I published a follow-up on NPR's scoop last week about a whistleblower at the National Labor Relations Board (NLRB), who alleges DOGE created super admin accounts (w/ no logging) at NLRB and transferred ~10GB worth of data from the agency's case files.
The story includes an interview with the whistleblower -- NLRB security architect Daniel Berulis -- and examines the technical claims in his report to lawmakers. He's taking some paid leave for now, noting that the same day the NPR story ran, the NLRB removed administrative rights for its IT staff and almost everyone else at the agency.
The backstory is that both Amazon and Musk’s SpaceX have been suing the NLRB over complaints the agency filed in disputes about workers’ rights and union organizing, arguing that the NLRB’s very existence is unconstitutional. On March 5, a U.S. appeals court unanimously rejected Musk’s claim that the NLRB’s structure somehow violates the Constitution.
Here's the lede:
"A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk‘s Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. The NLRB whistleblower said the unusual large data outflows coincided with multiple blocked login attempts from an Internet address in Russia that tried to use valid credentials for a newly-created DOGE user account."
— PROTECTED WHISTLEBLOWER DISCLOSURE —
April 14, 2025
VIA EMAIL
The Honorable Tom Cotton
Chairman, Senate Select Committee on Intelligence
The Honorable Mark Warner
Vice Chairman, Senate Select Committee on Intelligence
United States Senate
Washington, DC 20510
U.S. Office of Special Counsel
1730 M Street, NW
Washington, DC 20036
RE: Disclosure of Cyber Security Breach and Data Exfiltration through DOGE
Systems and Whistleblower/Witness Intimidation
Dear Chairman Cotton, Vice Chairman Warner, and Special Counsel:
Whistleblower Aid and Compass Rose Legal Group, PLLC jointly represent
Daniel J. Berulis, a federal employee with the National Labor Relations Board ("NLRB").
Mr. Berulis is an experienced DevSecOps Architect, spanning almost two decades of
experience guiding enterprise-scale digital transformations, enacting best practices at
scale, championing cybersecurity awareness, and enabling business objectives. Prior
to serving at NLRB, he served in positions supporting our national security, holding a
Top Secret security clearance with eligibility for access to Sensitive Compartmented
Information, commonly referred to as TS/SCI. Mr. Berulis is coming forward today
because of his concern that recent activity by members of the Department of
Government Efficiency ("DOGE") have resulted in a significant cybersecurity breach
I boosted several posts about this already, but since people keep asking if I've seen it....
MITRE has announced that its funding for the Common Vulnerabilities and Exposures (CVE) program and related programs, including the Common Weakness Enumeration Program, will expire on April 16. The CVE database is critical for anyone doing vulnerability management or security research, and for a whole lot of other uses. There isn't really anyone else left who does this, and it's typically been work that is paid for and supported by the US government, which is a major consumer of this information, btw.
I reached out to MITRE, and they confirmed it is for real. Here is the contract, which is through the Department of Homeland Security, and has been renewed annually on the 16th or 17th of April.
MITRE's CVE database is likely going offline tomorrow. They have told me that for now, historical CVE records will be available at GitHub, https://github.com/CVEProject
Yosry Barsoum, vice president and director at MITRE's Center for Securing the Homeland, said:
“On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE®) Program and related programs, such as the Common Weakness Enumeration (CWE™) Program, will expire. The government continues to make considerable efforts to support MITRE’s role in the program and MITRE remains committed to CVE as a global resource.”
MITRE | SOLVING PROBLEMS FOR A SAFER WORLD
April 15, 2025
Dear CVE Board Member,
We want to make you aware of an important potential issue with MITRE’s enduring
support to CVE.
On Wednesday, April 16, 2025, the current contracting pathway for MITRE to develop,
operate, and modernize CVE and several other related programs, such as CWE, will
expire. The government continues to make considerable efforts to continue MITRE's
role in support of the program.
If a break in service were to occur, we anticipate multiple impacts to CVE, including
deterioration of national vulnerability databases and advisories, tool vendors, incident
response operations, and all manner of critical infrastructure.
MITRE continues to be committed to CVE as a global resource. We thank you as a
member of the CVE Board for your continued partnership.
Sincerely,
Yosry Barsoum
VP and Director
Center for Securing the Homeland (CSH)
7515 Colshire Drive • McLean, VA 22102-7539 • (703) 983-6000
@briankrebs Shouldn't officers from FBI, CIA, DIA, NSA, Department of Homeland Security & other agencies consequently all have their stopping hands on the shoulders of everyone serving "DOGE" & enemies of the United States?