@emptywheel.bsky.social

"Everywhere you look you have to wonder whether #SusieWiles is as much in charge as #AmyGleason is at #DOGE, whether her title of #ChiefofStaff is just a convenient fiction to cover up for the reality that #Trump does whatever the last person in the room tells him to do.

And often as not, the last person in the room is #StephenMiller."

Stephen Miller

One has to think that Trump has staffed the Federal government with the dregs he had around him, but there are simply too few competent true-believer acolytes to fill out the Federal government

Enter the few Trump Whispers, or perhaps really the single #TrumpWhisperer: Stephen Miller

"It’s not just that Stephen Miller is often the last one in the room with Trump. It’s not just that Stephen Miller’s policy ideas are batshit insane (and that he’s the author of Trump’s most egregious abuses of power). It’s also that Miller often stands in as the Word of DOGE, the Word of Trump."

Here: https://www.emptywheel.net/2025/04/20/trump-has-no-policy-process-just-wormtongue-and-palace-intrigue/

It's unclear why #DOGE would need #access to #NLRB files that contain personally identifiable #information to complete its *mission* of improving *efficiency*, outside of employment records for potential reductions in force. The agency publishes publicly available annual performance & accountability reports & budget justifications that former NLRB members told #NPR would likely be sufficient in looking for ways to cut costs.

"The representatives have requested information about agency operations but asked us to remove any personally identifiable information from documents we provide," the email reads. "Consistent with the President's Executive Order & applicable laws, the Agency will comply with #DOGE's requests for access & information."

The email, sent to staff on behalf of #NLRB chair Marvin E. Kaplan & acting general counsel William Cowen & shared w/ #NPR by 2 NLRB employees…, said 2 #DOGE reps would be detailed to the agency from the #GSA "part-time for several months" & would largely work *remotely* [guess they’ll be using that back door].

AYFKM?!!?

#DOGE assigned to work at agency where it illegally removed data

The ad hoc Department of Govt Efficiency team is assigning 2 staffers to work at the independent agency where a #whistleblower alleged Tues DOGE may have already removed sensitive #labor #data from its systems.

Just 1 day after #NPR reported on the disclosure filed by whistleblower Daniel #Berulis, DOGE reps visited NLRB’s office in DC for a meeting.

#law #NationalSecurity #InfoSec #Trump #Musk
https://www.npr.org/2025/04/16/nx-s1-5366851/doge-nlrb-whistleblower-musk-data

Russ Handorf, who served in the #FBI for a decade in various #cybersecurity roles, also reviewed Berulis' extensive technical forensic records & analysis….

"All of this is alarming," he said. "If this was a publicly traded company, I would have to report this [breach] to the Securities and Exchange Commission…."

"We've seen Russian threat actors do things like this on US government systems," said one #threat #intelligence researcher…. That analyst, who has extensive experience hunting nation - #StateSponsored #hackers, reviewed the #whistleblower's technical claims.

"The difference is, they [DOGE] were given the keys to the front door," the researcher continued.

While investigating the #data taken from #NLRB, Berulis tried to determine its ultimate destination. But whoever had exfiltrated it had disguised its destination too….

#DOGE staffers had permission to access the system, but removing data is another matter.

Berulis says someone appeared to be doing something called DNS tunneling to prevent the data exfiltration from being detected.

Berulis noticed 5 PowerShell downloads…, a task automation program that would allow engineers to run automated commands. There were several code libraries that got his attention—tools that appeared to be designed to automate & mask #data exfiltration. There was a tool to generate a seemingly endless number of IP addresses called "requests-ip-rotator," & a commonly used automation tool for web developers called "browserless" — both repositories starred or favorited by Wick, the #DOGE engineer….

In part because of the stymied internal investigation & attempts to silence him, Berulis decided to come forward publicly.

…despite all that, Berulis managed to uncover stranger & more troubling details about what happened while #DOGE was logged on….

Unknown users gave themselves a high-level access key, what's called a SAS token, "shared access signature," to access storage accounts, before deleting it. Berulis said there was no way to track what they did with it.

In the days after Berulis & his colleagues prepared a request for #CISA's help…, Berulis found a printed letter in an envelope taped to his door, which included threatening language, sensitive personal info & overhead pictures of him walking his dog…. It's unclear who sent it, but the letter made specific reference to his decision to report the breach. Law enforcement is investigating the letter.

The IT team met to discuss insider threats — namely, the #DOGE engineers…. "We had no idea what they did," he explained.…

They eventually launched a formal breach investigation, …& prepared a request for assistance from #CISA. However, those efforts were disrupted w/o an explanation, Berulis said. That was deeply troubling to Berulis….

In fact, when they looked into the spike, they found that logs that were used to monitor outbound traffic from the system were absent. Some actions taken on the network, including #data exfiltration, had no attribution—except to a "deleted account," he continued. "Nobody knows who deleted the logs or how they could have gone missing," Berulis said.

For #cybersecurity experts, that spike in #data leaving the system is a key indicator of a #breach, Berulis explained.

When Berulis asked his IT colleagues whether they knew why the data was exfiltrated or whether anyone else had been using containers to run code on the system in recent weeks, no one knew anything about it or the other unusual activities on the network….

Even when external parties like lawyers or overseers like the inspector general are granted guest accounts on the system, it's only to view the files relevant to their case or investigation, explained #labor #law experts who worked with or at the #NLRB….

"None of that confidential & deliberative information should ever leave the agency," said Richard Griffin, who was the NLRB general counsel 2013–2017, in an interview w/NPR.

Regardless, that kind of spike is extremely unusual, …because #data almost never directly leaves from the #NLRB's databases. In his disclosure, Berulis shared a screenshot tracking data entering and exiting the system, & there's only one noticeable spike of data going out. He also confirmed that no one at the NLRB had been saving backup files that week or migrating data for any projects.

From what he could see, the #data leaving, almost all text files, added up to around 10GB…. It's a sizable chunk of the total data in the #NLRB sys, though the agency itself hosts over 10TB in historical data. It's unclear which files were copied & removed or whether they were consolidated & compressed, which could mean even more data was exfiltrated. It's also possible that #DOGE ran queries looking for specific files…& took only what it was looking for….

On its own, that wouldn't be suspicious, though it did allow the engineers to work invisibly & left no trace of its activities once it was removed.

Then, Berulis started tracking sensitive #data leaving the places it's meant to live…. First, he saw a chunk of data exiting the NxGen case management system's "nucleus," inside the #NLRB system, Berulis explained. Then, he saw a large spike in outbound traffic leaving the network itself.

But he counted on #DOGE leaving at least a few traces of its activity behind,…details he included in his ofcl disclosure.

First, at least 1 DOGE account was created & later deleted for use in #NLRB's cloud systems, hosted by Microsoft:
DogeSA_2d5c3e0446f9@nlrb.microsoft.com

Then, DOGE engineers installed what's called a "container," a kind of opaque virtual computer that can run programs…w/o revealing its activities to the rest of the network.
#law #Trump #Musk #DOGE #InfoSec #NationalSecurity

About a week after arriving, the #DOGE engineers left #NLRB & deleted their accounts….

In the office, Berulis had had limited visibility into what the DOGE team was up to in real time.

That's partly because, he said, NLRB isn't advanced when it comes to detecting insider threats…. "We as an agency have not evolved to account for those," he explained. "We were looking for [bad actors] outside," he said.