Full Report
A whistleblower at the National Labor Relations Board (NLRB) alleged last week that denizens of Elon Musk's Department of Government Efficiency (DOGE) siphoned gigabytes of data from the agency's sensitive case files in early March. The whistleblower said accounts created for DOGE at the NLRB downloaded three code repositories from GitHub. Further investigation into one of those code bundles shows it is remarkably similar to a program published in January 2025 by Marko Elez, a 25-year-old DOGE employee who has worked at a number of Musk's companies.
Analysis Summary
# Incident Report: Unauthorized Data Siphoning by DOGE at NLRB
## Executive Summary
Employees of Elon Musk's Department of Government Efficiency (DOGE) allegedly obtained administrative access to National Labor Relations Board (NLRB) systems and downloaded more than 10 gigabytes of sensitive case files, including information about employees involved in union organizing. Access was obtained by having the NLRB create high-privilege "tenant admin" accounts at the demand of DOGE officials, with the accounts exempted from network logging. One of three code repositories the DOGE accounts downloaded from GitHub closely resembles a program published in January 2025 by DOGE employee Marko Elez. The activity was reported by an NLRB whistleblower, security architect Daniel J. Berulis, who feared the data could be used to prejudice ongoing labor disputes.
## Incident Details
- Discovery Date: Early March 2025; the whistleblower noticed the file downloads and GitHub activity within days of the DOGE accounts being created.
- Incident Date: On or around March 3, 2025 (creation of the DOGE "tenant admin" accounts).
- Affected Organization: National Labor Relations Board (NLRB)
- Sector: Government / Labor Relations
- Geography: United States (the NLRB is a US federal agency)
## Timeline of Events
### Initial Access
- Date/Time: On or around March 3rd
- Vector: Administrative access granted on demand. No technical exploit is described; DOGE officials required the NLRB to provision the accounts.
- Details: DOGE officials met with NLRB leaders and demanded the creation of several "tenant admin" accounts with unrestricted permissions to read, copy and alter NLRB databases. At DOGE's request the accounts were exempted from routine network logging.
### Lateral Movement
- Details: None described. The accounts were provisioned with direct administrative access to the case file database, so no movement between systems was needed to reach the data.
### Data Exfiltration/Impact
- Date/Time: Early March
- Details: More than 10 gigabytes of sensitive case data, including information about employees seeking to organize unions and proprietary business documents, were downloaded. In the same period a DOGE account downloaded three code repositories from GitHub.
### Detection & Response
- Detection: NLRB security architect Daniel J. Berulis noticed the activity while monitoring the newly created DOGE accounts, in particular their downloads of external code libraries from GitHub.
- Response: Berulis escalated the activity internally but says he was told by superiors not to report it to US-CERT. He subsequently filed a whistleblower complaint, which is the source of the public account.
## Attack Methodology
- Initial Access: Sanctioned provisioning of privileged "tenant admin" accounts at the demand of DOGE officials; no exploit or stolen credential is described.
- Persistence: The tenant admin accounts themselves, which were high-privilege and exempt from logging.
- Privilege Escalation: Built into the account creation; the accounts held administrator-level rights, including the ability to alter or remove logs, exceeding those of the agency's own security staff.
- Defense Evasion: The accounts were exempted from network logging, removing the normal audit trail for their activity.
- Credential Access: None described; access came through the sanctioned account creation.
- Discovery: Not detailed beyond the accounts locating and reading the case file database.
- Lateral Movement: Not applicable; the accounts had direct administrative access to the target data.
- Collection: More than 10 GB of case file data was downloaded. The same accounts downloaded three code repositories from GitHub: an IP-rotation library for web scraping and brute forcing (closely resembling Marko Elez's `async-ip-rotator`), `Integuru` (reverse engineering of internal APIs) and `Browserless` (headless browser automation).
- Exfiltration: Inferred from the download volume; the channel used to move the data out of the agency is not specified.
- Impact: Unauthorized access to confidential labor dispute records.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: 10+ gigabytes of sensitive NLRB case files, including information on union organizing efforts and proprietary business documents.
- Operational: Potential prejudice to ongoing cases; the whistleblower feared that exposure of union organizing information and confidential business documents could disadvantage workers and union organizers in active disputes.
- Reputational: Negative publicity arising from the whistleblower complaint regarding unauthorized data access by a government efficiency agency.
## Indicators of Compromise
- Network Indicators: None published. If the downloaded IP-rotation library were run, its traffic would originate from cloud provider address ranges rather than a fixed source address, so source-IP based blocking or attribution would not be reliable.
- File Indicators (repository names as reported; no hashes were published):
  - Repository 1: an IP-rotation library for web scraping and brute forcing, closely resembling Marko Elez's `async-ip-rotator`.
  - Repository 2: `Integuru` (API reverse-engineering framework).
  - Repository 3: `Browserless` (headless browser automation).
- Behavioral Indicators: Bulk downloading of sensitive case files by newly provisioned, logging-exempt privileged accounts, combined with those same accounts fetching automation and brute-forcing tooling from GitHub.
## Response Actions
- Containment measures: Not described in the report. Disabling the DOGE tenant admin accounts and revoking the logging exemption would be the expected first steps, but the report does not say they were taken.
- Eradication steps: Not detailed.
- Recovery actions: Not described. The discovery led to the whistleblower complaint rather than to any documented recovery process.
## Lessons Learned
- Granting elevated, exception-based privileges (including exemption from logging) on the strength of an inter-agency agreement creates a blind spot that defenders cannot compensate for after the fact.
- Inter-agency and third-party access must follow the same least-privilege and mandatory-logging rules as any other access, regardless of who is asking.
- Downloads of tooling built to evade rate limits or to brute force (such as the IP-rotation library seen here) by an account that also holds access to sensitive data should trigger automated alerts rather than depend on an analyst noticing.
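As an added example (not code from the whistleblower report, from the NLRB or from any DOGE tool), the alert described in the last point can be expressed as a small rule over audit events. The event records, account names, GitHub paths and thresholds below are constructed; the rule flags an account only if it was created recently with a `tenant_admin` role, so an ordinary analyst pulling case files or fetching a repository is not flagged.

```python
"""
Added example, not code from the whistleblower report, the NLRB or any DOGE
tool: a detection rule over constructed audit events for the pattern above,
a newly provisioned tenant_admin account that both exports a large volume
of case data and fetches code from GitHub. Names, hosts, paths and
thresholds are made up for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, actor, event type, detail, bytes).
# 'detail' for ACCOUNT_CREATE is a 'key=value' list naming the new account.
EVENTS = [
    ("2025-03-03T09:12:00", "it-admin01", "ACCOUNT_CREATE", "actor=svc-tenant01 role=tenant_admin", 0),
    ("2025-03-03T09:14:00", "it-admin01", "ACCOUNT_CREATE", "actor=svc-tenant02 role=tenant_admin", 0),
    ("2025-03-03T09:20:00", "it-admin01", "ACCOUNT_CREATE", "actor=analyst07 role=case_reader", 0),
    ("2025-03-03T10:02:00", "svc-tenant01", "HTTP_GET", "github.com/example/ip-rotator.git", 1_200_000),
    ("2025-03-03T10:05:00", "svc-tenant01", "HTTP_GET", "github.com/example/integuru.git", 3_400_000),
    ("2025-03-04T01:20:00", "svc-tenant01", "DB_EXPORT", "casefiles", 6_000_000_000),
    ("2025-03-04T02:45:00", "svc-tenant01", "DB_EXPORT", "casefiles", 5_500_000_000),
    ("2025-03-04T09:00:00", "analyst07", "DB_EXPORT", "casefiles", 40_000_000),
    ("2025-03-04T09:30:00", "analyst07", "HTTP_GET", "github.com/example/report-template.git", 200_000),
]


def parse_detail(detail):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(item.split("=", 1) for item in detail.split())


def find_suspicious(events, new_account_window=timedelta(days=14),
                    export_threshold=1_000_000_000):
    """Return {actor: finding} for tenant_admin accounts whose activity within
    new_account_window of their creation includes a bulk export and/or a
    GitHub fetch. Accounts with other roles are deliberately ignored."""
    created = {}
    for ts, _, etype, detail, _ in events:
        if etype == "ACCOUNT_CREATE":
            fields = parse_detail(detail)
            if fields.get("role") == "tenant_admin":
                created[fields["actor"]] = datetime.fromisoformat(ts)

    export_bytes = defaultdict(int)
    code_fetches = defaultdict(list)
    for ts, actor, etype, detail, nbytes in events:
        if actor not in created:
            continue
        age = datetime.fromisoformat(ts) - created[actor]
        if not timedelta(0) <= age <= new_account_window:
            continue
        if etype == "DB_EXPORT":
            export_bytes[actor] += nbytes
        elif etype == "HTTP_GET" and detail.startswith("github.com/"):
            code_fetches[actor].append(detail)

    findings = {}
    for actor in created:
        reasons = []
        if export_bytes[actor] > export_threshold:
            reasons.append("large_export")
        if code_fetches[actor]:
            reasons.append("code_fetch")
        if reasons:
            findings[actor] = {
                "reasons": reasons,
                "export_bytes": export_bytes[actor],
                "code_fetches": list(code_fetches[actor]),
                # both behaviours together is the pattern from the report
                "severity": "high" if len(reasons) == 2 else "medium",
            }
    return findings


if __name__ == "__main__":
    for actor, finding in find_suspicious(EVENTS).items():
        print(actor, finding["severity"], finding["reasons"],
              f"{finding['export_bytes'] / 1e9:.1f} GB exported")
```

The rule depends on the privileged accounts' activity being logged at all. A logging exemption like the one granted here would have left `EVENTS` empty for exactly the accounts the rule needs to see, which is why the exemption itself, not the detection logic, is the failure to fix.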
## Recommendations
- Enforce mandatory logging for every administrative account with no exemption path, and ship the logs to separate, append-only (write-once) storage that the logged accounts cannot alter.
- Require multi-party authorization and a documented justification before any "tenant admin" or equivalent superuser role is granted, and audit the scope of such roles periodically.
- Audit every account and process with access to the case file systems to confirm no other unauthorized access occurred and no downloaded code was deployed.
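One way to implement the append-only logging in the first recommendation, as an added example rather than anything the NLRB ran: each audit entry commits to the hash of the entry before it, and the chain head is copied after every append to storage the administrative accounts cannot write. Verification against that off-host head detects an altered entry, a deleted entry and a truncated tail. The records are constructed, and the off-host copy is simulated by a local variable.

```python
"""
Added example, not code from the whistleblower report or any NLRB system: a
hash-chained, append-only audit log in which removal or alteration of entries
is detectable even by an account that can write to the log store. The chain
head is assumed to be copied to separate write-once storage after each
append; verification checks against that copy. Records are constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(prev_hash, record):
    """Hash of this record bound to the previous entry's hash."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{payload}".encode()).hexdigest()


class HashChainedLog:
    def __init__(self):
        self.entries = []

    @property
    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, record):
        entry = {"prev": self.head, "record": record,
                 "hash": _digest(self.head, record)}
        self.entries.append(entry)
        return entry["hash"]


def verify(entries, expected_head):
    """Walk the chain. Returns (True, None) if intact; otherwise (False, i)
    where i is the first entry that fails, or len(entries) when the chain
    is internally consistent but entries were removed from the tail."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or _digest(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if prev != expected_head:
        return False, len(entries)
    return True, None


# Constructed records, modelled on the event types in the report.
RECORDS = [
    {"ts": "2025-03-03T09:12:00", "actor": "it-admin01", "event": "ACCOUNT_CREATE",
     "subject": "svc-tenant01", "role": "tenant_admin"},
    {"ts": "2025-03-03T10:02:00", "actor": "svc-tenant01", "event": "HTTP_GET",
     "target": "github.com/example/ip-rotator.git"},
    {"ts": "2025-03-04T01:20:00", "actor": "svc-tenant01", "event": "DB_EXPORT",
     "dataset": "casefiles", "bytes": 6_000_000_000},
    {"ts": "2025-03-04T02:45:00", "actor": "svc-tenant01", "event": "DB_EXPORT",
     "dataset": "casefiles", "bytes": 5_500_000_000},
]


def tamper_scenarios():
    """Build the log, snapshot the head 'off-host', then apply the edits a
    log-altering admin might make. Returns verify() results per scenario."""
    log = HashChainedLog()
    for r in RECORDS:
        log.append(r)
    offhost_head = log.head  # in practice copied to write-once storage

    altered = copy.deepcopy(log.entries)
    altered[2]["record"]["bytes"] = 1_000   # understate an export
    deleted = copy.deepcopy(log.entries)
    del deleted[1]                           # remove the GitHub fetch
    truncated = log.entries[:-1]             # drop the latest entry

    return {
        "intact": verify(log.entries, offhost_head),
        "altered": verify(altered, offhost_head),
        "deleted": verify(deleted, offhost_head),
        "truncated": verify(truncated, offhost_head),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:10s} -> {result}")
```

An administrator who can rewrite the whole store can recompute every hash, which is why the head must leave the host after each append; the chain makes tampering evident, the off-host copy makes it provable.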