic from the system were missing, so the outbound data transmission was not logged. Some activities DOGE performed were not attributed to any account, and those that were pointed only to deleted accounts.
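The indicator pattern described above (MFA and auditing switched off, logs deleted, a burst of blocked foreign logins, a large read of data, and activity that can only be tied to deleted or missing accounts) can be checked for in an identity provider's audit trail. The following is an added example, not code from NPR or the NLRB; the event schema and the account name are constructed for illustration.

```python
from collections import Counter

# Constructed audit events modelled on the behaviour the report describes; not real NLRB logs.
EVENTS = [
    {"ts": 1, "actor": "it_admin", "action": "account.create", "target": "dogesa_x", "role": "global_admin"},
    {"ts": 2, "actor": "dogesa_x", "action": "mfa.disable", "target": "dogesa_x"},
    {"ts": 3, "actor": "dogesa_x", "action": "audit.disable", "target": "tenant"},
    {"ts": 4, "actor": "dogesa_x", "action": "log.delete", "target": "signin_logs"},
    # 20 geo-blocked sign-in attempts from outside the allowed country list
    *[{"ts": 10 + i, "actor": "dogesa_x", "action": "login.blocked", "src_country": "RU"} for i in range(20)],
    {"ts": 40, "actor": "dogesa_x", "action": "storage.read", "bytes": 10 * 1024**3},
    {"ts": 41, "actor": None, "action": "storage.read", "bytes": 512 * 1024**2},  # no attribution
    {"ts": 50, "actor": "dogesa_x", "action": "account.delete", "target": "dogesa_x"},
    {"ts": 60, "actor": "alice", "action": "login.ok", "src_country": "US"},
]

TAMPERING = {"mfa.disable", "audit.disable", "log.delete"}

def tampering_by_actor(events):
    """Actors that disabled MFA, switched off auditing, or deleted logs."""
    out = {}
    for e in events:
        if e["action"] in TAMPERING:
            out.setdefault(e["actor"], set()).add(e["action"])
    return {a: sorted(s) for a, s in out.items()}

def foreign_login_bursts(events, allowed=("US",), threshold=20):
    """Actors whose login attempts from outside the allowed countries reach the threshold."""
    counts = Counter(e["actor"] for e in events
                     if e["action"].startswith("login.") and e.get("src_country") not in allowed)
    return {a: n for a, n in counts.items() if n >= threshold}

def orphaned_activity(events):
    """Events with no actor, or whose actor was later deleted, so no live account can answer for them."""
    deleted = {e["target"] for e in events if e["action"] == "account.delete"}
    return [e for e in events
            if e["actor"] is None or (e["actor"] in deleted and e["action"] != "account.delete")]

def large_reads_bytes(events, floor=5 * 1024**3):
    """Total bytes read per actor, reported only when the total reaches the floor."""
    totals = Counter()
    for e in events:
        if e["action"] == "storage.read":
            totals[e["actor"]] += e["bytes"]
    return {a: b for a, b in totals.items() if b >= floor}
```

Each function answers one question an investigator would ask of the trail; an actor that appears in all four results at once is the pattern the article describes.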

NLRB’s team formally initiated a breach investigation. They prepared to request help from the Cybersecurity and Infrastructure Security Agency. Berulis said that was “disrupted” without explanation.

Preparing the request to CISA led to someone “physically taping a threatening note” to Berulis’ door. It included sensitive personal information and overhead photos that appeared to have been taken with a drone and showed him walking with his dog. The note specifically mentioned his report of the breach to others. He had recently moved, had only been at the new address a couple of months and had updated his address in only a couple of places, most notably at the Office of Personnel Management. He had not even notified his bank yet.

NLRB databases contain sensitive data about labor unions, legal cases and corporate secrets. Such data almost never leaves the agency. It has no relevance to the pursuit of government efficiency or rooting out fraud that DOGE claims as its mission.

After about a week, DOGE left and deleted its accounts. They did leave some traces behind.

Berulis found that at least one of the DOGE accounts used to access NLRB’s cloud systems, hosted by Microsoft, was “DogeSA_2d5c3e0446f9@nlrb.microsoft.com”.

Although the agency’s press secretary immediately denied everything, Berulis kept forensic data and records of his discussions with colleagues. He has evidence to support his assertions.

NPR contacted 11 sources with direct knowledge of internal operations in federal agencies across government. They share Berulis’ concerns. Some of them have seen evidence of DOGE exfiltrating other sensitive data.

Jake Braun, executive director of the Cyber Policy Initiative at the University of Chicago’s Harris School of Public Policy and former White House acting principal deputy national cyber director, said about the situation that “If he didn’t know the backstory, any [chief information security officer] worth his salt would look at network activity like this and assume it’s a nation-state attack from China or Russia.”

There are many more details to what DOGE did, such as taking a copy of contact information for external lawyers with a record of working with NLRB.

Musk has multiple cases in progress that involve NLRB. Some of the lawyers from his company SpaceX have recently gotten government jobs and initiated a lawsuit attempting to disband NLRB, claiming its structure is unconstitutional.

This fits into a pattern in which agency after agency with a current or past history of attempting to hold Musk’s companies to account for violations of laws or regulations has been hamstrung, sometimes specifically in the portion of the agency contending with his companies.
