Full Report
A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk's Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. The NLRB whistleblower said the unusual large data outflows coincided with multiple blocked login attempts from an Internet address in Russia that tried to use valid credentials for a newly-created DOGE user account.
Analysis Summary
# Incident Report: Alleged Unauthorized Data Exfiltration at NLRB via DOGE Accounts
## Executive Summary
In early March 2025, employees of Elon Musk's Department of Government Efficiency (DOGE) were allegedly granted elevated access within National Labor Relations Board (NLRB) systems under a management directive that bypassed standard logging procedures. The activity culminated in the suspected exfiltration of roughly 10 gigabytes of sensitive case data. The incident was flagged by an NLRB security architect, who also observed blocked login attempts from a Russian IP address that used valid credentials for one of the newly created privileged accounts.
## Incident Details
- **Discovery Date:** Initial anomalous activity detected March 3-4; full scope investigated over several days.
- **Incident Date:** Beginning March 3, 2025.
- **Affected Organization:** National Labor Relations Board (NLRB).
- **Sector:** Federal Government / Labor Relations.
- **Geography:** Washington, D.C., USA.
## Timeline of Events
### Initial Access
- **Date/Time:** March 3 (Morning).
- **Vector:** Insider-facilitated privileged account creation.
- **Details:** DOGE staffers met with NLRB leadership, after which IT staff were instructed to bypass standard operating procedures and create highly privileged "tenant admin" accounts for DOGE employees, exempt from standard network logging.
### Lateral Movement
- **Date/Time:** March 3 (Early observation).
- **Vector:** Creation of an opaque virtual environment (container).
- **Details:** One of the new DOGE accounts created a container within the NLRB network. A container can build and run programs or scripts without exposing that activity to the rest of the environment, and this was unusual for the NLRB network.
### Data Exfiltration/Impact
- **Date/Time:** Early morning March 4 (approx. 3 a.m. - 4 a.m. EST).
- **Vector:** Large, unusual outgoing data transfer.
- **Details:** Approximately 10 gigabytes of data were transferred out of the agency’s NxGen case management system via one of the new privileged accounts. The exact nature and total volume remain unknown due to restricted access for NLRB security staff.
### Detection & Response
- **Date/Time:** March 3 - March 5.
- **Detection:** Security architect Daniel J. Berulis noticed the container creation, then the large outbound traffic spike. He subsequently found a significant number of blocked login attempts from a Russian IP address that used valid credentials for one of the new accounts.
- **Response actions taken:** Canvassing colleagues to establish whether anyone at the agency had created the container; monitoring the unexplained traffic spike; reviewing the blocked login attempts from the external address. NLRB leadership had reportedly instructed staff not to follow SOPs for the new accounts. The security architect was later stripped of the access credentials needed for his job and placed on leave during the disclosure process.
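The outbound spike that Berulis noticed is the kind of signal a baseline comparison catches automatically. The following is an added example written for this report, not NLRB tooling: it aggregates per-flow records into hourly egress per source host and flags any hour whose volume is far outside a robust baseline of the preceding hours. The record layout, the host name `nxgen-db01`, the TEST-NET destination addresses and the traffic volumes are all constructed assumptions; the 10 GB hour is placed at 03:00 on March 4 to mirror the timeline above.

```python
"""Hourly egress-spike detection over constructed flow records.

Added example for this incident report; not agency or vendor code. The
record schema (ts, src, dst, bytes_out) stands in for whatever flow,
proxy or firewall logs are actually collected, and the sample data is
generated here rather than taken from any real capture.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median
import random


def build_sample_records(seed=7):
    """Constructed sample: 47 quiet hours of 40-60 MB/hour outbound from the
    case-management host, then one hour (2025-03-04 03:00) carrying 10 GB."""
    rng = random.Random(seed)
    start = datetime(2025, 3, 2, 4, 0)
    records = []
    for h in range(48):
        hour = start + timedelta(hours=h)
        total = rng.randint(40, 60) * 1_000_000          # normal hour (assumed)
        if hour == datetime(2025, 3, 4, 3, 0):
            total = 10_000_000_000                        # the exfiltration hour
        n_flows = 20
        for i in range(n_flows):
            records.append({
                "ts": hour + timedelta(minutes=rng.randint(0, 59)),
                "src": "nxgen-db01",                      # assumed host name
                "dst": f"203.0.113.{i + 1}",              # TEST-NET-3, constructed
                "bytes_out": total // n_flows,
            })
    return records


def hourly_egress(records):
    """Sum bytes_out per (source host, hour bucket)."""
    buckets = defaultdict(int)
    for r in records:
        bucket = r["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[(r["src"], bucket)] += r["bytes_out"]
    return buckets


def robust_z(value, history):
    """Modified z-score using median and MAD, so one earlier spike in the
    baseline window does not mask a later one."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0
    return 0.6745 * (value - med) / mad


def find_egress_spikes(records, baseline_hours=24, z_threshold=10.0,
                       min_bytes=1_000_000_000):
    """Return one alert per (host, hour) whose outbound volume is both a
    statistical outlier against the preceding baseline_hours and above an
    absolute floor (min_bytes), which suppresses noise on quiet hosts."""
    per_src = defaultdict(dict)
    for (src, hour), total in hourly_egress(records).items():
        per_src[src][hour] = total

    alerts = []
    for src, series in per_src.items():
        hours = sorted(series)
        for i, hour in enumerate(hours):
            history = [series[h] for h in hours[max(0, i - baseline_hours):i]]
            if len(history) < baseline_hours // 2:
                continue                                  # not enough baseline yet
            z = robust_z(series[hour], history)
            if z >= z_threshold and series[hour] >= min_bytes:
                alerts.append({
                    "src": src,
                    "hour": hour,
                    "bytes_out": series[hour],
                    "baseline_median": median(history),
                    "z": round(z, 1),
                })
    return alerts


if __name__ == "__main__":
    for a in find_egress_spikes(build_sample_records()):
        print(f"{a['src']} {a['hour']:%Y-%m-%d %H:%M} "
              f"{a['bytes_out'] / 1e9:.1f} GB out (baseline "
              f"{a['baseline_median'] / 1e6:.0f} MB, z={a['z']})")
```

The absolute floor matters as much as the z-score: on a host that normally sends almost nothing, a few hundred megabytes would be a huge statistical outlier but not worth a page at 3 a.m., whereas 10 GB from a case-management database is worth one regardless of how the baseline is shaped.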
## Attack Methodology
- **Initial Access:** Circumvention of security controls via management directive to grant "tenant admin" accounts with unrestricted permissions.
- **Persistence:** Unclear, but the objective seems tied to the immediate data transfer upon account creation.
- **Privilege Escalation:** Explicitly granted "tenant admin" status, enabling top-tier user privileges, including the ability to alter or remove logs.
- **Defense Evasion:** Accounts were intentionally exempted from network logging activity. The use of a virtual container obscured initial process execution.
- **Credential Access:** Not explicitly detailed; however, valid credentials for one DOGE account were used in login attempts from a Russian IP address within minutes of the account's creation. These were not brute-force attempts, since the correct password was supplied, and they were blocked by existing sign-in policy.
- **Discovery:** Use of highly privileged accounts allowed unrestricted access to NLRB databases (NxGen).
- **Lateral Movement:** Not explicitly detailed beyond the initial containerization effort.
- **Collection:** Accessing and consolidating data from the sensitive NxGen database.
- **Exfiltration:** Transferring approximately 10 GB of data outside the agency systems.
- **Impact:** Unauthorized transfer of sensitive NLRB case files and potential exposure of union and corporate proprietary information.
## Impact Assessment
- **Financial:** Not disclosed, but costs associated with investigation, remediation, and potential regulatory fines are implied.
- **Data Breach:** Approximately 10 GB (minimum) of sensitive data from the NxGen case management system, including confidential employee information regarding unionization efforts and proprietary business information.
- **Operational:** Security architect Berulis was locked out of the tools and access needed to perform his job, leaving the agency's security function severely impaired (in his words, "getting paid to count ceiling tiles").
- **Reputational:** Significant public damage due to allegations involving a federal agency and a high-profile private entity (DOGE/Musk).
## Indicators of Compromise
- **Network indicators:** Blocked login attempts originating from Russian IP address: `83.149.30.186`.
- **File indicators:** Creation of an anomalous virtual environment/container within the NLRB network.
- **Behavioral indicators:** Massive spike in outgoing network traffic (approx. 10 GB) from the NxGen database; creation of highly privileged, non-logged administrative accounts; non-standard Microsoft user account names (e.g., `[email protected]`, "Whitesox, Chicago M.").
## Response Actions
- **Containment measures:** Standard login rules successfully blocked external attempts originating from the known Russian IP address.
- **Eradication steps:** No explicit eradication steps detailed regarding the DOGE accounts, as control seemed to be fully transferred to DOGE personnel. The architect was stripped of necessary access.
- **Recovery actions:** NLRB leadership reportedly restricted permissions for existing general staff; the architect sought external assistance via Microsoft (which was interrupted by access revocation).
## Lessons Learned
- **Key takeaways:** Management directives that override standard security operating procedures (SOPs) create critical, high-risk exposures that are immediately exploitable by insiders or by external actors holding the provisioned credentials. In this case an external actor attempted to use a newly provisioned, high-privilege account within minutes of its creation.
- **What could have been done better:** Enforcement of mandatory, immutable logging standards for all privileged accounts, irrespective of management requests, and maintaining independent security oversight over account provisioning and auditability.
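The two observations that defined this incident, a freshly created privileged account and sign-ins against it from an unexpected country using a password that worked, can be correlated mechanically. The following is an added example written for this report, not NLRB or Microsoft tooling: it replays a constructed audit log and sign-in log in time order, remembers which accounts were just created or given a privileged role, and raises a graded alert for any sign-in from outside an allowed geography or from a watch-listed address. The event schema, the role names, the user names, the timestamps, the allow-list and every IP address except the one this report lists as an indicator are assumptions.

```python
"""Correlate privileged-account creation with out-of-policy sign-ins.

Added example for this incident report; not agency or vendor code. The
JSON-lines event format below is a constructed simplification of what a
directory audit log and a sign-in log provide. Result values are assumed:
'Success' and 'BlockedByPolicy' both mean the password was accepted,
'BadPassword' means it was not.
"""
import json
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US"}                    # assumption: where staff sign in from
PRIVILEGED_ROLES = {"TenantAdmin", "GlobalAdmin"}   # assumed role names
NEW_ACCOUNT_WINDOW = timedelta(minutes=15)    # "within minutes of creation"
IOC_WATCHLIST = {"83.149.30.186"}             # the one address this report lists
CREDENTIAL_ACCEPTED = {"Success", "BlockedByPolicy"}

# Constructed sample log. Users, times and the non-watch-listed addresses
# (RFC 5737 documentation ranges) are made up for the example.
SAMPLE_LOG = """\
{"ts": "2025-03-03T09:02:00Z", "kind": "audit", "action": "AccountCreated", "user": "dogeuser1@agency.example"}
{"ts": "2025-03-03T09:03:00Z", "kind": "audit", "action": "RoleAssigned", "user": "dogeuser1@agency.example", "role": "TenantAdmin"}
{"ts": "2025-03-03T09:11:00Z", "kind": "signin", "user": "dogeuser1@agency.example", "ip": "83.149.30.186", "country": "RU", "result": "BlockedByPolicy"}
{"ts": "2025-03-03T09:12:30Z", "kind": "signin", "user": "dogeuser1@agency.example", "ip": "83.149.30.186", "country": "RU", "result": "BlockedByPolicy"}
{"ts": "2025-03-03T09:20:00Z", "kind": "signin", "user": "analyst@agency.example", "ip": "192.0.2.10", "country": "US", "result": "Success"}
{"ts": "2025-03-03T11:40:00Z", "kind": "signin", "user": "analyst@agency.example", "ip": "198.51.100.7", "country": "DE", "result": "BadPassword"}
{"ts": "2025-03-03T14:05:00Z", "kind": "signin", "user": "dogeuser1@agency.example", "ip": "203.0.113.5", "country": "US", "result": "Success"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def correlate_signins(events):
    """Walk events in time order so audit state (creation time, privileged
    role) is known before the sign-ins that follow it. Returns alerts."""
    created_at, privileged, alerts = {}, set(), []
    for e in events:
        if e["kind"] == "audit":
            if e["action"] == "AccountCreated":
                created_at[e["user"]] = e["ts"]
            elif e["action"] == "RoleAssigned" and e.get("role") in PRIVILEGED_ROLES:
                privileged.add(e["user"])
            continue
        if e["kind"] != "signin":
            continue

        reasons = []
        if e["ip"] in IOC_WATCHLIST:
            reasons.append("ioc_match")
        if e["country"] not in ALLOWED_COUNTRIES:
            reasons.append("foreign_geo")
        if not reasons:
            continue                      # in-policy origin: nothing to correlate

        # A wrong password from abroad is background noise; a correct one,
        # even if policy then blocked the session, means the secret has leaked.
        credential_ok = e["result"] in CREDENTIAL_ACCEPTED
        age = e["ts"] - created_at[e["user"]] if e["user"] in created_at else None
        new_account = age is not None and timedelta(0) <= age <= NEW_ACCOUNT_WINDOW
        is_priv = e["user"] in privileged
        reasons += [r for r, hit in (("new_account", new_account),
                                     ("privileged_account", is_priv),
                                     ("credential_accepted", credential_ok)) if hit]
        if credential_ok and (new_account or is_priv):
            severity = "high"
        elif credential_ok:
            severity = "medium"
        else:
            severity = "low"
        alerts.append({"ts": e["ts"], "user": e["user"], "ip": e["ip"],
                       "country": e["country"], "severity": severity,
                       "account_age_min": None if age is None else age.total_seconds() / 60,
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in correlate_signins(parse_events(SAMPLE_LOG)):
        print(f"[{a['severity']:6}] {a['ts']:%H:%M:%S} {a['user']} from "
              f"{a['ip']} ({a['country']}) age={a['account_age_min']} "
              f"reasons={','.join(a['reasons'])}")
```

The severity split is the practical point: the policy block that stopped the Russian attempts is a containment success, but a correct password arriving from abroad nine minutes after a tenant-admin account was created should page someone even though no session was established, because the credential itself is already compromised.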
## Recommendations
- Immediately review and revoke all "tenant admin" or logging-exempt accounts created outside standard operating procedures at management direction.
- Implement Multi-Factor Authentication (MFA) for all administrative access, particularly those accessing sensitive databases like NxGen.
- Establish formal, immutable logging standards that cannot be bypassed by *any* role, ensuring proactive logging is in place *before* granting elevated permissions.
- Review sign-in and conditional access policies so that valid credentials cannot be used from non-U.S. or otherwise unvetted locations without passing a formal security review, and alert on every attempt to do so rather than merely blocking it.