
Claude: Based on the documents provided, I'll analyze the whistleblower's claims regarding DOGE activities at the National Labor Relations Board (NLRB) and potential connections to Russia.

"From our understanding, Russia has a direct pipeline through Starlink, which means everything going through Starlink is going to Russia" (from Berulis' attorney in CNN interview)


DOGE Data Breach Analysis: Whistleblower Claims and Russian Connection

Based on the documents provided, I'll analyze the whistleblower's claims regarding DOGE activities at the National Labor Relations Board (NLRB) and potential connections to Russia.

A) Timeline of Events According to Whistleblower Daniel Berulis

Preparation Phase (Late February 2025)

  • NLRB staff were instructed to be physically present in the office for DOGE's arrival

  • DOGE engineers requested information about NLRB's software, hardware, and data storage systems

DOGE Access Period (Early March 2025)

  • March 3: DOGE team arrived at NLRB with a black SUV and police escort

  • NLRB staff were instructed not to follow standard operating procedures for account creation

  • DOGE officials demanded "tenant owner" level access accounts (highest level privileges)

  • Staff were told to "stay out of DOGE's way" and not resist any access requests

Suspicious Activities Observed

  • March 4-6: Berulis discovered anomalous "container" records and expired storage tokens

  • Security monitoring systems were switched off

  • Multi-factor authentication was disabled

  • Network Watcher in Azure was turned off, preventing data collection

  • Conditional access policies were changed without documentation or approvals

  • Controls preventing unauthorized mobile devices from logging in were disabled

Data Exfiltration

  • Berulis observed approximately 10GB of data leaving the NxGen case management system

  • Large spike in outbound network traffic without corresponding inbound traffic

  • Abnormal DNS requests increased by "an order of magnitude"

  • Data likely included sensitive information on unions, ongoing legal cases, and corporate secrets

Russian Connection

  • Within minutes (about 15) of DOGE creating the accounts, a user with a Russian IP address attempted to log in

  • The Russian user had the correct username and password for the DOGE accounts

  • Over 20 login attempts from Russia were blocked only because of a no-foreign-logins policy

  • These attempts came from Primorskiy Krai, Russia
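
The timing pattern in the list above (sign-in attempts from outside the country within 15 minutes of account creation, made with the correct password and stopped only by policy) is something a defender can search identity logs for. The sketch below is an added example, not part of the disclosure or the original post; the record fields, account names, addresses and dates are constructed, and the log schema is an assumption rather than any product's real format.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)   # how soon after creation a sign-in is suspicious
HOME_COUNTRIES = {"US"}          # assumption: mirrors a no-foreign-logins policy

# Constructed audit-log records (account lifecycle events).
AUDIT = [
    {"time": "2025-01-01T10:00:00", "op": "user_created", "user": "svc-temp-01"},
    {"time": "2025-01-01T10:05:00", "op": "user_created", "user": "svc-temp-02"},
]

# Constructed sign-in records; IPs come from documentation ranges.
SIGNINS = [
    {"time": "2025-01-01T10:07:00", "user": "svc-temp-01", "ip": "203.0.113.10",
     "country": "RU", "password_ok": True, "result": "blocked_by_policy"},
    {"time": "2025-01-01T10:40:00", "user": "svc-temp-01", "ip": "203.0.113.10",
     "country": "RU", "password_ok": True, "result": "blocked_by_policy"},
    {"time": "2025-01-01T10:09:00", "user": "svc-temp-02", "ip": "198.51.100.7",
     "country": "US", "password_ok": True, "result": "allowed"},
    {"time": "2025-01-01T10:12:00", "user": "svc-temp-02", "ip": "203.0.113.44",
     "country": "RU", "password_ok": False, "result": "failed"},
    {"time": "2025-01-01T10:03:00", "user": "old-admin", "ip": "203.0.113.10",
     "country": "RU", "password_ok": True, "result": "blocked_by_policy"},
]

def find_early_foreign_signins(audit, signins, window=WINDOW, home=HOME_COUNTRIES):
    """Return foreign sign-in attempts made within `window` of account creation."""
    created = {e["user"]: datetime.fromisoformat(e["time"])
               for e in audit if e["op"] == "user_created"}
    hits = []
    for s in signins:
        born = created.get(s["user"])
        if born is None or s["country"] in home:
            continue  # not a newly created account, or a domestic sign-in
        delta = datetime.fromisoformat(s["time"]) - born
        if timedelta(0) <= delta <= window:
            hits.append({
                "user": s["user"], "ip": s["ip"], "country": s["country"],
                "minutes_after_creation": int(delta.total_seconds() // 60),
                # A correct password on a minutes-old account means the secret
                # was already known elsewhere; a wrong one points to guessing.
                "kind": "valid-credentials" if s["password_ok"] else "failed-password",
            })
    return hits

if __name__ == "__main__":
    for hit in find_early_foreign_signins(AUDIT, SIGNINS):
        print(hit)
```

The "valid-credentials" hits deserve the most attention, since the only control that stopped them was the location policy.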

Aftermath and Obstruction

  • NLRB IT team launched a formal security breach investigation

  • Between April 3-4, NLRB leadership instructed Berulis to "drop the US-CERT reporting and investigation"

  • On April 7, Berulis received a threatening note at his home with drone photos of him walking in his neighborhood

  • The note specifically referenced his whistleblower disclosure that was being prepared

B) Surprising, Controversial, and Valuable Statements in the Complaint

Surprising Statements

  1. "Within minutes of DOGE personnel creating user accounts in NLRB systems, on multiple occasions someone or something within Russia attempted to login using all of the valid credentials"

  2. "This token was odd and stood out to us because it was configured to expire quickly after creation and use, making it harder to gain insight into what it was used for during its lifetime"

  3. "There were more than 20 such attempts [from Russia], and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers"

  4. DOGE engineers downloaded tools including one "to utilize AWS API Gateway's large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing"

Controversial Statements

  1. "From our understanding, Russia has a direct pipeline through Starlink, which means everything going through Starlink is going to Russia" (from Berulis' attorney in CNN interview)

  2. "We as an agency have not evolved to account for [insider threats]. We were looking for [bad actors] outside"

  3. "I firmly believe that this is happening maybe even to a greater extent at other agencies"

  4. "NLRB said it would cooperate with any investigations that stem from Berulis' disclosure to Congress" despite denying that DOGE ever had access to its systems

Valuable Statements for Investigation

  1. "Although they may have had new accounts created, then deleted after, our latest SCuBA using CISA's tool showed 2 extra high level permission accounts that we did not know the origin of"

  2. "In the same time window unknown (or deleted) accounts created access keys for resources in the subscriptions under the tenant"

  3. "I believe with all my heart that this goes far beyond just case data. I know there are [people] at other agencies who have seen similar behavior"

  4. "I saw five PowerShell downloads on the system... libraries that... appeared to be designed to automate and mask data exfiltration"

C) Potential Connections Between DOGE and Russia

Direct Evidence

  1. Rapid Login Attempts: Russian IP addresses attempted to access NLRB systems within 15 minutes of DOGE creating new accounts

  2. Valid Credentials: The Russian login attempts had correct usernames and passwords, suggesting a direct leak of credentials

  3. Timing Correlation: The login attempts coincided precisely with DOGE's activities at NLRB

Indirect Connections

  1. Starlink Claim: Berulis' attorney claimed "Russia has a direct pipeline through Starlink," suggesting DOGE's use of Starlink satellite connections may have exposed data

  2. Obfuscation Techniques: DOGE's methods matched those used by foreign hackers according to experts quoted in the articles

  3. Evasive Behavior: Disabling security monitoring, logging, and multi-factor authentication mirrors tactics of Russian threat actors according to a quoted threat intelligence researcher

Speculative Reasons for Potential Russia Connection

  1. Data Harvesting: Russian intelligence may be interested in sensitive labor relations data for economic intelligence

  2. Compromised Personnel: DOGE staff may have been compromised or may include individuals with Russian connections

  3. Third-Party Data Sharing: Data may be transferred to third parties who then share with Russian entities

  4. Targeting Vulnerabilities: Russia may be opportunistically exploiting the security holes created by DOGE

  5. Technical Infrastructure: The use of tools that generate "pseudo-infinite IPs" could be used to mask connections to Russian servers

D) Risks Associated with This Situation if Claims Are True

National Security Risks

  1. Foreign Intelligence Access: Sensitive government information potentially accessible to foreign adversaries

  2. Compromised Systems: DOGE may have created persistent backdoors in federal systems

  3. Cascading Access: Initial breaches could spread to other connected government systems

  4. Intelligence Gathering: Foreign entities could use the data to identify US vulnerabilities

Legal Risks

  1. Privacy Act Violations: Unlawful disclosure of protected personal information

  2. FISMA Violations: Clear breaches of Federal Information Security Modernization Act requirements

  3. Whistleblower Intimidation: Physical threats against a federal whistleblower

  4. Legal Liability: Potential lawsuits from individuals whose data was compromised

Labor Relations Risks

  1. Chilling Effect: Workers may fear filing complaints with NLRB if they believe data isn't secure

  2. Exposure of Union Activities: Sensitive information about union organizing could be used against workers

  3. Case Compromise: Ongoing legal cases could be compromised if confidential information was leaked

  4. Trust Erosion: Public trust in NLRB as an independent arbiter could be damaged

Corporate and Economic Risks

  1. Trade Secrets Exposed: Proprietary business information from labor cases could be compromised

  2. Competitive Intelligence: Companies with cases before NLRB could have sensitive information exposed to competitors

  3. Market Manipulation: If information leaked includes market-sensitive data, it could be used for economic advantage

  4. Conflict of Interest: Musk companies (SpaceX, Tesla) have active cases before NLRB, creating significant conflicts

Institutional Risks

  1. Loss of Institutional Independence: DOGE's access to independent agencies threatens separation of powers

  2. Undermining Federal Workforce: The intimidation and targeting of civil servants threatens government functionality

  3. Erosion of Data Integrity: Federal data systems may no longer be trusted as accurate or secure

  4. Precedent Setting: Similar breaches could occur across other agencies if not addressed

Bibliography

  1. NBC News. "Federal employee alleges DOGE activity resulted in data breach at labor board." https://www.nbcnews.com/tech/security/federal-employee-alleges-doge-activity-resulted-data-breach-labor-boar-rcna201425

  2. NPR. "Whistleblower details how DOGE may have taken sensitive NLRB data." https://www.npr.org/2025/04/15/nx-s1-5355896/doge-nlrb-elon-musk-spacex-security

  3. Nextgov/FCW. "User with Russian IP address tried to log into NLRB systems following DOGE access, whistleblower says." https://www.nextgov.com/cybersecurity/2025/04/user-russian-ip-address-tried-log-nlrb-systems-following-doge-access-whistleblower-says/404574/

  4. Alternet. "'Really disturbing': DOGE whistleblower describes ominous threat he received at his home." https://www.alternet.org/disturbing-doge-whistleblower-threatened/

  5. Whistleblower Aid. "Protected Whistleblower Disclosure - April 14, 2025." From Daniel J. Berulis to Senate Committee on Health, Education, Labor and Pensions and House Committee on Oversight and Government Reform.
