US "Department of Government Efficiency" data and security practices, an evolving case study


UpForce

Joined 5 February 2011
A rather detailed case study into "Department of Government Efficiency" or "DOGE" practices - in this instance within a US independent federal agency, the NLRB, through the eyes of an IT professional - especially in the network and information security realms. It follows mounting evidence that sensitive data is being exfiltrated for unknown reasons throughout federal agencies. Thoroughly researched article (it's a long read too, so I tried to compress the most salient points in IT/security contexts here), 30 sources and 11 technical experts consulted.

DOGE staffers interact minimally with resident IT staff but demand the highest level of access to read, copy and alter data. NLRB resident staff try to accommodate, suggesting standard retraceable settings, but are told to stand down and not log activity according to NIST and DHS CISA best practices (" ... a huge red flag ... violates every core concept of security ..."). The network activity that follows - had it not been known to be DOGE - would have been assumed to be a nation-state attack from China or Russia, according to a former White House cyber official. If the same were to happen in a publicly traded company, the breach would have to be reported to the SEC. Eventually, on evidence, the NLRB launches a formal breach investigation seeking assistance from CISA but is rebuffed without explanation.

At least one NLRB cloud account is created for DOGE and a "container" virtual computer is established, allowing actions invisible to the rest of NLRB's network. DOGE also give themselves an SAS token to access high-level storage accounts. The NLRB IT employee (turned whistleblower) observes data exiting core systems, followed by traffic leaving the network itself. The destination of the data is unknown. There are hallmarks of obfuscation by DNS tunneling of the extraction. Five PowerShell task automation programs are discovered, as are custom tools that appear to enable masking of automated data exfiltration.

Furthermore, controls preventing insecure and/or unauthorized mobile devices from logging on are disabled, as is MFA, and internal alerting systems are manually turned off. Needless to say, there are no good reasons to leave a system with sensitive data so externally exposed. Within minutes of DOGE gaining access, repeated and persistent login attempts from a Russian IP address follow, using newly created DOGE accounts with correct usernames and passwords. These attempts, at least, are noticed and rebuffed because NLRB staff had previously configured their network to allow logins only from US IP addresses.

As the NLRB IT employee gathers this information throughout his network before alerting the public, he discovers a note taped to his front door at an address he has just moved into. The note details highly personal information about himself only available on the NLRB system, vague threats, and drone-acquired images of himself walking his dog. From the article: "'Our cyber teams are pissed because they have to sit on their hands when every single alarm system we have regarding insider threats is going off', said one employee at an agency of the Interior Department who requested anonymity, fearing retribution." Now imagine this sort of thing going on across all the US federal agencies, one after another.
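The post mentions "hallmarks of obfuscation by DNS tunneling" as one sign of the exfiltration. As an added example (not from the article or the NLRB), here is the kind of check a defender can run over resolver logs to surface those hallmarks: long, high-entropy query labels repeated under one domain, often as TXT queries. The log format, the client addresses and the domains below are constructed for the example.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log lines (assumed format: "<timestamp> <client> <qtype> <qname>").
# The exfil-example.net queries mimic payload-bearing labels; the rest are ordinary lookups.
SAMPLE_LOG = """\
2025-04-15T10:01:02Z 10.0.5.21 A www.example.com
2025-04-15T10:01:03Z 10.0.5.21 A mail.example.com
2025-04-15T10:01:05Z 10.0.5.77 TXT 9f3a2c7e1b8d4f6a0c5e2b9d7a1e.s001.exfil-example.net
2025-04-15T10:01:05Z 10.0.5.77 TXT 4b7d1e9a3f6c0b2d8e5a7c1f9b3e.s002.exfil-example.net
2025-04-15T10:01:06Z 10.0.5.77 TXT 0e6c2a8f4d1b7e3c9a5f2d8b6e4a.s003.exfil-example.net
2025-04-15T10:01:07Z 10.0.5.77 TXT 7a3e9c1f5b2d8e6a0c4f7b1d3e9a.s004.exfil-example.net
2025-04-15T10:01:09Z 10.0.5.21 A cdn.example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character. Hex/base32 payload labels score well above dictionary words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Last two labels; a real deployment would use the public suffix list instead."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_tunneling_candidates(log_text, min_queries=3, min_label_len=24, min_entropy=3.0):
    """Return {base_domain: stats} for domains where every query carries a long, high-entropy label."""
    per_domain = defaultdict(lambda: {"queries": 0, "payload_like": 0, "txt": 0, "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _, client, qtype, qname = m.groups()
        stats = per_domain[base_domain(qname)]
        stats["queries"] += 1
        stats["clients"].add(client)
        stats["txt"] += int(qtype == "TXT")
        labels = qname.rstrip(".").split(".")[:-2]  # subdomain labels only
        if any(len(l) >= min_label_len and shannon_entropy(l) >= min_entropy for l in labels):
            stats["payload_like"] += 1
    return {dom: {**s, "clients": sorted(s["clients"])} for dom, s in per_domain.items()
            if s["queries"] >= min_queries and s["payload_like"] == s["queries"]}
```

Thresholds are starting points; tune them against a baseline of your own resolver traffic, and treat a hit as a lead to correlate with the source host's process activity, not as proof on its own.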