{"id":3429,"date":"2025-04-22T03:03:31","date_gmt":"2025-04-22T03:03:31","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/04\/22\/whistleblower-doge-siphoned-nlrb-case-data\/"},"modified":"2025-04-22T03:03:31","modified_gmt":"2025-04-22T03:03:31","slug":"whistleblower-doge-siphoned-nlrb-case-data","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/04\/22\/whistleblower-doge-siphoned-nlrb-case-data\/","title":{"rendered":"Whistleblower: DOGE Siphoned NLRB Case Data"},"content":{"rendered":"<div>\n<p>A security architect with the <strong>National Labor Relations Board<\/strong> (NLRB) alleges that employees from <strong>Elon Musk<\/strong>\u2019s <strong>Department of Government Efficiency<\/strong> (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. 
The NLRB whistleblower said the unusually large data outflows coincided with multiple blocked login attempts from an Internet address in Russia that tried to use valid credentials for a newly-created DOGE user account.<\/p>\n<div id=\"attachment_71048\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" loading=\"lazy\" aria-describedby=\"caption-attachment-71048\" decoding=\"async\" class=\" wp-image-71048\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/beruliscomplaint.png?resize=749%2C823&#038;ssl=1\" alt=\"\" width=\"749\" height=\"823\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/beruliscomplaint.png 786w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/beruliscomplaint-768x844.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/beruliscomplaint-782x860.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/p>\n<p id=\"caption-attachment-71048\" class=\"wp-caption-text\">The cover letter from Berulis\u2019s whistleblower statement, sent to the leaders of the Senate Select Committee on Intelligence.<\/p>\n<\/div>\n<p>The allegations came in an April 14 letter to the Senate Select Committee on Intelligence, signed by <strong>Daniel J. 
Berulis<\/strong>, a 38-year-old security architect at the NLRB.<\/p>\n<p><strong>NPR<\/strong>, which was the <a href=\"https:\/\/www.npr.org\/2025\/04\/15\/nx-s1-5355896\/doge-nlrb-elon-musk-spacex-security\" target=\"_blank\" rel=\"noopener\">first to report<\/a> on Berulis\u2019s whistleblower complaint, says NLRB is a small, independent federal agency that investigates and adjudicates complaints about unfair labor practices, and stores \u201creams of potentially sensitive data, from confidential information about employees who want to form unions to proprietary business information.\u201d<\/p>\n<p>The complaint documents a one-month period beginning March 3, during which DOGE officials reportedly demanded the creation of all-powerful \u201ctenant admin\u201d accounts in NLRB systems that were to be exempted from network logging activity that would otherwise keep a detailed record of all actions taken by those accounts.<\/p>\n<p>Berulis said the new DOGE accounts had unrestricted permission to read, copy, and alter information contained in NLRB databases. The new accounts also could restrict log visibility, delay retention, route logs elsewhere, or even remove them entirely \u2014 top-tier user privileges that neither Berulis nor his boss possessed.<\/p>\n<p>Berulis writes that on March 3, a black SUV accompanied by a police escort arrived at his building \u2014 the NLRB headquarters in Southeast Washington, D.C. 
The DOGE staffers did not speak with Berulis or anyone else in NLRB\u2019s IT staff, but instead met with the agency leadership.<\/p>\n<p>\u201cOur acting chief information officer told us not to adhere to standard operating procedure with the DOGE account creation, and there was to be no logs or records made of the accounts created for DOGE employees, who required the highest level of access,\u201d Berulis wrote of their instructions after that meeting.<\/p>\n<p>\u201cWe have built in roles that auditors can use and have used extensively in the past but would not give the ability to make changes or access subsystems without approval,\u201d he continued. \u201cThe suggestion that they use these accounts was not open to discussion.\u201d<\/p>\n<p>Berulis found that on March 3 one of the DOGE accounts created an opaque, virtual environment known as a \u201ccontainer,\u201d which can be used to build and run programs or scripts without revealing its activities to the rest of the world. Berulis said the container caught his attention because he polled his colleagues and found none of them had ever used containers within the NLRB network.<\/p>\n<p>Berulis said he also noticed that early the next morning \u2014 between approximately 3 a.m. and 4 a.m. EST on Tuesday, March 4\u00a0 \u2014 there was a large increase in outgoing traffic from the agency. He said it took several days of investigating with his colleagues to determine that one of the new accounts had transferred approximately 10 gigabytes worth of data from the NLRB\u2019s <strong>NxGen<\/strong> case management system.<\/p>\n<p>Berulis said neither he nor his co-workers had the necessary network access rights to review which files were touched or transferred \u2014 or even where they went. 
But his complaint notes the NxGen database contains sensitive information on unions, ongoing legal cases, and corporate secrets.<\/p>\n<p>\u201cI also don\u2019t know if the data was only 10gb in total or whether or not they were consolidated and compressed prior,\u201d Berulis told the senators. \u201cThis opens up the possibility that even more data was exfiltrated. Regardless, that kind of spike is extremely unusual because data almost never directly leaves NLRB\u2019s databases.\u201d<\/p>\n<p>Berulis said he and his colleagues grew even more alarmed when they noticed nearly two dozen login attempts from a Russian Internet address (83.149.30.186) that presented valid login credentials for a DOGE employee account \u2014 one that had been created just minutes earlier. Berulis said those attempts were all blocked thanks to rules in place that prohibit logins from non-U.S. locations.<\/p>\n<p>\u201cWhoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating,\u201d Berulis wrote. 
\u201cThere were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers.\u201d<\/p>\n<p>According to Berulis, the naming structure of one Microsoft user account connected to the suspicious activity suggested it had been created and later deleted for DOGE use in the NLRB\u2019s cloud systems: \u201c<strong>DogeSA_2d5c3e0446f9@nlrb.microsoft.com<\/strong>.\u201d He also found other new Microsoft cloud administrator accounts with nonstandard usernames, including \u201c<strong>Whitesox, Chicago M.<\/strong>\u201d and \u201c<strong>Dancehall, Jamaica R<\/strong>.\u201d<\/p>\n<div id=\"attachment_71042\" style=\"width: 759px\" class=\"wp-caption aligncenter\">\n<a href=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/whitesoxchicago.png?ssl=1\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71042\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-71042\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/whitesoxchicago.png?resize=749%2C556&#038;ssl=1\" alt=\"\" width=\"749\" height=\"556\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/whitesoxchicago.png 1072w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/whitesoxchicago-768x570.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/whitesoxchicago-782x581.png 782w\" sizes=\"(max-width: 749px) 100vw, 749px\"><\/a><\/p>\n<p id=\"caption-attachment-71042\" class=\"wp-caption-text\">A screenshot shared by Berulis showing the suspicious user accounts.<\/p>\n<\/div>\n<p>On March 5, Berulis documented that a large section of logs for recently created network resources were missing, and a network watcher in <strong>Microsoft Azure<\/strong> was set to the \u201coff\u201d state, meaning it was no longer collecting and recording data like it 
should have.<\/p>\n<p>Berulis said he discovered someone had downloaded three external code libraries from <strong>GitHub<\/strong> that neither NLRB nor its contractors ever use. A \u201creadme\u201d file in one of the code bundles explained it was created to rotate connections through a large pool of cloud Internet addresses that serve \u201cas a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.\u201d Brute force attacks involve automated login attempts that try many credential combinations in rapid sequence.<\/p>\n<p>The complaint alleges that by March 17 it became clear the NLRB no longer had the resources or network access needed to fully investigate the odd activity from the DOGE accounts, and that on March 24, the agency\u2019s associate chief information officer had agreed the matter should be reported to <strong>US-CERT<\/strong>. Operated by the Department of Homeland Security\u2019s <strong>Cybersecurity and Infrastructure Security Agency<\/strong> (CISA), US-CERT provides on-site cyber incident response capabilities to federal and state agencies.<\/p>\n<p>But Berulis said that between April 3 and 4, he and the associate CIO were informed that \u201cinstructions had come down to drop the US-CERT reporting and investigation and we were directed not to move forward or create an official report.\u201d Berulis said it was at this point he decided to go public with his findings.<span id=\"more-71035\"><\/span><\/p>\n<div id=\"attachment_71050\" style=\"width: 695px\" class=\"wp-caption aligncenter\">\n<a href=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/berulis-mar4-spike.png?ssl=1\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71050\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-71050 size-full\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/berulis-mar4-spike.png?resize=685%2C908&#038;ssl=1\" alt=\"\" 
width=\"685\" height=\"908\"><\/a><\/p>\n<p id=\"caption-attachment-71050\" class=\"wp-caption-text\">An email from Daniel Berulis to his colleagues dated March 28, referencing the unexplained traffic spike earlier in the month and the unauthorized changing of security controls for user accounts.<\/p>\n<\/div>\n<p><strong>Tim Bearese<\/strong>, the NLRB\u2019s acting press secretary, told NPR that DOGE neither requested nor received access to its systems, and that \u201cthe agency conducted an investigation after Berulis raised his concerns but \u2018determined that no breach of agency systems occurred.&#8217;\u201d The NLRB did not respond to questions from KrebsOnSecurity.<\/p>\n<p>Nevertheless, Berulis has shared a number of supporting screenshots showing agency email discussions about the unexplained account activity attributed to the DOGE accounts, as well as NLRB security alerts from Microsoft about network anomalies observed during the timeframes described.<\/p>\n<p>As <strong>CNN<\/strong> <a href=\"https:\/\/www.cnn.com\/2025\/02\/15\/business\/nlrb-trump-musk-workers\/index.html#:~:text=Musk's%20SpaceX%20brought%20a%20case,it%20for%20firing%20some%20employees.\" target=\"_blank\" rel=\"noopener\">reported<\/a> last month, the NLRB has been effectively hobbled since <strong>President Trump<\/strong> fired three board members, leaving the agency without the quorum it needs to function.<\/p>\n<p>\u201cDespite its limitations, the agency had become a thorn in the side of some of the richest and most powerful people in the nation \u2014 notably Elon Musk, Trump\u2019s key supporter both financially and arguably politically,\u201d CNN wrote.<\/p>\n<p>Both <strong>Amazon<\/strong> and Musk\u2019s <strong>SpaceX<\/strong> have <a href=\"https:\/\/apnews.com\/article\/amazon-nlrb-unconstitutional-spacex-elon-musk-ab42977117d883e97110a7bf8e8b257f\" target=\"_blank\" rel=\"noopener\">been suing<\/a> the NLRB over complaints the agency filed in disputes about 
workers\u2019 rights and union organizing, arguing that the NLRB\u2019s very existence is unconstitutional. On March 5, a U.S. appeals court <a href=\"https:\/\/www.reuters.com\/legal\/government\/musks-spacex-loses-early-legal-challenge-us-labor-boards-powers-2025-03-05\/\" target=\"_blank\" rel=\"noopener\">unanimously rejected<\/a> Musk\u2019s claim that the NLRB\u2019s structure somehow violates the Constitution.<\/p>\n<p>Berulis shared screenshots with KrebsOnSecurity showing that on the day NPR published its story about his claims (April 14), the deputy CIO at NLRB sent an email stating that administrative control had been removed from all employee accounts. Meaning, suddenly none of the IT employees at the agency could do their jobs properly anymore, Berulis said.<\/p>\n<div id=\"attachment_71043\" style=\"width: 760px\" class=\"wp-caption aligncenter\">\n<a href=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/noadmin-nlrb.png?ssl=1\" target=\"_blank\" rel=\"noopener\"><img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71043\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-71043\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/noadmin-nlrb.png?resize=750%2C377&#038;ssl=1\" alt=\"\" width=\"750\" height=\"377\" srcset=\"https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/noadmin-nlrb.png 1046w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/noadmin-nlrb-768x386.png 768w, https:\/\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/noadmin-nlrb-782x393.png 782w\" sizes=\"(max-width: 750px) 100vw, 750px\"><\/a><\/p>\n<p id=\"caption-attachment-71043\" class=\"wp-caption-text\">An email from the NLRB\u2019s associate chief information officer Eric Marks, notifying employees they will lose security administrator privileges.<\/p>\n<\/div>\n<p>Berulis shared a screenshot of an agency-wide email dated April 16 from NLRB director <strong>Lasharn 
Hamilton<\/strong>\u00a0saying DOGE officials had requested a meeting, and reiterating claims that the agency had no prior \u201cofficial\u201d contact with any DOGE personnel. The message informed NLRB employees that two DOGE representatives would be detailed to the agency part-time for several months.<\/p>\n<div id=\"attachment_71041\" style=\"width: 561px\" class=\"wp-caption aligncenter\">\n<img data-recalc-dims=\"1\" aria-describedby=\"caption-attachment-71041\" decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-71041\" src=\"https:\/\/i0.wp.com\/krebsonsecurity.com\/wp-content\/uploads\/2025\/04\/nlrb-dir-emailapril14.png?resize=551%2C568&#038;ssl=1\" alt=\"\" width=\"551\" height=\"568\"><\/p>\n<p id=\"caption-attachment-71041\" class=\"wp-caption-text\">An email from the NLRB Director Lasharn Hamilton on April 16, stating that the agency previously had no contact with DOGE personnel.<\/p>\n<\/div>\n<p>Berulis told KrebsOnSecurity he was in the process of filing a support ticket with Microsoft to request more information about the DOGE accounts when his network administrator access was restricted. Now, he\u2019s hoping lawmakers will ask Microsoft to provide more information about what really happened with the accounts.<\/p>\n<p>\u201cThat would give us way more insight,\u201d he said. \u201cMicrosoft has to be able to see the picture better than we can. That\u2019s my goal, anyway.\u201d<\/p>\n<p>Berulis\u2019s attorney told lawmakers that on April 7, while his client and legal team were preparing the whistleblower complaint, someone physically taped a threatening note to Mr. Berulis\u2019s home door with photographs \u2014 taken via drone \u2014 of him walking in his neighborhood.<\/p>\n<p>\u201cThe threatening note made clear reference to this very disclosure he was preparing for you, as the proper oversight authority,\u201d reads a preface by Berulis\u2019s attorney <strong>Andrew P. Bakaj<\/strong>. 
\u201cWhile we do not know specifically who did this, we can only speculate that it involved someone with the ability to access NLRB systems.\u201d<\/p>\n<p>Berulis said the response from friends, colleagues and even the public has been largely supportive, and that he doesn\u2019t regret his decision to come forward.<\/p>\n<p>\u201cI didn\u2019t expect the letter on my door or the pushback from [agency] leaders,\u201d he said. \u201cIf I had to do it over, would I do it again? Yes, because it wasn\u2019t really even a choice the first time.\u201d<\/p>\n<p>For now, Mr. Berulis is taking some paid family leave from the NLRB. Which is just as well, he said, considering he was stripped of the tools needed to do his job at the agency.<\/p>\n<p>\u201cThey came in and took full administrative control and locked everyone out, and said limited permission will be assigned on a need basis going forward,\u201d Berulis said of the DOGE employees. \u201cWe can\u2019t really do anything, so we\u2019re literally getting paid to count ceiling tiles.\u201d<\/p>\n<p>Further reading: <a href=\"https:\/\/whistlebloweraid.org\/wp-content\/uploads\/2025\/04\/2025_0414_Berulis-Disclosure-with-Exhibits.s.pdf\" target=\"_blank\" rel=\"noopener\">Berulis\u2019s complaint<\/a> (PDF).<\/p>\n<\/div>\n<p>BrianKrebs<br \/>\n<a href=\"https:\/\/krebsonsecurity.com\/2025\/04\/whistleblower-doge-siphoned-nlrb-case-data\/\">Go to krebsonsecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk\u2019s Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. 
The NLRB whistleblower said the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[188,352,1164,1010,811,1165,747,899,55,1166,206,670,1029,1167,641,894,207,1168,1169],"tags":[72],"class_list":["post-3429","post","type-post","status-publish","format-standard","hentry","category-a-little-sunshine","category-amazon","category-andrew-p-bakaj","category-cnn","category-cybersecurity-and-infrastructure-security-agency","category-daniel-j-berulis","category-doge","category-github","category-krebsonsecurity","category-lasharn-hamilton","category-latest-warnings","category-microsoft-azure","category-npr","category-nxgen","category-president-trump","category-spacex","category-the-coming-storm","category-tim-bearese","category-us-cert","tag-krebsonsecurity"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/3429"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=3429"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/3429\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=3429"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=3429"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=3429"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}