DOGE may have taken labor data, according to a whistleblower’s disclosure


The National Labor Relations Board: What DOGE’s IT Team was telling Congress in releasing confidential data after Berulis’s visit of the NLRB

The office of the National Labor Relations Board in Southeast Washington, D.C. was where advisers from the President’s Department of Government Efficiency arrived in the first days of March.

The small agency investigates and adjudicates complaints about labor practices. It has reams of potentially sensitive data, ranging from confidential information about employees to proprietary business information.

DOGE’s intentions with regard to the NLRB data remain unclear. Many of the systems DOGE embedded itself in across the rest of the government have payment or employment data — information that DOGE could use to evaluate which grants and programs to halt and whom to fire.

The DOGE engineers had little insight into or control over what the IT team was doing, and that was one of the reasons for the meeting. He said that they had no idea what they did. Those conversations are reflected in his official disclosure.

The employees grew concerned that the NLRB’s confidential data could be exposed, particularly after they started detecting suspicious log-in attempts from an IP address in Russia, according to the disclosure. Eventually, the disclosure continued, the IT department launched a formal review of what it deemed a serious, ongoing security breach or potentially illegal removal of personally identifiable information. The hacker thinks the suspicious activity warrants a deeper investigation by agencies with more resources like the FBI and the Cybersecurity and Infrastructure Security Agency.

DOGE appears to still be in the process of visiting federal agencies across the country, including just recently the Securities and Exchange Commission, according to one former government source directly familiar with the matter who requested anonymity to share information they weren’t authorized to share. Across the government, it’s unclear how much sensitive data has been removed and collected and combined.

The agency’s acting press secretary, Tim Bearese, denied that the agency granted any access to the agency’s systems to DOGE. Bearese said the agency conducted an investigation after Berulis raised his concerns but “determined that no breach of agency systems occurred.”

When did Berulis Open the National Labor Relations Board? The story of how he learnt to take apart a machine to figure it out

It’s a familiar story for tech nerds the world over: He methodically took the machine apart “to figure out how it works,” just like he had dissected radios from the thrift store years earlier. “I electrocuted myself once,” he recalled.

A knee injury prevented him from joining the military. He was a volunteer firefighter for some time and gave his time to the rape crisis hotline, answering calls from victims in need of someone to talk to. He told NPR that he had an interest in serving his country.

Berulis had been a technical consultant for many years, including in auditing and modernizing corporate systems, when a job opened up at the National Labor Relations Board.

While Berulis didn’t know a lot, he realized the agency’s purpose was to protect employees’ rights and he wanted to help people.

He started six months before President Trump took the oath of office. Berulis said he secured the cloud-based data servers and reinforced what are called “zero trust” principles, which means that users are limited to the parts of the system they need in order to do their jobs. That way, if an attacker is able to get hold of a single password, they can’t access the whole system.

He said it was a dream when he first started. “There was a great opportunity to build up and do some good.” But after the inauguration, he described a “culture of fear” descending over the agency.

Source: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data

Getting Access to People’s Accounts: A Discriminating Case Against Attack on a Hacker’s Website code.fr

Berulis said he and several colleagues saw a black SUV and police escort enter the garage, after which building security let the DOGE staffers in. They never met most of the IT team while interacting with a small number of staffers.

Berulis was told by his colleagues that employees of the agency wanted the highest level of access to their tenant level accounts inside the independent agency’s computer systems. Those offer essentially unrestricted permission to read, copy and alter data, according to Berulis’ disclosure to Congress.

For cybersecurity professionals, a failure to log activity is a cardinal sin and contradicts best practices as recommended by the National Institute of Standards and Technology and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, as well as the FBI and the National Security Agency.

Digital forensic records can be useful for record keeping, but they also allow experts to investigate potential attacks, sometimes even tracing the attacker’s path back to the vulnerability inside the network. The records can also help experts see what data might have been removed. Basic logs aren’t enough to show the extent of bad actor activities, but they would be a start. There’s no reason for any legitimate user to turn off logging or other security tools, cybersecurity experts say.

“If he didn’t know the backstory, any [chief information security officer] worth his salt would look at network activity like this and assume it’s a nation-state attack from China or Russia,” said Braun, the former White House cyber official.

A graduate of the Massachusetts Institute of Technology and engineer by the name of Jordan Wick had been uploading information about his coding projects to the website code.fr, which allows developers to create, store and collaborate on code.

The name Bdoor suggests that it could have been a way to get files from the NLRB case management system, according to several cybersecurity experts.

How the NxGen Network got there, and why. Then the DOGE went out and re-installed the Container

“When I saw this tool, I panicked because I didn’t have a better term,” he said. I kind of had a conniption and said whoa, whoa. He immediately alerted his whole team.

“It definitely seems rather odd to name it that,” said one of the engineers who built NxGen and asked for anonymity so as not to jeopardize their ability to work with the government again. “Or brazen, if you’re not concerned with consequences.”

It would be easier for companies to fire workers for union organizing if they could access the NxGen data. “People get fired for trying to organize a union all the time in this country, and it is legal,” said Block.

That’s partly because, he said, the NLRB isn’t advanced when it comes to detecting insider threats or potentially malicious actors inside the agency itself. “We haven’t evolved to account for those,” he said. “We were looking for [bad actors] outside,” he said.

But he counted on DOGE leaving at least a few traces of its activity behind, puzzle pieces he could assemble to try to put together a picture of what happened — details he included in his official disclosure.

Then, DOGE engineers installed what’s called a “container,” a kind of opaque virtual computer that can run programs on a machine without revealing its activities to the rest of the network. It wouldn’t be a problem, since it allowed the engineers to work without being seen, and it didn’t leave any trace of its activities after it was removed.

His official disclosure states that Berulis began tracking sensitive data leaving the places it was meant to live. He saw a small amount of data leaving the NxGen case management system inside the NLRB system. Then, he saw a large spike in outbound traffic leaving the network itself.

From what he could see, the data leaving, almost all text files, added up to around 10 gigabytes — or the equivalent of a full stack of encyclopedias if someone printed them, he explained. The agency hosts over 10 terabytes of historical data in its database, but it’s not a big chunk of the total data. It’s not clear if the files were consolidated and compressed or if they were removed. It’s also possible that DOGE ran queries looking for specific files in the NLRB’s system and took only what it was looking for, according to the disclosure.

Regardless, that kind of spike is extremely unusual, Berulis explained, because data almost never directly leaves from the NLRB’s databases. In his disclosure, Berulis shared a screenshot tracking data entering and exiting the system, and there’s only one noticeable spike of data going out. He confirmed that no backups or data migrations had been done that week.

Even when external parties like lawyers or overseers like the inspector general are granted guest accounts on the system, it’s only to view the files relevant to their case or investigation, explained labor law experts who worked with or at the NLRB, in interviews with NPR.

DOGE leaks sensitive labor information: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data, Berulis tells NPR

In the days after Berulis and his colleagues prepared a request for CISA’s help investigating the breach, Berulis found a printed letter in an envelope taped to his door, which included threatening language, sensitive personal information and overhead pictures of him walking his dog, according to the cover letter attached to his official disclosure. It’s unclear who sent it, but the letter made specific reference to his decision to report the breach. Law enforcement is investigating the letter.

Bakaj, Berulis’ lawyer, told NPR in a written statement: “This case has been particularly sensitive as it involves the possibility of sophisticated foreign intelligence gaining access to sensitive government systems, which is why we went to the Senate Intelligence Committee directly.”

Berulis was able to uncover some unnerving details about what happened when DOGE was on, and he enumerated them in his declaration.

In order to access storage accounts, unknown users gave themselves a high-level access key, known as a SAS token, and then deleted it. Berulis said there was no way to track what they did with it.

Berulis said he noticed a task automation program downloaded to the system, which would allow engineers to run automated commands. There were several code libraries that got his attention — tools that he said appeared to be designed to automate and mask data exfiltration. There was a tool to generate a seemingly endless number of IP addresses called “requests-ip-rotator,” and a commonly used automation tool for web developers called “browserless” — both repositories starred or favorited by Wick, the DOGE engineer, according to an archive of his GitHub account reviewed by NPR.

Someone appeared to be doing something called a CNAME to prevent data exfiltration. He came to his conclusion after seeing a spike in DNS traffic and seeing that the data had been exfiltrated.

Someone will set up a domain name and then send questions or queries to the target system. The compromised server is configured to send packets of data, which the attacker can steal information from, if they choose.
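How DNS-based exfiltration of the kind described above tends to show up in resolver logs, as an added example that is not part of the disclosure or of NPR's reporting: many unique, long, high-entropy subdomains queried under a single domain. The log format, the thresholds and the `example.*` names are assumptions, and the sample lines are constructed.

```python
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than hostnames."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total)
                for n in Counter(text).values())


def split_name(qname):
    """Return (subdomain, base domain).

    Naive last-two-labels split (assumption); production code should use
    the Public Suffix List so that names under e.g. co.uk group correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def summarize(log_text):
    """Aggregate per-base-domain statistics from resolver log lines.

    Assumed line format: "<epoch> <client_ip> <qtype> <qname>".
    """
    subs_by_base = defaultdict(list)
    qtypes_by_base = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the run
        _ts, _client, qtype, qname = parts
        sub, base = split_name(qname)
        subs_by_base[base].append(sub)
        qtypes_by_base[base].add(qtype)
    stats = {}
    for base, subs in subs_by_base.items():
        payload = "".join(s.replace(".", "") for s in subs)
        stats[base] = {
            "queries": len(subs),
            "unique_ratio": len(set(subs)) / len(subs),
            "mean_len": len(payload) / len(subs),
            "entropy": shannon_entropy(payload),
            "qtypes": sorted(qtypes_by_base[base]),
        }
    return stats


def flag_candidates(log_text, min_queries=5, min_unique=0.8,
                    min_len=24, min_entropy=3.5):
    """Base domains whose query pattern looks like data carried in names."""
    return sorted(
        base for base, s in summarize(log_text).items()
        if s["queries"] >= min_queries
        and s["unique_ratio"] >= min_unique
        and s["mean_len"] >= min_len
        and s["entropy"] >= min_entropy
    )


# Constructed sample: ordinary lookups, a CDN with many short unique names
# (unique but not payload-like), and long hex labels under one domain.
_CHUNK = "0123456789abcdef" * 2
_NORMAL = [f"17410000{i:02d} 10.0.4.17 A {h}.example.org"
           for i, h in enumerate(["www", "mail"] * 4)]
_CDN = [f"17410002{i:02d} 10.0.4.17 A img{i}.cdn.example.com"
        for i in range(8)]
_ENCODED = [f"17410001{i:02d} 10.0.4.23 CNAME "
            f"{_CHUNK[i:] + _CHUNK[:i]}.t.example.net" for i in range(8)]
SAMPLE_LOG = "\n".join(_NORMAL + _CDN + _ENCODED)

if __name__ == "__main__":
    for domain in flag_candidates(SAMPLE_LOG):
        print(domain, summarize(SAMPLE_LOG)[domain])
```

The thresholds need tuning against a baseline of the network's own traffic, since some legitimate services also generate long machine-made hostnames.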


DOGE should not have a password in the front door: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data, said Berulis

The researcher said that they were given the keys to the front door. The researcher said it would be hard to verify what happened, but Berulis’ conclusions and evidence were a cause for concern. “None of this is standard,” they said.

Russ Handorf, who served in the FBI for 10 years in various cybersecurity roles, reviewed Berulis’ technical forensic records and analyzed them for his conclusions, and he spoke to NPR.

“All of this is alarming,” he said. “If this was a publicly traded company, I would have to report this [breach] to the Securities and Exchange Commission. The timeline of events shows the lack of respect for the institution and the sensitivity of the exfiltrated data. There is no reason to increase the security risk profile by disabling security controls and exposing them, less guarded, to the internet. They didn’t exercise the more prudent standard practice of copying the data to encrypted and local media for escort.”

It houses information about ongoing contested labor cases, lists of union activists, internal case notes, personal information from Social Security numbers to home addresses, proprietary corporate data and more information that never gets published openly.

Experts interviewed by NPR acknowledge that there are inefficiencies across government that warrant further review, but they say they don’t see a single legitimate reason that DOGE staffers would need to remove the data from the case management system to resolve those problems.

There is no reason to access this information. Is any agency more efficient? More effective? Positively. But what you need for that is people who understand what the agency does. That isn’t done by mining data and putting the software in that creates a security problem.

“There is nothing that I can see about what DOGE is doing that follows any of the standard procedures for how you do an audit that has integrity and that’s meaningful and will actually produce results that serve the normal auditing function, which is to look for fraud, waste and abuse,” said Sharon Block, the executive director of Harvard Law School’s Center for Labor and a Just Economy and a former NLRB board member.

The way that they’re doing things doesn’t correspond to the way they say they’re doing it.


No access to classified information from an employee’s union: a challenge for the NLRB and Senator Chris Murphy, D-Conn.

For labor law experts, the mere possibility that sensitive records were copied is a serious danger that could create a chilling effect for employees everywhere who turn to the National Labor Relations Board for protection.

“To say they have access to the data is intimidating and does not make sense,” said Kate, co-director of the Worker Empowerment Research Network. The reason people won’t testify is that their employer might get access.

She said she spends much of her time thinking about how systems can be messed with under the right circumstances. “You know, there’s this belief that we have these checks and balances … but anyone who’s part of the labor movement should know that’s not true,” she told NPR.

It would make it easier to fire employees for organizing a union if the company could access the data. People get fired for trying to organize a union all the time, said Block.

It’s not just employees who might suffer if this data got out. In the midst of unfair-labor-practice complaint proceedings, companies give detailed statements on internal business planning and corporate structure. The trade secrets that a company is accused of sharing might come up in the investigation of an unfair-labor-practice complaint. That information would be valuable to competitors, regulators and others.

The University of California, Berkeley, labor scholar, Harley Shaiken, said that it was very concerning. “It could result in damage to individual workers, to union-organizing campaigns and to unions themselves,” he said.

There are many cases against the companies controlled by Musk. After a group of former SpaceX employees lodged a complaint with the NLRB, lawyers representing SpaceX, some of whom were recently hired into government jobs, filed suit against the NLRB. They argued that the structure of the agency is unconstitutional.

During an interview with Fox News, Musk and Donald Trump said Musk would not be involved in anything related to his companies. Musk didn’t ask the president for anything. I’m getting a daily proctology exam here. I will not be getting away with something in the dead of night. However, DOGE has been granted high-level access to a lot of data that could benefit Musk, and there has been no evidence of a firewall preventing misuse of that data.

Sen. Chris Murphy, D-Conn. raised his concerns about Musk accessing sensitive labor investigation data on cases against his companies or competitors during the confirmation hearing for Trump’s labor secretary, Lori Chavez-DeRemer, in mid-February. He pressed her to answer whether she believed the NLRB is constitutional and to commit to keeping sensitive data confidential. She insisted that Trump has the executive power to do what he sees fit and that she was committed to privacy.

The National Labor Relations Board was created “to make sure workers’ rights are protected in the workplace,” said Shaiken. Under President Joe Biden, he recalled, the labor movement enjoyed an unusual amount of support from Washington. “But what we have seen is a sharp slamming of the brakes to that and putting the vehicle in reverse in terms of what Trump has done so far,” he continued.

The board’s authority to enforce labor laws was undermined by the removal of Gwynne Wilcox and the sending of DOGE to it. Courts have gone back and forth on whether Wilcox’s removal was illegal, as presidents are meant to demonstrate cause for dismissal of independent board members.

Towards Protecting Corporate Information from Foreign Attacks: A Commentary on DOGE, the FBI Cyber Official and the Principle of Least Privilege

“He is getting information that a random person should not have access to,” said Harvard Law’s Block. If the government gets everything, he has more information about the cases they are building against him.

“DOGE is, whether they admit it or not, headed by somebody who is the subject of active investigation and prosecution of cases.” She said it was “very troubling.”

Musk’s company xAI could also benefit from sucking up all the data DOGE has collected to train its algorithms. Cybersecurity experts like Bruce Schneier, a well-known cryptographer and adjunct lecturer at the Harvard Kennedy School, have pointed to this concern at length in interviews and written pieces.

According to two federal government sources who were not authorized to speak publicly about their workplaces and who shared email documentation with NPR, managers have consistently been warning employees that their data could be subject to AI review, particularly their email responses to the Musk-led campaign to get federal employees to detail “what they did last week” in five bullet points every Monday.

“It’s not a chance of imagination to see some DOGE staffers release some of their data to Musk or people close to him,” said Shaiken.

Handorf, the former FBI cyber official, said “both criminals and foreign adversaries used information like this to enrich themselves through a variety of actions.” “There are measures to protect intellectual property theft for espionage, or even harming a company to enrich another.”

Several failed login attempts are not a big deal according to the experts interviewed by NPR. But given the overall picture of activity, it’s a concerning sign that foreign adversaries may already be searching for ways into government systems that DOGE engineers may have left exposed.

“When you move fast and break stuff, you can ride the coattails of authorized access, which is easy to achieve,” said Handorf. It would be easy for spies or criminals to break in and steal the data behind DOGE if the access points were left open.

The principle of least privilege is one of the best practices used to architect systems, according to the former director of Technology Transformation Services at the General Services Administration. The principle of least privilege states that users have to have minimum rights, roles and permissions in order to perform their roles. Unauthorized access, accidental damage from user errors and malicious actions can be prevented with this protection.

In one case the judge blocked access to the Treasury Department’s payment systems because it could have violated federal law.

The government’s Cybersecurity and Infrastructure Security Agency has already been forced to relocate or put on administrative leave several times, in addition to the resignations and dismissals of other officials. That has limited their power to respond to the ongoing disruptions or keep track of what DOGE is doing.

Erie Meyer, who was the technology officer at the Consumer Financial Protection Bureau, resigned from her position in February after speaking out about the access DOGE had to sensitive data. She has provided testimony in ongoing court cases surrounding DOGE’s access and also spoke to NPR in an interview. Sensitive and market-moving data are contained in the bureau of consumer protection. Meyer said DOGE employees granted themselves “God-tier” access to the CFPB’s systems, turned off auditing and event logs and put the cybersecurity experts responsible for insider threat detection on administrative leave. She said that when the experts at the Consumer Financial Protection Bureau planned to conduct an “after action” report, they were stonewalled.

When she heard about how DOGE engineers operated at the NLRB, particularly the steps they took to obfuscate their activities, she recognized a pattern.

She said she was trembling after hearing that data from the National Labor Relations Board could be exposed. “They can get every piece of whistleblower testimony, every report, everything. This is not good.”

“Our cyber teams are pissed because they have to sit on their hands when every single alarm system we have regarding insider threats is going off,” said one employee at an agency of the Interior Department who requested anonymity, fearing retribution. Cybersecurity teams wanted to shut off new users’ access to the system, the employee continued, but were ordered to stand down.

In a letter to the Federal News Network, 46 former officials from the General Services Administration, one of the government agencies hardest hit by DOGE’s cost cutting efforts and that oversees nearly all federal buildings and purchasing, wrote that they believed highly-sensitive IT.

The Trump administration may be trying to codify practices of DOGE into how the government gives information, according to the executive director of National Security Counselors, a nonprofit public interest law firm.

The Privacy Act exists because Congress realized 50 years ago that the federal government was so overrun with information about normal people that they needed some protections in place. He explained that the information silos were there for a reason. “It’s astonishing to me that the very people who not a handful of years ago were screaming about the government tracking us with vaccines now cheer for feeding every piece of information about themselves into Elon Musk’s stupid Skynet.”

“This shocks the conscience,” said Richard Griffin, the former general counsel of the NLRB. “And if DOGE operatives captured and removed case files, it could constitute a violation of the Privacy Act.”

It was important for Berulis to tell the truth because he believes that people deserve to know how the government’s data and computer systems are protected. Berulis was an IT consultant and he said he would have been fired for operating like DOGE.

“I believe that it goes beyond case data, and I am convinced that’s what this is,” he said. “I know there are [people] at other agencies who have seen similar behavior. I firmly believe that this is happening maybe even to a greater extent at other agencies.”

“It was my goal by disclosing to Congress not to focus on me at all, but to give them information that they might not necessarily have, the things that you don’t necessarily look for unless you know where to look,” he continued.

Berulis’ Theorem: Detecting Breaking a Security Strategy in a Uniform State-Defined Attack on Mobile Devices

Berulis had a simple request for the DOGE engineers: “Be transparent. You don’t need to hide if you have nothing to hide. Being open is what efficiency is really about. If it is a huge misunderstanding, then prove it. Put it out there. That’s all I’m asking.”

“This could be the start of an operation. They still haven’t crossed that boundary where they’re plugged into every federal system out there,” he continued. Maybe there is some time left.

According to the disclosure, someone had disabled controls that would prevent insecure or unauthorized mobile devices from logging on to the system without the proper security settings. There was an interface exposed to the public internet, potentially allowing malicious actors access to their systems. Automatic turning off of internal alert and monitoring systems was found. It was not possible to have multifactor logins.

It would be easier if there was a list of key organizers and potential members of a union, as well as copies of the opposing counsel’s notes.