This whole article reads like a comedy. Hidden accounts, login attempts from Russia (they can't afford IP addresses elsewhere?), and then there is this:
"Berulis told KrebsOnSecurity he was in the process of filing a support ticket with Microsoft to request more information about the DOGE accounts when his network administrator access was restricted. Now, he’s hoping lawmakers will ask Microsoft to provide more information about what really happened with the accounts."
Why does Microsoft have login and account information for a government institution? I'd prefer a mainframe without Windows or Internet access in the basement.
It's interesting, because Edward Coristine was fired from "cybersecurity firm Path Network in 2022 for allegedly leaking internal company information to a competitor" [1]. Seems like an ideal candidate for recruitment by a foreign espionage service. And he'd used accounts on a cybercrime social network [2]. How in the world is this person still able to work anywhere near the government?
But if Russian spies wanted to access US Gov resources, why would they use their own IPs as the origin? Unless getting caught was deliberate, to foment discord?
DOGE will be an interesting case study in the years to come to say the least. A friend was contacted by them in an attempt to recruit him to help rebuild the nation's aviation systems from the ground up as a 1099 contractor reporting directly to Sean Duffy. The recruiter advertised it as a side hustle on evenings and weekends paying an abysmal hourly wage. When my friend pointed out that the comp was far below what he makes, the recruiter countered with the prestige that will come with having worked for DOGE.
The story has been posted twice, yes. The first submission[0] is ~10 hours older and has 3 comments on it. This one has 348 comments at time of writing. If you care about having an interesting discussion, this one's clearly where it's at.
> Berulis found that on March 3 one of the DOGE accounts created an opaque, virtual environment known as a “container,” which can be used to build and run programs or scripts without revealing its activities to the rest of the world. Berulis said the container caught his attention because he polled his colleagues and found none of them had ever used containers within the NLRB network.
Is it me or does this sound like someone trying to create a Russia connection here? Why would Russian intelligence do this so amateurishly? As if they want to get caught. - Cui bono?
I'm a cyber security incident responder. Firstly, let me claim my bias - I don't trust Krebs after his FUD reporting about the CVE totally not losing funding. I started my cyber career in federal government contracting as a SOC Analyst and eventually became an incident responder.
My first doubt - the NLRB has a SOC run by an MSSP/government contractor. Data destruction events and anomalous connections would 10000% cause security event alerts to trigger. Sentinel has OOB detection for anomalies for events that the whistleblower states in the article.
My second doubt - CISA and US-CERT are not a bunch of scrubs. If their official statement is that it's not a security incident then I trust them.
Third doubt - If you see something suspicious then you have every right to report it to the SOC, and contain the suspicious activity to the best of your ability. If you don't have permissions then report it to the SOC. All malicious activity gets investigated (unless the MSSP is a joke but then they become liable and will get sued if it turns into an incident that results in damages).
Fourth doubt - Krebs and the whistleblower are framing this as a sophisticated nation-state attack leveraging DOGE to exploit the NLRB. But that doesn't add up. Nation-state actors don't blow their cover because they proxy with clean IPs from within the target country. The IP address in question (83.149.30[.]186) has had a bad reputation in open-source intelligence for over a year, linked to credential stuffing and scanning activity. Using an IP like that in a high-level operation is like flying a spy plane into enemy airspace with inflatable tube men and disco balls strapped to the wings. Attacks of this complexity require significant time and resources—no serious actor would risk burning their investment by using an IP already flagged and based in Russia.
Last doubt - The "Security Engineer" took a screenshot of the user names then gave it to the media... You're expecting me to trust what you say while you commit a data leak - nice one.
Notice that the email from the deputy CIO mentions SCuBA. This is the "Secure Cloud Business Application Project" from CISA. If you look at two of the required policies you will find this:
"A minimum of two users and a maximum of eight users SHALL be provisioned with the Global Administrator role."[1]
and
"Privileged users SHALL be provisioned with finer grained roles instead of Global Administrator."[2]
So at least for the agency-wide removal of security administrator roles, that would seem to be unrelated to anything DOGE was doing. The NLRB was supposed to be doing that anyway.
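An added example (not from the comment above, CISA, or the NLRB) of how an agency could audit its directory-role assignments against the two SCuBA Entra ID policies quoted in that comment; the role names mirror Entra built-in roles and the assignment list is constructed, and the second check is a heuristic, since which finer-grained role a given admin actually needs is a judgement call:

```python
"""Audit directory-role assignments against two SCuBA Entra ID policies:
  1. between 2 and 8 users SHALL hold Global Administrator;
  2. privileged users SHALL get finer-grained roles instead of Global Administrator.
Added example; the sample assignments below are constructed, not real tenant data."""

GLOBAL_ADMIN = "Global Administrator"
MIN_GLOBAL_ADMINS, MAX_GLOBAL_ADMINS = 2, 8

# Constructed sample: (user principal name, assigned directory role).
SAMPLE_ASSIGNMENTS = [
    ("alice@agency.example", "Global Administrator"),
    ("bob@agency.example", "Global Administrator"),
    ("carol@agency.example", "Global Administrator"),
    ("carol@agency.example", "Exchange Administrator"),
    ("dave@agency.example", "Security Administrator"),
    ("erin@agency.example", "User Administrator"),
]


def global_admin_count_findings(assignments):
    """Policy 1: the number of distinct Global Administrator holders must be 2..8."""
    holders = {upn for upn, role in assignments if role == GLOBAL_ADMIN}
    n = len(holders)
    if n < MIN_GLOBAL_ADMINS:
        return [f"only {n} Global Administrator(s); policy requires at least {MIN_GLOBAL_ADMINS}"]
    if n > MAX_GLOBAL_ADMINS:
        return [f"{n} Global Administrators; policy allows at most {MAX_GLOBAL_ADMINS}"]
    return []


def finer_grained_role_findings(assignments):
    """Policy 2 (heuristic): a user who already holds a scoped admin role and
    Global Administrator on top of it is a candidate for losing Global Administrator,
    because the scoped role is the finer-grained one the policy asks for."""
    roles_by_user = {}
    for upn, role in assignments:
        roles_by_user.setdefault(upn, set()).add(role)
    findings = []
    for upn, roles in sorted(roles_by_user.items()):
        scoped = sorted(roles - {GLOBAL_ADMIN})
        if GLOBAL_ADMIN in roles and scoped:
            findings.append(f"{upn} holds Global Administrator alongside {', '.join(scoped)}")
    return findings


def evaluate(assignments):
    """All findings for one set of assignments, in policy order."""
    return global_admin_count_findings(assignments) + finer_grained_role_findings(assignments)


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_ASSIGNMENTS):
        print("FINDING:", finding)
```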
Removing admin from people who don't need it is 100% the correct thing to do according to any IT guidelines you could quote. And of course, every single user will whine that they're special and really really need it.
With regards to the rest of the article, there's definitely stuff to be investigated here but I don't see the investigation yet.
The screenshot of email from DCIO is what should be getting rolled out. This is not suspicious by itself from my perspective. SCuBA is a CISA project that improves security.
> “Our acting chief information officer told us not to adhere to standard operating procedure with the DOGE account creation, and there was to be no logs or records made of the accounts created for DOGE employees, who required the highest level of access,” Berulis wrote of their instructions after that meeting.
There is a small but significant chance that this whole admin's activities might be revealed without doubt as sponsored and facilitated by Russia. That may or may not result in a proper war with Russia. Either way, it would be scarily devastating.
Hard to see how this whole fiasco won't end up in charges at the very least for negligence. Easy to see why leadership is signaling they have nothing to do with DOGE but are letting their engineers take the heat.
I am Dutch and know of at least one pretty harsh lawsuit against a former employee of Tesla with autism against Tesla in the Netherlands regarding the work environment, sooo...
Also baffled they can still do shit like this with Senate and Congress looking the other way...
DOGE needed to hide its activities while it collected data for the president so that the private citizens chosen by his associates can run analytics on it offsite and decide which cases to pursue. And Russia has a login because they are friendly to the new era of American interests.
It sounds so stupid, I can’t believe people still support this madness…
How do you stop kleptocracy from destroying democracy?
The USA is an authoritarian country de facto now, though there should be a lot of guardrails, which should prevent this from happening ... Nobody cares?
This is not about cyber security, this is about getting union activity data to the oligarchs. Russian IPs are a useful, probably unintentional, nugget that distracts people from what happened here.
Labor action is the most powerful tool that ordinary people have and this is an effort to take that away. Citizens are already being kidnapped. Dissenting legal immigrants are being disappeared.
Anyone that believes the administration is doing any business other than seizing more power is a useful tool.
This was on the front page and mysteriously dropped off. I don't know the mechanism for this so it is most likely innocent and the system working as planned but I do find it odd that every post critical of the Trump administration gets flagged or gets dropped off the front page.
Lots of government employees are committing real-deal, federal penitentiary crimes here. While Trump is in power, they won’t be convicted, much less investigated.
How much incentive do they have to continue to commit as much crime as possible in order to keep Trump in power?
Every single story you read about these sorts of things is not only a horrible violation of constitutional rights and the rule of law, it is the creation of an army of incredibly dangerous people who desperately want Trump to remain in power and can commit crimes with impunity in order to keep him there.
The Russian IPs may also be a ploy by people at DOGE to cause doubt about the security of the NLRB to get play at a court in order to not disclose company secrets required for cases.
I guess DOGE wanted to write a report on how they saw Russian IPs logging in but it backfired because the people at NLRB have proof DOGE created the accounts.
Cybersecurity is not my main field but this sounds beyond suspicious.
> Berulis [...] and his colleagues grew even more alarmed when they noticed nearly two dozen login attempts from a Russian Internet address (83.149.30,186) that presented valid login credentials for a DOGE employee account — one that had been created just minutes earlier. Berulis said those attempts were all blocked thanks to rules in place that prohibit logins from non-U.S. locations.
> “Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating,” Berulis wrote. “There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers.”
Somehow each paragraph reveals something even worse than the last.
> Berulis [...] and the associate CIO were informed that “instructions had come down to drop the US-CERT reporting and investigation and we were directed not to move forward or create an official report.” Berulis said it was at this point he decided to go public with his findings.
At this point, the number of probable explanations for the antics of DOGE in particular and the administration in general is close to zero.
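The pattern the quoted passage describes (an account created, then sign-in attempts minutes later from a non-US address that passed credential validation and were stopped only by a geo rule) is something a SOC can correlate from the tenant's audit and sign-in logs. An added example, not from the article or the NLRB: the records below are constructed and only loosely shaped like Entra ID audit-log and sign-in-log entries, and "BlockedByPolicy" is a constructed result value standing in for a conditional-access location block.

```python
"""Correlate account-creation events with foreign sign-in attempts that were
blocked only by location policy, within a short window of the account's creation.
Added example with constructed records; the log shapes are simplified."""
from datetime import datetime, timedelta

# Constructed audit-log records: (creation time, account created).
ACCOUNT_CREATED = [
    ("2025-03-03T14:02:10Z", "svc-doge-01@agency.example"),
    ("2025-03-03T14:05:42Z", "svc-doge-02@agency.example"),
    ("2025-03-01T09:00:00Z", "alice@agency.example"),
]

# Constructed sign-in records: (time, account, source country, result).
# "BlockedByPolicy" models the case the quote describes: credentials validated,
# the only thing that stopped the sign-in was the no-out-of-country rule.
SIGN_INS = [
    ("2025-03-03T14:08:01Z", "svc-doge-01@agency.example", "RU", "BlockedByPolicy"),
    ("2025-03-03T14:08:03Z", "svc-doge-01@agency.example", "RU", "BlockedByPolicy"),
    ("2025-03-03T14:09:00Z", "svc-doge-01@agency.example", "RU", "BadPassword"),
    ("2025-03-03T14:15:30Z", "svc-doge-02@agency.example", "RU", "BlockedByPolicy"),
    ("2025-03-03T14:20:00Z", "svc-doge-01@agency.example", "US", "Success"),
    ("2025-03-03T16:00:00Z", "alice@agency.example", "DE", "BlockedByPolicy"),
]

WINDOW = timedelta(minutes=15)   # the "within 15 minutes" figure from the quote
HOME_COUNTRY = "US"


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(created, sign_ins, window=WINDOW, home=HOME_COUNTRY):
    """Return (account, minutes after creation, country) for each foreign sign-in
    that passed credential validation and was stopped only by policy, when it
    happened within `window` of that account being created. Wrong-password
    attempts and sign-ins from the home country are deliberately left out."""
    created_at = {upn: parse(ts) for ts, upn in created}
    hits = []
    for ts, upn, country, result in sign_ins:
        if country == home or result != "BlockedByPolicy" or upn not in created_at:
            continue
        delta = parse(ts) - created_at[upn]
        if timedelta(0) <= delta <= window:
            hits.append((upn, int(delta.total_seconds() // 60), country))
    return hits


def summarize(hits):
    """Group hits per account, the shape an analyst wants in a single alert."""
    per_account = {}
    for upn, minutes, country in hits:
        per_account.setdefault(upn, []).append((minutes, country))
    return per_account


if __name__ == "__main__":
    for upn, attempts in summarize(correlate(ACCOUNT_CREATED, SIGN_INS)).items():
        print(f"ALERT {upn}: {len(attempts)} foreign attempt(s) with valid credentials, "
              f"first {attempts[0][0]} min after creation from {attempts[0][1]}")
```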
One somewhat far-fetched (until recently) explanation floated for the all-out war on institutions waged by the Trump administration is that the goal is to destroy the last remaining entity in this country that is capable of standing up to corporations. The idea seemed laughable just a couple of months back. The fact that it seems very probable now shows just how bad the situation is.
At what point will Congress act? Or will they simply sit by as the country is destroyed from the inside?
America is being hacked by Russians while the authorities are watching, and nobody is doing anything to prevent it. Trump is obviously more involved in Russia's "greatness" than America's. It seems the cloud data nightmare - "[...] What if Adolf Hitler had access to all the data that is available today [...]" - is coming true. Perhaps we are witnessing the beginning of the end of "all things cloud."
When this story first broke, my initial thought was that Elon was using this unprecedented and probably illegal access to access case data to benefit his companies and possibly others [1], most specifically for Tesla where unionization remains a threat to profits [2].
I don't know what the Russia connection is. Blue MAGA types like to contend that Trump is a Russian asset. There are definitely some weird connections going back to Trump purchasing TVs for a hotel in the 1980s [3] and some weird timings of the movements of Viktor Orban between Putin and Trump [4] but I just don't buy the Russian asset narrative.
I consider it way more likely that individual DOGE people have been compromised by foreign actors and possibly without their knowledge (e.g. compromised email or computers).
We're only 3 months into this. The amount of damage that is going to be done over the next 4 years is hard to comprehend.
Whistleblower: DOGE Siphoned NLRB Case Data (krebsonsecurity.com)
809 points by whalesalad | 22 April 2025 | 452 comments
https://news.ycombinator.com/item?id=43691142
[1] https://en.wikipedia.org/wiki/Edward_Coristine
[2] https://krebsonsecurity.com/2025/02/teen-on-musks-doge-team-...
[0] https://news.ycombinator.com/item?id=43758392
This feels funny to read, for some reasons.
[1] https://www.cisa.gov/resources-tools/services/m365-entra-id#...
[2] https://www.cisa.gov/resources-tools/services/m365-entra-id#...
Source: https://www.cisa.gov/resources-tools/services/secure-cloud-b...
How can this be true?
[1]: https://news.ycombinator.com/item?id=43701222
[2]: https://www.businessinsider.com/tesla-pay-vs-ford-gm-uaw-uni...
[3]: https://www.youtube.com/watch?v=O1FHtBu5H8w&t=36s
[4]: https://www.axios.com/2024/07/12/trump-orban-meeting-mar-a-l...