🧵 THREAD: A federal whistleblower just dropped one of the most disturbing cybersecurity disclosures I’ve ever read.
He's saying DOGE came in, data went out, and Russians started attempting logins with new valid DOGE passwords
Media's coverage wasn't detailed enough so I dug into his testimony:
Apr 18, 2025 00:10Who’s the whistleblower?
Daniel Berulis — a senior DevSecOps architect at the National Labor Relations Board (NLRB), formerly with TS/SCI clearance.
He just told Congress the Department of Government Efficiency (DOGE) pulled off a covert cyber op inside a federal agency.
DOGE demanded root access.
Not auditor access. Not admin.
They were given “tenant owner” privileges in Azure — full control over the NLRB’s cloud, above the CIO himself.
This is never supposed to happen.
They disabled the logs.
Berulis says DOGE demanded account creation with no recordkeeping.
They even ordered security controls bypassed and disabled tools like network watcher so their actions wouldn’t be logged.
And then the data started flowing out.
10+ GB spike in outbound traffic
Exfiltration from NxGen, the NLRB's legal case database
No corresponding inbound traffic
Unusual ephemeral containers and expired storage tokens
They used an external library that used AWS IP pools to rotate IPs for scraping and brute force attacks.
They downloaded external GitHub tools like requests-ip-rotator and browserless — neither of which the agency uses.
The most daming claim in this statement IMO:
Within 15 minutes of DOGE accounts being created…
Attackers in Russia tried logging in using those new creds.
Correct usernames and passwords.
2 options here. The DOGE device was hacked. And I don't think I need to explain the 2nd.
Multi-factor authentication? Disabled.
Someone downgraded Azure conditional access rules — MFA was off for mobile.
This was not approved and not logged.
Cost spikes without new resources.
Azure billing jumped 8% — likely from short-lived high-cost compute used for data extraction, then deleted.
Then came the intimidation.
While preparing this disclosure, Berulis found a drone surveillance photo of himself taped to his front door with a threatening note.
This was just a few days ago.
US-CERT was about to be called in.
CISA’s cyber response team.
But senior officials told them to stand down — no report, no investigation.
I'm going to cover this more as I find out more.
Subscribe to stay up to date:
vulnu.com/subscribe
Vulnerable U
Infosec's favorite weekly newsletter for news, tools, and tips with 25,000+ CISOs, founders, change-makers, and straight up hackers.
adding original reporter to this thread.
I didn't see this story before I wrote my summary. I saw it on NBC/CNN which was lighter on technical detail than I'd have liked so I went straight to the testimony
Apologies Jenna if this came off dismissive of her hard work
bsky.app/profile/jenn...But this also seems insanely obvious at the same time. Of course they were giving Russia access to our data. Why wouldn’t they? They’ve gotten away with doing whatever they want so far
DOGE is full of Russian assets? I'm so shocked. Can't you tell? This is my shocked face. 😐
Does this relate in any way to the OCC breach in February?
Interview with whistleblower:
www.pbs.org/newshour/sho...
NLRB whistleblower claims Musk's DOGE potentially caused significant security breach
The National Labor Relations Board protects workers' right to organize and investigates unfair labor practices. A whistleblower complaint filed by an IT staffer claims Elon Musk and his DOGE team gain...
📌
You missed Maddow. She talked about this. He said there are others that can verify the info too. He has already been threatened.
A whistleblower's disclosure details how DOGE may have taken sensitive labor data
A whistleblower tells Congress and NPR that DOGE may have taken sensitive labor data and hid its tracks. "None of that ... information should ever leave the agency," said a former NLRB official.
I didn't get it from here. Apologies and I've added this to the thread.
But this also seems insanely obvious at the same time. Of course they were giving Russia access to our data. Why wouldn’t they? They’ve gotten away with doing whatever they want so far
