|
|
|
|
|
|
NLRB DOGE Whistleblower Incident: Malice? Incompetence? Both?
|
|
Earlier this week, whistleblower Daniel J. Berulis, a federal DevSecOps architect consulting at the National Labor Relations Board (NLRB), filed explosive disclosures with Congress and the U.S. Office of Special Counsel. Backed by Whistleblower Aid and Compass Rose Legal Group, Berulis alleges severe cybersecurity failures and possible foreign exfiltration linked to the Department of Government Efficiency.
|
He's also had to deal with explicit acts of intimidation in the time since.
|
Throughout this piece, we'll go through some of his claims, engage in some good-faith criticism, and hopefully demonstrate that this situation should act as a troubling temperature reading of the IT and cybersecurity environment that federal employees and contractors find themselves in.
|
An aside, for those who don't know: the NLRB is an independent U.S. government agency responsible for enforcing labor laws related to collective bargaining and unfair labor practices. It plays a central role in overseeing union elections and investigating disputes between employers, employees, and unions. Although independent, the NLRB is shaped largely by the sitting President through appointments and executive policy.
|
Who is Daniel Berulis?
Daniel J. Berulis is an IT professional with nearly two decades of experience. He has consulted in several positions for both Amazon and Google, as well as in other roles related to national security infrastructure. He has held (and presumably still holds) a Top Secret/SCI clearance. Now, as a DevSecOps architect at the NLRB, he is sounding the alarm on what he claims is an unprecedented breach.
|
|
|
At the time of his disclosure on April 14th, Berulis was working at the National Labor Relations Board, where he oversaw cybersecurity systems and practices. His background includes expertise in AWS and Azure architecture, infrastructure, security, and automation. His consulting work appears to revolve largely around modernizing corporate systems and cloud environments.
|
His disclosures allege that the now-infamous Department of Government Efficiency, or DOGE, gained highly privileged and unmonitored access to the NLRB’s internal systems in March of 2025, and that this access may have been exploited by foreign threat actors.
|
What Happened?
Berulis' disclosures were filed with multiple congressional committees and the U.S. Office of Special Counsel. They describe a deeply alarming chain of events involving potential insider-enabled cyber intrusions, foreign access to government systems, and even physical threats made against Berulis himself.
|
Most of the claims here are outlined in the disclosures. Additional ones from Berulis and his lawyers' press appearances are outlined later in this article.
|
The chain of events began in late February 2025, when Berulis and his colleagues were told by their supervisors that DOGE engineers would be visiting the NLRB. They were ordered to provide DOGE staff with high-level administrative access — specifically, “Tenant Owner” level accounts in Azure, Microsoft's cloud platform.
|
Tenant owner access is among the highest possible levels of administrative privilege. "Tenant owner" is not the name of a built-in Azure role; it most plausibly means Global Administrator in Microsoft Entra ID (the tenant's identity directory) combined with the Owner role over the subscriptions beneath it. Together those privileges reach everything the organization runs in the cloud: sensitive databases, identity and access management, security policies, billing, logs, and audit records. For some perspective: these permissions are so powerful that best practices from Microsoft and the U.S. government specifically warn against granting them to auditors or temporary staff, which describes the DOGE employees in this situation. What was allegedly done here at the NLRB for DOGE is a violation of the principle of least privilege.
|
Guidelines from NIST, Microsoft, and CISA clearly state that privileged access should be temporary, auditable, and tightly controlled. Without logs, no one can determine who accessed what, when, or why, which is a worst-case scenario in any security environment. It would also be a clear violation of FISMA, the statute that requires federal agencies to implement exactly these NIST-defined controls, audit logging included.
|
Despite this, Berulis says that the DOGE personnel were granted this level of access. His team was explicitly told not to log or document the creation of these accounts.
|
Granting DOGE personnel unrestricted, tenant-level access was already a significant security risk. But instructing staff not to log or document the creation of those accounts — in direct violation of federal cybersecurity standards — stripped the system of accountability and traceability.
|
Anomalies and Red Flags
Within fifteen minutes of these new DOGE accounts being created, Berulis alleges that there were around twenty attempts to log into them from IP addresses geolocated to Russia, specifically to Primorsky Krai, a region bordering China.
|
These attempts were blocked only because of a geographic restriction policy, but the system logs showed that the correct usernames and passwords were being used. That inference is sound for how Entra ID works: a location-based Conditional Access policy is evaluated only after the password check succeeds, so an attempt recorded as blocked by Conditional Access, rather than as a bad password, is one that already carried valid credentials. Whatever entity this was, it knew the credentials of the newly created, allegedly undocumented DOGE accounts.
|
|
|
"Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating." - Daniel J. Berulis
|
|
While that sounds pretty damning, it's more likely that the login attempts were from threat actors unrelated to DOGE. Automated attacks against cloud logins are common and often originate overseas: credential stuffing replays username/password pairs leaked from other breaches, and password spraying tries a short list of common passwords against many guessable usernames. A fifteen-minute-old account cannot appear in a breach dump, so for either technique to have produced correct credentials, the accounts would have needed predictable names (most U.S. government naming conventions are well known) and weak or reused passwords. They could have been targeted simply because they existed, not because they were specifically compromised or leaked.
|
I tend to think that the login attempts, should they be credible, had to be from vigilant but unprofessional threat actors. Obfuscating geolocation should be second nature to any skilled attacker. And if the login attempts from Russia were truly opportunistic, that raises another concern: why were the correct passwords guessable in the first place? Successful username/password matches within minutes of account creation point to poor password hygiene, weak default credentials, password reuse, or credentials exposed during setup (for example, shared over an unprotected channel).
|
All of these represent serious security failures in a high-privilege environment, and another potential FISMA violation.
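As an added example (not code from the original article, and not anything Berulis or the NLRB ran): the inference above, that a sign-in blocked by a location policy must already have presented a valid password, can be checked mechanically against Entra ID sign-in logs. The script below triages constructed sign-in records shaped like the Microsoft Graph signIn resource, separates "bad password" results (status code 50126) from "password accepted but blocked by Conditional Access" results (53003), and counts, per account, the out-of-country attempts that carried valid credentials within fifteen minutes of account creation. The account names, IPs, timestamps and creation times are all invented for the example.

```python
"""Triage Entra ID sign-in records around newly created privileged accounts.

Added example for this article; not code from the original post and not
anything the NLRB or DOGE ran. Inputs are constructed: the sign-in lines mimic
the Microsoft Graph `signIn` resource (userPrincipalName, createdDateTime,
ipAddress, location.countryOrRegion, status.errorCode) and the creation times
stand in for "Add user" audit-log events. IPs are from RFC 5737 test ranges.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Entra sign-in status codes. Conditional Access is evaluated only AFTER the
# first factor succeeds, so 53003 means the password was correct.
PASSWORD_ACCEPTED = {0, 53003, 50076, 50074}   # success / blocked by CA / MFA required
PASSWORD_REJECTED = {50126}                    # invalid username or password

ALLOWED_COUNTRIES = {"US"}
CREATION_WINDOW = timedelta(minutes=15)

# Constructed: creation times of the new accounts, as the audit log would record them.
ACCOUNT_CREATED = {
    "tenant-admin-a@agency.example": "2025-03-03T14:00:00Z",
    "tenant-admin-b@agency.example": "2025-03-03T14:01:30Z",
}

# Constructed sign-in records, one JSON object per line.
SIGNIN_LOG = r"""
{"userPrincipalName":"tenant-admin-a@agency.example","createdDateTime":"2025-03-03T14:04:10Z","ipAddress":"203.0.113.7","location":{"countryOrRegion":"RU"},"status":{"errorCode":53003}}
{"userPrincipalName":"tenant-admin-a@agency.example","createdDateTime":"2025-03-03T14:04:41Z","ipAddress":"203.0.113.7","location":{"countryOrRegion":"RU"},"status":{"errorCode":53003}}
{"userPrincipalName":"tenant-admin-b@agency.example","createdDateTime":"2025-03-03T14:09:02Z","ipAddress":"203.0.113.8","location":{"countryOrRegion":"RU"},"status":{"errorCode":50126}}
{"userPrincipalName":"tenant-admin-a@agency.example","createdDateTime":"2025-03-03T15:30:00Z","ipAddress":"198.51.100.4","location":{"countryOrRegion":"US"},"status":{"errorCode":0}}
{"userPrincipalName":"tenant-admin-b@agency.example","createdDateTime":"2025-03-04T02:15:00Z","ipAddress":"203.0.113.9","location":{"countryOrRegion":"RU"},"status":{"errorCode":0}}
"""


def parse_iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_signins(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def classify(event, created=ACCOUNT_CREATED, allowed=ALLOWED_COUNTRIES, window=CREATION_WINDOW):
    """Return the set of labels that apply to one sign-in record."""
    labels = set()
    code = event["status"]["errorCode"]
    country = event["location"]["countryOrRegion"]
    when = parse_iso(event["createdDateTime"])
    upn = event["userPrincipalName"]

    if country not in allowed:
        labels.add("out_of_country")
    if code in PASSWORD_ACCEPTED:
        labels.add("password_accepted")
    elif code in PASSWORD_REJECTED:
        labels.add("password_rejected")
    if code == 0 and country not in allowed:
        labels.add("GEO_POLICY_BYPASSED")      # a success the location policy should have blocked
    if upn in created and timedelta(0) <= when - parse_iso(created[upn]) <= window:
        labels.add("within_creation_window")
    return labels


def triage(signins, **kw):
    """Per-account counts of the combination that matters: a correct password
    presented from outside the allowed countries (and how soon after creation)."""
    summary = defaultdict(lambda: {"foreign_valid_password": 0, "foreign_valid_password_fresh": 0,
                                   "geo_bypass": 0, "password_rejected": 0})
    for e in signins:
        labels = classify(e, **kw)
        s = summary[e["userPrincipalName"]]
        if {"out_of_country", "password_accepted"} <= labels:
            s["foreign_valid_password"] += 1
            if "within_creation_window" in labels:
                s["foreign_valid_password_fresh"] += 1
        if "GEO_POLICY_BYPASSED" in labels:
            s["geo_bypass"] += 1
        if "password_rejected" in labels:
            s["password_rejected"] += 1
    return dict(summary)


if __name__ == "__main__":
    for upn, s in triage(parse_signins(SIGNIN_LOG)).items():
        print(upn, s)
```

Run as-is, it prints one summary line per account. In a real tenant the same records come from the signIns endpoint of Microsoft Graph or the SigninLogs table in Log Analytics, and the creation times from the audit log's "Add user" events. A GEO_POLICY_BYPASSED label (a successful sign-in from outside the allowed countries) means the location policy itself was changed or excluded that account, which is the more alarming finding than the blocked attempts.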
|
|
|
Between March 3rd and March 10th, Berulis and his team noticed large outbound data spikes, some traced back to NLRB's core database system, NxGen, which stores case files, union information, and confidential corporate data. Berulis estimated that at least 10 gigabytes of data were exfiltrated; if the data was compressed before transfer, the underlying volume could have been much larger.
|
He alleges that the team found hidden resources and evidence of deleted logs: containerized applications, expired storage access tokens (in Azure, storage is often reached with shared access signatures, time-limited tokens that work without a named user identity and are easy to overlook once expired), and missing Azure logs. According to the disclosure, even Microsoft's internal monitoring tools couldn't account for some of these activities. None of these is a smoking gun on its own, but short-lived containers and tokens are exactly how one quietly runs code or reads data without leaving an obvious trace, and once logs are missing or deliberately erased it becomes nearly impossible to establish what was done or who did it.
|
They found evidence that external GitHub libraries had been downloaded, including tools for web scraping, IP rotation, and headless browsing, all of which are associated with espionage, automation, or exfiltration scripts.
|
While these tools can be used for malicious purposes, the mere act of downloading them doesn’t prove intent. Their use should raise concern, especially in a secure government environment, but without logs, it’s impossible to say what was executed.
|
|
|
|
|
Multi-factor authentication was disabled on some systems. Conditional Access policies were altered without explanation. Network logging was turned off. Taken together, these changes removed the security team's ability to monitor the DOGE team's activity.
|
Cloud billing data showed spikes in usage without any corresponding resources appearing on standard dashboards. The suggestion is that the DOGE team used hidden or temporary resources that had already been deleted. That pattern is consistent with how Azure reports: cost data keeps the consumption of resources that no longer exist, while the portal's resource views show only what exists right now, so compute created and torn down between inventory checks leaves a bill but no dashboard entry. The Activity Log is the record that should reconcile the two, which is why its absence matters.
|
Each of these indicators on their own might be explained by benign configuration errors, or internal inefficiencies. However, taken together, and when paired with the disappearance of logs and the lack of proper account tracking, they form a troubling pattern.
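As an added example (not the article's own code, and not anything from the disclosure): the indicators in the last few paragraphs, disabled MFA, altered Conditional Access, removed logging, and compute that shows up in the bill but not on the dashboard, are each recorded as a discrete operation in the Entra audit log or the Azure Activity Log, and the "troubling pattern" is something a script can reconstruct. The code below does that over constructed events. It assumes the two logs have been normalized to a common shape (time, op, actor, target); the op names are real Entra activityDisplayName values and Azure Resource Manager operationName values, but the actors, targets and timestamps are invented for the example.

```python
"""Reconstruct a visibility-degradation timeline from Entra audit and Azure Activity Log events.

Added example for this article, not code from the original post or from the
disclosure. Events are constructed and pre-normalized to {time, op, actor, target};
`op` carries an Entra audit activityDisplayName or an ARM operationName.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Operations that weaken authentication or remove telemetry. The first three are
# Entra audit log activityDisplayName values; the rest are ARM operationName values.
VISIBILITY_DEGRADING = {
    "Update conditional access policy": "Conditional Access policy changed",
    "Delete conditional access policy": "Conditional Access policy removed",
    "Disable Strong Authentication": "per-user MFA disabled",
    "Microsoft.Insights/diagnosticSettings/delete": "diagnostic log export removed",
    "Microsoft.Network/networkWatchers/flowLogs/delete": "NSG flow logging removed",
}
# Create/delete pairs for compute that can run a job and vanish before anyone looks.
EPHEMERAL_CREATE = {"Microsoft.ContainerInstance/containerGroups/write"}
EPHEMERAL_DELETE = {"Microsoft.ContainerInstance/containerGroups/delete"}
SHORT_LIVED = timedelta(hours=6)

# Constructed events: actors, targets and times are invented; op names are real.
EVENTS = r"""
{"time":"2025-03-04T09:00:00Z","op":"Update conditional access policy","actor":"tenant-admin-a@agency.example","target":"CA: Require MFA for admins"}
{"time":"2025-03-04T09:02:00Z","op":"Disable Strong Authentication","actor":"tenant-admin-a@agency.example","target":"tenant-admin-a@agency.example"}
{"time":"2025-03-04T09:05:00Z","op":"Microsoft.Insights/diagnosticSettings/delete","actor":"tenant-admin-a@agency.example","target":"rg-data/sqlServers/case-db/diagnosticSettings/to-siem"}
{"time":"2025-03-04T09:10:00Z","op":"Microsoft.ContainerInstance/containerGroups/write","actor":"tenant-admin-a@agency.example","target":"rg-ops/containerGroups/job-1"}
{"time":"2025-03-04T10:00:00Z","op":"Microsoft.ContainerInstance/containerGroups/write","actor":"ops-user@agency.example","target":"rg-ops/containerGroups/nightly-etl"}
{"time":"2025-03-04T11:40:00Z","op":"Microsoft.ContainerInstance/containerGroups/delete","actor":"tenant-admin-a@agency.example","target":"rg-ops/containerGroups/job-1"}
{"time":"2025-03-04T14:00:00Z","op":"Microsoft.Network/networkWatchers/flowLogs/delete","actor":"tenant-admin-a@agency.example","target":"rg-net/networkWatchers/nw-eastus/flowLogs/vnet-core"}
"""


def load_events(text):
    """Parse one JSON object per line and sort by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda e: e["ts"])


def visibility_changes(events):
    """Every operation that reduced monitoring or weakened authentication, in order."""
    return [(e["time"], e["actor"], VISIBILITY_DEGRADING[e["op"]], e["target"])
            for e in events if e["op"] in VISIBILITY_DEGRADING]


def short_lived_resources(events, max_life=SHORT_LIVED):
    """Resources created and deleted within max_life: present in cost data, absent
    from any inventory taken after the delete. Returns (target, deleter, minutes)."""
    created, found = {}, []
    for e in events:
        if e["op"] in EPHEMERAL_CREATE:
            created.setdefault(e["target"], e)        # first write is the creation
        elif e["op"] in EPHEMERAL_DELETE and e["target"] in created:
            life = e["ts"] - created.pop(e["target"])["ts"]
            if life <= max_life:
                found.append((e["target"], e["actor"], life.total_seconds() / 60))
    return found


def actors_of_concern(events):
    """Actors who both degraded visibility and ran short-lived compute. Either alone
    can be routine admin work; the combination is what warrants a closer look."""
    score = defaultdict(lambda: {"visibility_changes": 0, "short_lived_resources": 0})
    for _, actor, _, _ in visibility_changes(events):
        score[actor]["visibility_changes"] += 1
    for _, actor, _ in short_lived_resources(events):
        score[actor]["short_lived_resources"] += 1
    return {a: s for a, s in score.items()
            if s["visibility_changes"] and s["short_lived_resources"]}


if __name__ == "__main__":
    evs = load_events(EVENTS)
    for row in visibility_changes(evs):
        print("VISIBILITY", *row)
    for row in short_lived_resources(evs):
        print("SHORT-LIVED", *row)
    print("ACTORS", actors_of_concern(evs))
```

The point of scoring on the combination rather than on any single operation is that each of these events is also what a legitimate administrator does during a migration; the ops-user account above creates a container and is never flagged. What the script cannot do is recover events that were never written, which is exactly the situation the disclosure describes when diagnostic settings are deleted first.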
|
There's an argument that some of Berulis' claims rest on circumstantial or observational evidence, rather than forensic proof, and that common DevOps tools and behavior have been framed in an unusually suspicious light. Still, the core issue seems to be that the NLRB was operating blind, either by design or by neglect.
|
In his interview appearances, Berulis insists that he has tried repeatedly to find a benign explanation, to prove the negative, and that the situation still doesn't look good.
|
|
|
"I believe if that was true, we would have access to the code they were running. We would be able to see these things they were hiding, and that's all that I'm asking for, here." - Daniel J. Berulis to CNN
|
|
Attempts to Investigate
Berulis and his team flagged these anomalies internally. Initially, his supervisor, Prem Aburvasamy, was supportive. They created a working group and considered escalating to US-CERT, the incident-reporting function of the Cybersecurity and Infrastructure Security Agency (CISA). It should be noted that CISA itself has become a target of massive cuts by the Trump administration, and that its former chief, Chris Krebs, was recently targeted as an ideological enemy by Trump.
|
Between April 3rd and 4th, Berulis says they were explicitly told not to move forward with the report. The order to stand down could be seen as valid, since the DOGE team, after all, was allowed to be there. But authorized presence is not the same as authorized activity: unexplained data egress and deleted logs are reportable incidents regardless of who caused them. It isn't out of the question that US-CERT might not have considered the incident a breach, but the constellation of observations makes the decision highly suspect.
|
Intimidation
On April 7th, while Berulis and his legal team were preparing the disclosure, someone taped a threatening note to his front door, along with drone photographs of him walking his dog near an address he'd only resided at for two months.
|
The note referenced the specific disclosure that he was in the middle of drafting at the time, implying that the threat came from someone with inside knowledge of his whistleblower activity. His legal team immediately flagged this as a potential violation of multiple federal statutes, including witness intimidation, obstruction of oversight, and retaliation against a whistleblower.
|
If these allegations hold, this could be one of the most serious breaches of labor-related government data in U.S. history, coupled with potentially criminal obstruction of reporting mechanisms. But there are still more allegations against the DOGE team that weren't outlined in the disclosure documents.
|
Additional Claims
|
|
In the past several days, Berulis and his lawyers have made the rounds, doing several high-profile media interviews. The disclosure documents on their face are quite strong, and point to, at the very least, negligence and a lack of transparency by the DOGE staff.
|
However, in these interviews, Berulis and his lawyers make additional damning statements about DOGE that suggest there is more to the story than we've seen in the documents.
|
I want to point out that the following allegations were made either by or in the presence of Daniel Berulis' attorney, Andrew Bekaj, of Whistleblower Aid. Whistleblower Aid is an organization that I have little reason to be unsupportive of, and Bekaj is an experienced legal representative with a laudable agenda. Given the legal exposure that comes with public statements like these, I would assume the allegations are well-considered and ready to be defended, but it would be irresponsible not to point out where they may be inaccurate.
|
One of the most significant claims is an assertion that backdoors were being put into government systems so that classified data could be passed through Starlink networks. While it absolutely wouldn't surprise me, there is an assumption in here that anything DOGE touches inevitably brings Starlink into the equation, and that this is a bad thing.
|
In interviews on PBS, CNN, and MSNBC, Bekaj takes this a step further and reiterates claims that information flowing through Starlink goes directly to Russia.
|
Needless to say, that is a huge accusation. Bekaj attributes the Department of Defense's decision to stop using Starlink to this same reason.
|
|
|
An additional claim made in these interviews is that critical infrastructure and databases in other government agencies, such as the Department of Energy, have been exposed to the open internet. Bekaj raises this broader concern in the MSNBC and CNN interviews. It echoes a wider fear among intelligence community and cybersecurity professionals that there is a government-wide breakdown in information assurance practices.
|
I also have to say that the claim that Starlink data is routed through Russia lacks substantiated evidence. It's a bit of a mixed bag that deserves clarification:
|
No credible sources confirm that Starlink's data traffic is intentionally or routinely routed through Russian infrastructure. Starlink's network is designed to carry data through its satellite constellation to ground stations in countries where it is licensed to operate, and Russia is not among them. The system uses encryption and geofencing to prevent unauthorized access and usage, though Starlink admits that blocking illicit use is a challenge.
|
With the right tinkering, it's possible that Russian threat actors may have found a way to illegitimately route such data, but the idea that they'd do so without adequately covering their tracks is a bit laughable.
|
I do agree that reliance on Starlink seems ill-advised. I have numerous complaints about it, but I'm pointing these specific arguments out to offer some context as one might connect the dots that Bekaj lays down in his public statements.
|
|
|
"...Last year the Department of Defense had stopped using Starlink in any way shape or form, because that is viewed as a direct pipeline." - Whistleblower Aid Chief Legal Council, Andrew Bekaj, to MSNBC
|
|
Why Cry "Russia", When Greed And Stupidity Will Do?
All of that said, I still broadly agree with the efforts of Berulis and his legal team. The onslaught of attacks on the cybersecurity apparatus of the U.S. government since January, and by DOGE in particular, is impossible to ignore (as are many of their other transgressions). Starlink and DOGE are clearly doing things in ways that shouldn't be allowed to stand. Even if Berulis' disclosure were based on nothing, the threats alone point to a feared, sycophantic culture change within the U.S. government that values loyalty over expertise or procedure.
|
Elon Musk's leadership of DOGE is a blatant conflict of interest, never mind Starlink, SpaceX, and the traditional conflicts that come with his status as a government contractor. There is a pattern here: a number of federal entities have faced the kind of treatment Berulis describes under DOGE.
|
I believe this story isn’t just about one whistleblower or one incident. It’s about the growing fragility of oversight and accountability in an environment where cybersecurity expertise is treated as an obstacle rather than a necessary tool for protecting Americans' private data. Whether or not every technical allegation in the disclosures holds up under forensic scrutiny, the trajectory of the federal government that Berulis points to is alarming enough. It's damning how believable the whole incident is.
|
What I worry about is that so many people get tied up in the foreign interference angle of what's going on here, "crying 'Russia'", when it seems obvious to me that what's happening is more likely a combination of greed and stupidity: the real nature of "moving fast and breaking things" when the "thing" being broken is the government of the most powerful nation in history, and when the "moving fast" is "running from the regulators".
|
Privacy and cybersecurity aren't optional hurdles for oligarchs trying to line their pockets. They should be a right afforded to everyone as much as their physical security and freedom of speech.
|
If there's a silver lining, it at least seems like they're committed to hiring complete clowns.
|
|
|
|
|
|
|
Stay safe, and always remember: 🦉 Hail Moloch! 🐂
|
|
|
|
|
|