DOGE whistle Government IT whistleblower calls out DOGE, says he was threatened at home "Stay out of DOGE's way": IT worker details how Musk group infiltrated US agency. Jon Brodkin – Apr 16, 2025 3:04 pm | 50 Elon Musk at the White House on March 9, 2025 in Washington, DC. Credit: Getty Images | Samuel Corum Elon Musk at the White House on March 9, 2025 in Washington, DC. Credit: Getty Images | Samuel Corum Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more A government whistleblower told lawmakers that DOGE's access to National Labor Relations Board (NLRB) systems went far beyond what was needed to analyze agency operations and apparently led to a data breach. NLRB employee Daniel Berulis, a DevSecOps architect, also says he received a threat when he was preparing his whistleblower disclosure. "Mr. Berulis is coming forward today because of his concern that recent activity by members of the Department of Government Efficiency ('DOGE') have resulted in a significant cybersecurity breach that likely has and continues to expose our government to foreign intelligence and our nation's adversaries," said a letter from the group Whistleblower Aid to the Senate Select Committee on Intelligence leaders and the US Office of Special Counsel. The letter, Berulis' sworn declaration, and an exhibit with screenshots of technical data are available here. "This declaration details DOGE activity within NLRB, the exfiltration of data from NLRB systems, and—concerningly—near real-time access by users in Russia," Whistleblower Aid Chief Legal Counsel Andrew Bakaj wrote. "Notably, within minutes of DOGE personnel creating user accounts in NLRB systems, on multiple occasions someone or something within Russia attempted to login using all of the valid credentials (e.g. Usernames/Passwords). This, combined with verifiable data being systematically exfiltrated to unknown servers within the continental United States—and perhaps abroad—merits investigation." Bakaj said they notified law enforcement about an "absolutely disturbing" threat Berulis received on April 7. Someone "taped a threatening note to Mr. Berulis' home door with photographs—taken via a drone—of him walking in his neighborhood," Bakaj wrote. "The threatening note made clear reference to this very disclosure he was preparing for you, as the proper oversight authority. While we do not know specifically who did this, we can only speculate that it involved someone with the ability to access NLRB systems." NLRB denies breach Berulis' disclosure said that several days before receiving this threat, he had been instructed to drop his investigation and not report his concerns to US security officials. Bakaj's letter to senators and the Office of Special Counsel requested "that both law enforcement agencies and Congress initiate an immediate investigation into the cybersecurity breach and data exfiltration at NLRB and any other agencies where DOGE has accessed internal systems." An NLRB spokesperson denied that there was any breach. "Tim Bearese, the NLRB's acting press secretary, denied that the agency granted DOGE access to its systems and said DOGE had not requested access to the agency's systems," according to NPR. "Bearese said the agency conducted an investigation after Berulis raised his concerns but 'determined that no breach of agency systems occurred.'" We contacted the NLRB and will update this article if it provides further comment. There have been numerous lawsuits over the access to government systems granted to DOGE, the Trump administration entity led by Elon Musk. One such lawsuit described DOGE's access as "the largest and most consequential data breach in US history." There have been mixed results in the cases so far; a US appeals court decided last week that DOGE can access personal data held by the US Department of Education and Office of Personnel Management (OPM), overturning a lower-court ruling. After the whistleblower disclosure, US Rep. Gerry Connolly (D-Va.) sent a letter urging inspectors general at the NLRB and Department of Labor to investigate. Connolly said the whistleblower report indicates "that Department of Government Efficiency (DOGE) employees may be engaged in technological malfeasance and illegal activity at the National Labor Relations Board (NLRB) and the Department of Labor (DOL)." Connolly asked for a report to Congress on "the nature of the work the DOGE team has performed at NLRB and DOL, including any and all attempts to exfiltrate data and any attempts to cover up their activities." Because of Musk's role at DOGE and the fact that his "companies face a series of enforcement actions from NLRB and DOL," there is "an inherent conflict of interest for him to direct any work at either agency—let alone benefit from stolen nonpublic information," Connolly wrote. Login attempts from Russia Berulis' disclosure said that on March 11, internal metrics indicated there had been "abnormal usage" over the past week with higher-than-usual response times and "increased network output above anywhere it had been historically." When examining the data, "we noticed a user with an IP address in Primorsky Krai, Russia started trying to log in. Those attempts were blocked, but they were especially alarming," he wrote. The person logging in from Russia apparently had the correct credentials for a DOGE account, according to Berulis. "Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE-related activities, and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating," he wrote. "There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers." This was not the first troubling sign described in the disclosure. On March 7, Berulis says he had "started tracking what appeared to be sensitive data leaving the secured location." About 10GB of data was exfiltrated, but it was "unclear which files were copied and removed," he wrote. Berulis said the evidence indicated there was "a data breach facilitated by an internal actor," and that he observed "the exact behaviors (Indicators of Compromise) of one who was trying to erase records of activities, retard detection, and covertly hide what data was being extracted after the fact." The NLRB hosts lots of private information that is supposed to remain confidential, he noted. This includes "sensitive information on unions, ongoing legal cases, and corporate secrets." The database involved in the apparent breach contains "PII [personally identifiable information] of claimants and respondents with pending matters before the agency" and confidential business information "gathered or provided during investigations and litigation that were not intended for public release," he wrote. Berulis has almost two decades of experience, and his "work often includes high-level coordination with executive teams, establishing red-blue war game security events, and building cross-functional teams to align IT capabilities with mission-critical goals," he said in his declaration. "Having worked at sensitive US Government institutions, I have held a Top Secret security clearance with eligibility for access to Sensitive Compartmented Information, commonly known as TS/SCI." “Stay out of DOGE’s way” In late February, Berulis and his team were notified of DOGE's impending arrival. "On or around March 3, 2025, we saw a black SUV and police escort enter the garage, after which building security let the DOGE staffers in. They interacted with only a small group of NLRB staff, never introducing themselves to those of us in Information Technology," he wrote. An assistant chief information officer (ACIO) was given instructions that IT employees "were not to adhere to SOP [standard operating procedure] with the DOGE account creation in regards to creating records," Berulis wrote. "He specifically was told that there were to be no logs or records made of the accounts created for DOGE employees." DOGE officials were to be given "the highest level of access and unrestricted access to internal systems," specifically "tenant owner" accounts in Microsoft Azure that come "with essentially unrestricted permission to read, copy, and alter data," Berulis wrote. These "permissions are above even my CIO's access level to our systems" and "well above what level of access is required to pull metrics, efficiency reports, and any other details that would be needed to assess utilization or usage of systems in our agency." The NLRB systems "have built-in roles that auditors can use and have used extensively in the past," which do not have "the ability to make changes or access subsystems without approval," Berulis wrote. DOGE apparently wasn't willing to use these accounts. "The suggestion that they use these accounts instead was not open to discussion," he wrote. Berulis said IT staff were ordered "to hand over any requested accounts, stay out of DOGE's way entirely, and assist them when they asked. We were further directed not to resist them in any way or deny them any access." More suspicious events Berulis described several more suspicious events that followed DOGE's arrival. There was a new container that he described as "basically an opaque, virtual node that has the ability to build and run programs or scripts without revealing its activities to the rest of the network." There was also a token that "was configured to expire quickly after creation and use, making it harder to gain insight into what it was used for during its lifetime." To Berulis, these were signs of an attack on the NLRB systems. The methods used seemed to reflect "the desire of the attackers to work invisibly, leaving little to no obvious trace of their activities once removed." On March 6, various users "reported login issues to the service desk and, upon inspection, I found some conditional access policies were updated recently," he wrote. This was odd because "policies that had been in place for over a year were suddenly found to have been changed with no corresponding documentation or approvals," he wrote. "Upon my discovery of these changes, I asked the security personnel and information assurance team about it, but they had no knowledge of any planned changes or approvals." On March 7, Berulis says he "started tracking what appeared to be sensitive data leaving the secured location." About 10GB of data was exfiltrated, but it was "unclear which files were copied and removed," he wrote. On that same day, Berulis says he reported his concerns about sensitive data being exfiltrated to CIO Prem Aburvasmy. Aburvasmy took the concerns seriously and put together a leadership group "to discuss insider threat response on an ongoing cadence and how we could get better at detecting it," Berulis wrote. "Going forward after this, the team met every Friday and continue to do so to this day." Berulis described some shortcomings in the NLRB's ability to detect attacks. "During one of these meetings, it was confirmed that our team did not have the technical capability to detect or respond in real time to internal threat actors, and that we likely did not have the ability to obtain more details about the past events," he wrote. The department subsequently "shifted budget to allow for better tooling going forward," which "has vastly improved our detection and logging so we can provide more concrete evidence if covert exfiltration occurs by an insider threat again," Berulis wrote. "We also shut down a public endpoint and corrected rogue policies that had been altered to allow much broader traffic in/out of our network." Berulis: “We were directed not to... create an official report” On March 10, Berulis found that controls in Microsoft Purview to prevent insecure or unauthorized access from mobile devices had been disabled, he wrote. "In addition, outside of expected baselines and with no corresponding approvals or records I could find I noted the following: an interface exposed to the public Internet, a few internal alerting and monitoring systems in the off state, and multi-factor authentication changed," he wrote. The team observed more odd activity in the ensuing weeks, Berulis wrote. Data was sent to "an unknown external endpoint," but the network team was unable to obtain connection logs or determine what data was removed, he wrote. There were also "spikes in billing in Mission Systems related to storage input/output" associated with projects that could no longer be found in the NLRB system, indicating that "resources may have been deleted or short-lived," he wrote. During the week of March 24, an assistant CIO for security at the NLRB "concluded that following a review of data, we should report it" to US-CERT, the US Computer Emergency Readiness Team at the Cybersecurity and Infrastructure Security Agency (CISA), according to Berulis. "Accordingly, we launched a formal review and I provided all evidence of what we deemed to be a serious, ongoing security breach or potentially illegal removal of personally identifiable information," he wrote. But on April 3 or 4, the assistant CIO "and I were informed that instructions had come down to drop the US-CERT reporting and investigation and we were directed not to move forward or create an official report," Berulis wrote. Jon Brodkin Senior IT Reporter Jon Brodkin Senior IT Reporter Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry. 50 Comments