Hasty Briefs (beta)

Whistleblower: DOGE came in, data went out, and Russians started to log in

a year ago
  • #whistleblower
  • #cybersecurity
  • #data-breach
  • Federal whistleblower Daniel Berulis, a senior DevSecOps architect at NLRB, disclosed a covert cyber operation by DOGE within a federal agency.
  • DOGE accounts were granted 'tenant owner' privileges in Azure, the highest level of control over NLRB's cloud tenant and above the CIO, and logging was disabled to hide their actions.
  • Outbound traffic from NxGen, NLRB's legal case database, spiked by more than 10 GB with no corresponding inbound traffic, the pattern expected of data exfiltration rather than a normal sync or restore.
  • Within 15 minutes of the DOGE accounts being created, login attempts from Russia used the correct usernames and passwords for those accounts, suggesting either a breach or an insider threat.
  • Multi-factor authentication was disabled without approval or an audit record, and Azure billing spiked 8%, most likely from high-cost compute used for data extraction.
  • Berulis faced intimidation, including a drone surveillance photo with a threatening note taped to his front door.
  • US-CERT was told to stand down by senior officials, preventing an investigation into the incident.
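Two of the indicators in the summary (valid-credential logins from an unexpected country minutes after an account is created, and an outbound-only traffic spike from the case database) can be turned into simple detections. The following is an added example written for this brief, not code from the whistleblower's disclosure or from NLRB; the event records, field names, thresholds and the 10 GiB floor are constructed for illustration and are not a real Azure or Entra log schema.

```python
"""Added defender-side example (not from the page or the disclosure it summarises).

Check 1: a newly created account authenticates with valid credentials from a
         country outside the allowed set within a short window of its creation.
Check 2: an hour in which outbound bytes from a sensitive host spike while
         inbound volume stays near baseline (the "data went out" pattern).

All records and field names below are constructed assumptions.
"""
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US"}                   # assumed normal sign-in geography
NEW_ACCOUNT_WINDOW = timedelta(minutes=15)   # the 15-minute figure from the summary


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed directory audit events (account creations).
AUDIT_EVENTS = [
    {"ts": "2025-03-04T10:00:00", "type": "account_created", "user": "svc-new-1"},
    {"ts": "2025-03-04T10:02:00", "type": "account_created", "user": "svc-new-2"},
]

# Constructed sign-in events. password_ok=True means the supplied password was
# correct even if a policy later blocked the session.
SIGNIN_EVENTS = [
    {"ts": "2025-03-04T10:11:00", "user": "svc-new-1", "country": "RU", "password_ok": True,  "result": "blocked_by_policy"},
    {"ts": "2025-03-04T10:12:00", "user": "svc-new-2", "country": "US", "password_ok": True,  "result": "success"},
    {"ts": "2025-03-04T10:30:00", "user": "svc-new-2", "country": "RU", "password_ok": False, "result": "failure"},   # wrong password: noise
    {"ts": "2025-03-04T10:05:00", "user": "admin-old", "country": "RU", "password_ok": True,  "result": "success"},   # not a new account: other rules
]


def new_account_foreign_logins(audit, signins, allowed=ALLOWED_COUNTRIES, window=NEW_ACCOUNT_WINDOW):
    """Return (user, country, minutes_after_creation, result) for each sign-in
    that used a correct password from a non-allowed country within `window`
    of the account's creation. Blocked attempts are included deliberately:
    knowledge of a minutes-old password is the signal, not session success."""
    created = {e["user"]: _ts(e["ts"]) for e in audit if e["type"] == "account_created"}
    hits = []
    for s in signins:
        created_at = created.get(s["user"])
        if created_at is None or not s["password_ok"] or s["country"] in allowed:
            continue
        t = _ts(s["ts"])
        if created_at <= t <= created_at + window:
            minutes = int((t - created_at).total_seconds() // 60)
            hits.append((s["user"], s["country"], minutes, s["result"]))
    return hits


# Constructed hourly byte counters for the case-management database host.
TRAFFIC = [
    {"hour": "2025-03-04T08:00:00", "in_bytes": 2_000_000_000,  "out_bytes": 1_500_000_000},
    {"hour": "2025-03-04T09:00:00", "in_bytes": 2_200_000_000,  "out_bytes": 1_400_000_000},
    {"hour": "2025-03-04T10:00:00", "in_bytes": 1_800_000_000,  "out_bytes": 1_600_000_000},
    {"hour": "2025-03-04T11:00:00", "in_bytes": 100_000_000,    "out_bytes": 12_000_000_000},  # outbound only
    {"hour": "2025-03-04T12:00:00", "in_bytes": 20_000_000_000, "out_bytes": 15_000_000_000},  # bidirectional (e.g. replication)
    {"hour": "2025-03-04T13:00:00", "in_bytes": 2_000_000_000,  "out_bytes": 1_500_000_000},
]


def outbound_only_spikes(traffic, baseline_hours=3, factor=4.0, min_out_bytes=10 * 1024**3):
    """Flag hours whose outbound volume is at least `factor` times the mean of
    the first `baseline_hours` (a quiet reference period) AND above an absolute
    floor, while inbound stays within 2x its baseline. The inbound guard keeps
    large two-way transfers such as restores or replication from firing."""
    ref = traffic[:baseline_hours]
    base_in = sum(r["in_bytes"] for r in ref) / len(ref)
    base_out = sum(r["out_bytes"] for r in ref) / len(ref)
    hits = []
    for r in traffic[baseline_hours:]:
        ratio = r["out_bytes"] / base_out
        if r["out_bytes"] >= min_out_bytes and ratio >= factor and r["in_bytes"] <= 2 * base_in:
            hits.append((r["hour"], r["out_bytes"], round(ratio, 1)))
    return hits


if __name__ == "__main__":
    for user, country, minutes, result in new_account_foreign_logins(AUDIT_EVENTS, SIGNIN_EVENTS):
        print(f"ALERT new account {user}: valid password from {country} {minutes} min after creation ({result})")
    for hour, out_bytes, ratio in outbound_only_spikes(TRAFFIC):
        print(f"ALERT outbound-only spike at {hour}: {out_bytes/1e9:.1f} GB, {ratio}x baseline")
```

The first check keys on password correctness rather than session success because a conditional-access block still leaves the question of how a brand-new password reached a foreign network. The second check needs a reference period in which the host was behaving normally; if the audit and flow logs themselves have been disabled, as the summary describes, the absence of counters for a period is itself worth alerting on.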