Government IT Whistleblower Exposes System Breach Linked to DOGE and Musk Group Infiltration

A controversial whistleblower disclosure by a government IT professional has rattled the halls of cybersecurity oversight. Daniel Berulis, a seasoned DevSecOps architect at the National Labor Relations Board (NLRB), has laid bare a series of alarming activities tied to the Department of Government Efficiency (DOGE). The whistleblower alleges that DOGE’s unrestricted access to sensitive agency systems not only exceeded operational requirements but potentially enabled a significant data breach with international implications.
Incident Overview
In his sworn declaration shared with the Senate Select Committee on Intelligence and the Office of Special Counsel, Berulis detailed how newly created user accounts for DOGE personnel were exploited almost immediately. His report shows how DOGE accounts were used to log in from an IP address located in Primorsky Krai, Russia. The investigation revealed more than 20 login attempts within 15 minutes of account creation. Berulis further noted that roughly 10GB of data was exfiltrated, though the exact files removed remain unconfirmed. Key screenshots and exhibits have been provided to support these claims.
Technical Analysis and Breakdown
- Unrestricted Access: DOGE personnel were provided with “tenant owner” accounts within Microsoft Azure. These accounts possess nearly unrestricted privileges to read, copy, and alter data—bypassing standard operational protocols.
- Login Anomalies: The whistleblower’s telemetry data indicated that as soon as DOGE user accounts were activated, password-based authentication was compromised. This allowed login attempts from foreign IP addresses, which triggered alerts from the tenant’s built-in policy that flags logins originating outside the country.
- Configuration Changes: Unexpected updates in conditional access policies and disabled controls in Microsoft Purview allowed for potential bypassing of multifactor authentication measures. Such alterations, executed without approved change controls or documentation, represent a serious breach of standard cybersecurity best practices.
- Opaque Operations: The creation of isolated containers capable of executing programs without traditional logging or monitoring further obscures the activities of suspected malicious actors, complicating forensic investigations.
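The login anomaly described above (sign-ins from outside the country and a burst of attempts within minutes of account creation) is the kind of pattern a defender would want to alert on automatically. The following is an added example, not code from the whistleblower’s disclosure or from the NLRB; the account names, timestamps, countries and thresholds are constructed sample data modelled on the article’s description, not real telemetry.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real NLRB telemetry): when each account was
# created, and a sign-in log of (timestamp, user, source_country, result).
ACCOUNT_CREATED = {
    "doge-svc-01": datetime(2025, 3, 1, 10, 0),   # hypothetical new account
    "analyst-07": datetime(2025, 3, 1, 9, 0),     # hypothetical existing account
}
SIGNIN_LOG = [
    # 22 attempts from a foreign source, 30 seconds apart, right after creation
    (datetime(2025, 3, 1, 10, 0) + timedelta(seconds=30 * i),
     "doge-svc-01", "RU", "failure" if i < 21 else "success")
    for i in range(22)
] + [
    # Benign in-country activity from an account created an hour earlier
    (datetime(2025, 3, 1, 10, 5), "analyst-07", "US", "success"),
    (datetime(2025, 3, 1, 11, 0), "analyst-07", "US", "success"),
]

ALLOWED_COUNTRIES = {"US"}      # assumption: agency staff sign in domestically
WINDOW = timedelta(minutes=15)  # matches the "within 15 minutes" in the report
ATTEMPT_THRESHOLD = 20          # matches the "more than 20 login attempts"


def detect_new_account_abuse(created, signins, allowed=ALLOWED_COUNTRIES,
                             window=WINDOW, threshold=ATTEMPT_THRESHOLD):
    """Return findings for accounts whose first minutes of life look abusive.

    Two detections are applied to the sign-ins inside the creation window:
    1. any sign-in attempt from a country outside the allow-list;
    2. a burst of attempts at or above the threshold.
    """
    findings = []
    for user, t0 in created.items():
        events = [e for e in signins if e[1] == user and t0 <= e[0] <= t0 + window]
        foreign = sorted({e[2] for e in events if e[2] not in allowed})
        if foreign:
            findings.append(("out_of_country_signin", user, foreign))
        if len(events) >= threshold:
            findings.append(("signin_burst_after_creation", user, len(events)))
    return findings


if __name__ == "__main__":
    for finding in detect_new_account_abuse(ACCOUNT_CREATED, SIGNIN_LOG):
        print(*finding)
```

In a real deployment the same two checks would run over the tenant’s sign-in audit stream rather than an in-memory list, and the allow-list would come from policy rather than a constant.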
Technical experts note that these missteps expose a fundamental flaw in segregation of duties—a critical pillar of secure IT operations, especially in government networks entrusted with sensitive data.
Cybersecurity Implications
From a cybersecurity standpoint, the implications of this breach are profound. The NLRB hosts extensive confidential data, including personally identifiable information (PII) on union activities, ongoing legal matters, and private corporate data gathered during litigation. The purported exfiltration of data, compounded by internal misconfigurations, poses a substantial threat to both national security and individual privacy.
Incident response teams have expressed concern about the safety of relying on legacy authentication protocols and the inherent risks of granting excessive privileges. This case underlines the importance of real-time monitoring and stringent access controls, as well as the need for robust audit trails to swiftly identify and mitigate insider threats.
Operational Irregularities and Insider Influence
Berulis’ declaration details several operational anomalies that suggest coordinated efforts to obscure the breach. For instance, IT staff were ordered to provide DOGE with unlogged access without creating any official work records. An assistant chief information officer (ACIO) was explicitly instructed to bypass standard procedures regarding account creation and tracking. Such measures effectively sanitized the digital footprint of DOGE activities within the NLRB, creating blind spots in the system’s monitoring capabilities.
Another unsettling report involves the alteration of conditional access policies and the deactivation of key alerting mechanisms within the network. These changes, carried out without documented approvals, indicate a potential cover-up, reportedly directed from upper echelons of the organization. Moreover, instructions to drop the case from being reported to US-CERT raise critical issues about the internal suppression of cybersecurity incidents.
Legal and Governance Reactions
Following the disclosure, US Rep. Gerry Connolly (D-Va.) formally requested an investigation from the inspectors general at both the NLRB and the Department of Labor (DOL). The representative’s letter underscored concerns about potential technological malfeasance and illegal activities. Given Elon Musk’s leadership role at DOGE and the fact that his companies are embroiled in enforcement actions from regulatory bodies such as the NLRB and DOL, questions of conflict of interest have intensified.
Notably, disputes over DOGE’s access to government systems have a storied legal history. A recent US appeals court decision affirmed DOGE’s right to access sensitive personal data from the US Department of Education and the Office of Personnel Management (OPM), overturning previous rulings and further complicating the legal landscape surrounding government IT and data privacy.
Expert Opinions and Future Directions
Industry experts have weighed in, emphasizing that the situation calls for an overhaul of access control and monitoring protocols in government IT infrastructures. Cybersecurity consultants argue that stricter compartmentalization and the use of advanced behavioral analytics are essential to prevent similar breaches. They also advocate for stronger resilience measures, including routine red-blue team exercises, to test government security postures against both external and internal threats.
Looking forward, technology leaders are calling for the adoption of Zero Trust architectures across all federal agencies. Incorporation of AI and machine learning could provide real-time anomaly detection, ensuring that unauthorized access attempts are swiftly identified and neutralized. The recent incident has already stimulated discussions about upgrading governmental cybersecurity tools—including advanced logging, dynamic analysis, and comprehensive audit frameworks—to safeguard critical infrastructures.
Conclusion
The whistleblower account by Daniel Berulis reveals a concerning intersection of technical mismanagement, unauthorized high-level access, and potential insider complicity. Although the NLRB denies the breach and claims internal investigations have shown no unauthorized access, the technical evidence presented demands further scrutiny.
This episode reinforces that in an era where government agencies increasingly rely on cloud-based systems such as Microsoft Azure, meticulous access oversight and automated monitoring are non-negotiable. Stakeholders—including lawmakers, cybersecurity experts, and IT professionals—must collaborate to ensure that digital operations within critical government bodies are both transparent and secure.