#Whistleblower details how #DOGE may have taken sensitive #NLRB data
In the first days of March, a team of advisers from #Trump's new Department of Government Efficiency initiative arrived at the Southeast Washington, DC, headquarters of the National Labor Relations Board.
The small, independent federal agency investigates & adjudicates complaints about unfair #labor practices.
#law #InfoSec #privacy #NationalSecurity #Musk
https://www.npr.org/2025/04/15/nx-s1-5355896/doge-nlrb-elon-musk-spacex-security
#NLRB stores reams of potentially sensitive data, from confidential info about employees who want to form unions to proprietary business info.
The #DOGE employees, who are led by #Trump adviser & billionaire tech CEO #ElonMusk, appeared to have their sights set on accessing the NLRB's internal systems. They've said their unit's overall mission is to review agency data for compliance with the new admin's policies & to cut costs & maximize efficiency.
But acc/to an official #whistleblower disclosure shared w/ #Congress & other federal overseers…, subsequent whistleblower interviews & records of internal comms, technical staff were alarmed about what #DOGE engineers did when granted access, particularly when staffers noticed a spike in #data LEAVING the agency. It's possible that the data included sensitive info on #unions, ongoing #legal cases & #CorporateSecrets — data that 4 #labor #law experts tell NPR should almost never leave the NLRB….
& data has nothing to do w/making the govt more efficient or cutting spending.
Meanwhile, acc/to the disclosure & records of internal comms, members of the #DOGE team asked that their activities not be logged on the system & then appeared to try to cover their tracks behind them, turning off monitoring tools & manually deleting records of their access—evasive behavior several #cybersecurity experts compared to what #criminal or #StateSponsored #hackers might do.
The employees grew concerned that the #NLRB's confidential #data could be exposed, particularly after they started detecting suspicious log-in attempts from an IP address in #Russia [wtf?], acc/to the disclosure. Eventually, the disclosure continued, the IT department launched a formal review of what it deemed a serious, ongoing #security #breach or potentially #illegal removal of personally identifiable information.
The #whistleblower believes that the suspicious activity warrants further investigation by agencies w/more resources, like #CISA or the #FBI.
#Labor #law experts…fear that if the data gets out, it could be abused, including by private companies w/cases before the agency that might get insights into damaging testimony, #union leadership, #legal strategies & internal data on competitors — #Musk's #SpaceX among them….
It could also intimidate #whistleblowers who might speak up about unfair labor practices, & it could sow distrust in the #NLRB's independence, they said.
The new revelations about #DOGE's activities at the labor agency come from a #whistleblower in the IT department of the NLRB, who disclosed his concerns to #Congress & the US Office of Special Counsel [#OSC] in a detailed report that was then provided to #NPR.
Meanwhile, his attempts to raise concerns internally within the #NLRB preceded someone "physically taping a threatening note" to his door that included sensitive personal information & overhead photos of him walking his dog that appeared to be taken with a drone, according to a cover letter attached to his disclosure filed by his attorney, Andrew Bakaj of the nonprofit #Whistleblower Aid.
The #whistleblower's account is corroborated by internal documentation & was reviewed by 11 technical experts across other govt agencies & the private sector. In total, NPR spoke to >30 sources across govt, private sector, #labor movement, #cybersecurity & #law enforcement who had their own concerns about how #DOGE & the #Trump admin might be handling sensitive #data, & the implications for its exposure. The following account comes from the whistleblower's ofcl disclosure & interviews w/ #NPR.
…#DOGE employees demanded the highest level of access, what are called "tenant owner level" accounts inside the independent agency's computer systems, w/essentially unrestricted permission to read, copy & alter #data….
When an IT staffer suggested a streamlined process to activate those accounts in a way that would let their activities be tracked, in accordance with #NLRB #security policies, the IT staffers were told to stay out of DOGE's way….
For #cybersecurity professionals, a failure to log activity is a cardinal sin & contradicts best practices as recommended by the National Institute of Standards & Technology [#NIST] & the #DHS's #CISA, as well as the #FBI & the #NSA.
"That was a huge red flag," said Berulis. "That's something that you just don't do. It violates every core concept of security & best practice."
Those #forensic #digital #records are important for record-keeping requirements & allow for troubleshooting, but they also allow experts to investigate potential breaches, sometimes even tracing the attacker's path back to the vulnerability that let them inside a network. The records can also help experts see what #data might have been removed. Basic logs would likely not be enough to demonstrate the extent of a bad actor's activities, but they would be a start.
There's no reason for any legitimate user to turn off logging or other #security tools, #cybersecurity experts say.
"None of this is normal," said Jake Braun…fmr acting principal dpty natl cyber dir at the WH…. "This type of activity is why the government buys insider-threat-monitoring technology. So we can know things like this are happening & stop sensitive data exfiltration before it happens," he told NPR.
However, the #NLRB's budget hasn't had the money to pay for tools like that for years, Berulis said.
A couple of days after #DOGE arrived, Berulis saw something else that alarmed him while browsing the internet over the weekend.
MIT grad & DOGE engineer #JordanWick had been sharing info about coding projects he was working on to his public account w/ GitHub….
After journalist Roger Sollenberger started posting…about the account, Berulis noticed something Wick was working on: a project, or repository, titled "NxGenBdoorExtract."
Wick made it private before Berulis could investigate further, he told NPR. But to Berulis, the title itself was revealing.
"So when I saw this tool, I immediately panicked,"…He immediately alerted his whole team.
While NPR was unable to recover the code for that project, the name itself suggests that Wick could have been designing a #backdoor, or "Bdoor," to extract files from #NLRB's internal case management system, known as NxGen, acc/to several #cybersecurity experts who reviewed Berulis' conclusions.
…NxGen is an internal system that was designed specifically for the NLRB in-house, acc/to several of the engineers who created the tool….
…while many of the #NLRB's records are eventually made public, the NxGen case management system hosts #proprietary #data from #corporate competitors, personal information about #union members or employees voting to join a union, & #witness testimony in ongoing cases. Access to that data is protected by numerous federal #laws, including the #Privacy Act.
…engineers were also concerned by #DOGE staffers' insistence that their activities not be logged, allowing them to probe the NLRB's systems & discover info about potential #security flaws or vulnerabilities w/o being detected.
"The whole idea of removing logging & [getting] tenant-level access is the most disturbing part to me," one engineer said.
About a week after arriving, the #DOGE engineers left #NLRB & deleted their accounts….
In the office, Berulis had had limited visibility into what the DOGE team was up to in real time.
That's partly because, he said, NLRB isn't advanced when it comes to detecting insider threats…. "We as an agency have not evolved to account for those," he explained. "We were looking for [bad actors] outside," he said.
But he counted on #DOGE leaving at least a few traces of its activity behind,…details he included in his ofcl disclosure.
First, at least 1 DOGE account was created & later deleted for use in #NLRB's cloud systems, hosted by Microsoft:
DogeSA_2d5c3e0446f9@nlrb.microsoft.com
Then, DOGE engineers installed what's called a "container," a kind of opaque virtual computer that can run programs…w/o revealing its activities to the rest of the network.
#law #Trump #Musk #DOGE #InfoSec #NationalSecurity
On its own, that wouldn't be suspicious, though it did allow the engineers to work invisibly & left no trace of its activities once it was removed.
Then, Berulis started tracking sensitive #data leaving the places it's meant to live…. First, he saw a chunk of data exiting the NxGen case management system's "nucleus," inside the #NLRB system, Berulis explained. Then, he saw a large spike in outbound traffic leaving the network itself.
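The thread above describes three signals a defender would want to catch from audit data: monitoring or logging being switched off, a highly privileged account that exists only briefly, and a spike in outbound traffic against a normal baseline. The script below is an added illustration of that triage, not code from NPR, the NLRB or anyone quoted in the thread. Every log line in it is constructed, and the key=value record format, the field names (type, action, user, role, bytes) and the thresholds are assumptions chosen for the example.

```python
"""Triage of constructed audit records for three insider-threat signals:
(1) logging/monitoring being turned off, (2) a privileged account created
and deleted within a short window, (3) outbound traffic far above baseline.
Sample data, field names and thresholds are all constructed for illustration."""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample records (one per line; not real NLRB or DOGE data).
SAMPLE_LOGS = """\
2025-03-01T23:59:00Z type=egress bytes=110000000
2025-03-02T23:59:00Z type=egress bytes=125000000
2025-03-03T09:05:00Z type=account action=create user=svc_backup@example.invalid role=reader
2025-03-03T09:06:00Z type=account action=create user=adm_tmp_1a2b@example.invalid role=tenant_owner
2025-03-03T09:10:00Z type=config action=audit_logging_disabled user=adm_tmp_1a2b@example.invalid
2025-03-03T09:12:00Z type=config action=monitoring_agent_stopped user=adm_tmp_1a2b@example.invalid host=cms-node-1
2025-03-03T23:59:00Z type=egress bytes=118000000
2025-03-04T23:59:00Z type=egress bytes=1450000000
2025-03-05T23:59:00Z type=egress bytes=121000000
2025-03-09T12:00:00Z type=account action=delete user=adm_tmp_1a2b@example.invalid
"""

# Assumed action names for "someone turned the cameras off" events.
TAMPER_ACTIONS = {"audit_logging_disabled", "monitoring_agent_stopped", "audit_log_deleted"}
# Assumed name for the highest-privilege role (the thread calls it "tenant owner").
PRIVILEGED_ROLES = {"tenant_owner"}


def parse(text):
    """Parse 'timestamp key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        ev = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_logging_tampering(events):
    """Any config change that disables logging or monitoring, whoever did it."""
    return [(e["ts"], e.get("user"), e["action"]) for e in events
            if e.get("type") == "config" and e.get("action") in TAMPER_ACTIONS]


def find_short_lived_privileged_accounts(events, max_age=timedelta(days=14)):
    """Privileged accounts created and then deleted within max_age."""
    created, findings = {}, []
    for e in events:
        if e.get("type") != "account":
            continue
        if e["action"] == "create" and e.get("role") in PRIVILEGED_ROLES:
            created[e["user"]] = e["ts"]
        elif e["action"] == "delete" and e["user"] in created:
            age = e["ts"] - created.pop(e["user"])
            if age <= max_age:
                findings.append((e["user"], age))
    return findings


def find_egress_spikes(events, factor=5.0, min_baseline=3):
    """Outbound byte counts more than `factor` times the median of earlier days.
    Median rather than mean so one spike does not inflate the later baseline."""
    history, findings = [], []
    for e in events:
        if e.get("type") != "egress":
            continue
        sent = int(e["bytes"])
        if len(history) >= min_baseline:
            baseline = median(history)
            if sent > factor * baseline:
                findings.append((e["ts"].date().isoformat(), sent, baseline))
        history.append(sent)
    return findings


def triage(text):
    """Run all three detections over one log text and return the findings."""
    events = parse(text)
    return {
        "logging_tampering": find_logging_tampering(events),
        "short_lived_privileged_accounts": find_short_lived_privileged_accounts(events),
        "egress_spikes": find_egress_spikes(events),
    }


if __name__ == "__main__":
    for name, hits in triage(SAMPLE_LOGS).items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

Each detector is deliberately independent: a logging-disabled event is worth an alert on its own, even when no egress spike follows, because once monitoring is off the egress numbers themselves can no longer be trusted. In a real deployment the baseline window and the spike factor would be tuned per network segment, and the account-lifecycle check would read role assignments from the identity provider rather than from a flat log.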
This whole thread is one of the reasons why I'm unable to keep my voice down when calling my Senators.
Absolutely. Turning off logging and/or other computer security tools shouts that you are committing a crime. It is also destruction of govt records.
"Meanwhile, his attempts to raise concerns internally within the #NLRB preceded someone "physically taping a threatening note" to his door that included sensitive personal information & aerial photos of him walking his dog that appeared to have been taken with a drone, according to a cover letter attached to his disclosure filed by his attorney, Andrew Bakaj, of the nonprofit #Whistleblower Aid."
@Nonilex
This is why trump moved yesterday to defund NPR
@Nonilex considering the situation doesn't surprise me but I still want to scream at the screen.