Hacker News | mythrowaway49's comments

congrats on the launch

Thanks a lot. Do let me know your feedback on the tool.

This part of the whistleblower complaint seems way worse:

"On or about March 11, 2025, NxGen metrics indicated abnormal usage at points the prior week. I saw way above baseline response times, and resource utilization showed increased network output above anywhere it had been historically – as far back as I could look. I noted that this lined up closely with the data out event. I also noticed increased logins blocked by access policy due to those log-ins being out of the country. For example: In the days after DOGE accessed NLRB's systems, we noticed a user with an IP address in Primorskiy Krai, Russia started trying to log in. Those attempts were blocked, but they were especially alarming. Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating. There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers."


Any guesses for the best possible interpretation? The Russians have infiltrated their PCs with keyloggers and DOGE are working from insecure open networks.

The worst possible interpretation is straightforward - they are working for the Russians as agents and let the Russians in or installed the keyloggers for Russia.


Related: https://infosec.exchange/@briankrebs/114083485241630234

Excerpt: "How much more proof do we need that this administration is completely compromised? There is zero reason for the US to relax any offensive digital actions against Russia. If anything, we should be applying more."


I would have thought that a Russian state sponsored attack would trivially mask the IP to originate from within the USA. This is just brazen.


May not be state sponsored. Could just be a Russian hacking group associated with the DOGE person.

Or it could be state sponsored and they didn’t think they needed to be covert as they could walk through the front door on invitation of the executive branch.


There's also a chance Musk just hired a Russian citizen to work for him.


Sometimes getting caught isn't a bad thing. If you are trying to seed division between two groups, acting in a way that divides them - e.g., getting caught helping one side - is more effective than what you gain by not getting caught.

I struggle to see what Russia would gain with NLRB data, but getting caught "helping DOGE" furthers distrust between the two sides of our country - which is something they gain from.


> struggle to see what Russia would gain with nlrb data

A list of whistleblowers at American companies who presumably don't want said companies to know the details of their work.


That is a good observation


Why would the Russians do this when Trump won the election? Isn't that the best outcome for them related to Ukraine?

>furthers distrust between the two sides of our country - which is something they gain from

How?


The best outcome for them and other potential powerful forces is an America so roiled by internal conflict that it can’t now or ever do anything.

Yeah Trump winning seems to help them in Ukraine but their need is disruption as much as different policy in the longer term.


While I'm just guessing, I'd think it would be better to wait until Ukraine is done and Trump is out of office. Creating mistrust in DOGE only helps Democrats.


No, the two sides live in different information spheres.

This story will percolate up to many Democrats who will be furious that Russia is "helping" "DOGE".

Separately, it won't (or will be dismissed as "overreacting" or "lying") by Republicans. They will see the Democrats as overreacting and having Trump derangement syndrome.

Meanwhile, the next doge encounter with an agency now brings greater fear of illicit acts for internal IT people and more controls for doge to demand are turned off creating more conflict within government function.

The sides' belief in the evil and stupidity of the other will be further ossified. Meanwhile, Russia is effectively able to do espionage in a way where getting caught doesn't diminish the value of the espionage work they are engaged in.


This is a great take, but please don't even dignify "Trump derangement syndrome" by using it in conversation like this. That's exactly what the people who created the term wanted it to be used for, ironically sowing further division.


> guesses for best possible interpretation? The Russians have infiltrated their PCs with keyloggers and DOGE are working from insecure open networks

They were accessing GitHub over the internet from superuser accounts they were presumably also using as their user accounts. Given the code quality, I doubt their opsec is put together, either.


Don't forget the third option: false flag.

The objective may not have been to obtain access or any useful data. The objective may have been to get the scary headlines about Russians and use the existing media and political agitprop to further destabilize the government you seek to color revolution away.


It doesn't make sense to me that an administration that by and large has been throating Putin would do that to throw more shade on Russia.

I'm not saying they didn't do that, just that it's not in line with their support for Putin and Russia. Maybe as a false flag it gives Putin the cover to crack down on hacking groups that don't throat him.


I don't follow. Are you saying the DOGE boys are trying to give Trump bad press?


The theory I'm seeing is that they are creating an excuse to try to drum up public support for expanding use of AI in government under the guise of security. You already have people in this very thread and every DOGE thread playing Elon's advocate. Give them a vague reason like security and I'm sure they'll be onboard with no questions asked.


That is a really dumb theory, and I'm pretty sure you just made it up.


Has anyone suggested AI as a replacement?

Why does it increase support for AI in government?


Isn't it just that the IP rotator happens to use IPs in Russia as part of the rotation?

If they're trying to exfiltrate data, they might want to rotate through IP addresses in order to obfuscate what's going on or otherwise circumvent restrictions. Using a simple IP rotator like the post talks about would maybe be an approach they'd use. If they're not careful with the IP addresses, once in a while one might get caught due to some restriction like being outside the US. It'd maybe appear as though you're getting these weird requests from Russia, but that's just because you're not logging the requests from the US that are not being flagged.

Maybe I'm reading the post incorrectly though (if so, please correct me!)


It uses AWS API Gateway. There is not a Russian AWS region.


Best case scenario those kids were duped into giving out credentials to the wrong (Russian) people.


> Any guesses for best possible interpretation? The Russians have infiltrated their PCs with keyloggers [...]

Best possible case I see would be that the whistleblower has made some mistake (or is being intentionally dishonest). Seems plausible for instance that "it appeared they had the correct username and password" based on "our no-out-of-country logins policy activating" could just be a misunderstanding of how/when the policy triggers. Not to say it's the most likely explanation, just the least concerning one.

I think less concerning than keyloggers, while still assuming the whistleblower is correct, would be that a DOGE employee was using a VPN/proxy/Tor. Probably not a great idea to have traffic going through a hostile nation state even with encryption, but less bad than keyloggers on their machines stealing and trying credentials within minutes.

Definitely concerning though, to be clear - just steelmanning/answering the question of best possible interpretation.


Yeah, like the APT that compromised O365 accounts from US gov entities a year or so ago, using residential proxies to go around Conditional Access Policies..., is now logging in straight from the Kremlin. :D


Is there a difference between a year ago and today? Is someone else sitting behind the Resolute desk?


You didn't get the point.

The alleged "Russian login attempts" were blocked by CAPs.

Russian state-sponsored actors have shown in the past that they use residential relay boxes to get around that.

If you read between the lines of the whistleblower claims, a lot of stuff doesn't add up. I especially like the conclusion that a death note was left on his door BEFORE he blew the whistle, and that a drone was hovering over his house.


This adds up perfectly to me.

* He could've gotten a death note because they suspected he might become a whistleblower, or simply because of what he knew.

* This death note could have been the final straw.

* Drones fly over my house all the time. If I witnessed what he did and received a death note, I may assign additional significance to it.

None of this is implausible at all.


How dumb would Russian hackers be to not use some kind of VPN? My friend who lives in Russia says that without a VPN he cannot access the majority of USA sites, so he has it always on by default. Something is not right, or these people are very, very dumb.


They want to be seen. What are you gonna do about it? What jurisdiction do you have over Russian nationals?


Spear phishing and then some kind of spyware on the system would be my guess.

Though with nation state actors you can't rule out Pegasus-like zero-click infiltrations.


The article could offer a summary of this key finding, rather than, say, the pointless paragraph near the bottom about the scraping software found in GitHub not being well written.

This is the evidence which strongly suggests that the DOGE personnel are using various cloud IP addresses to scrape.


I wonder why the "no-out-of-country logins" block happens after verifying login credentials and not before, which would make more sense to me.


While blocking before authentication seems intuitive for efficiency, checking after provides crucial context that's missing if you block pre-auth: you know which specific user account just authenticated successfully.

This context enables two important things:

- Granular exceptions: If Alice is attending a conference in Toronto, you can say "Allow Alice to log in from Canada next week" without opening Canada-wide logins for everyone. Pre-auth geo-blocking forces you into an all-or-nothing stance.

- Better threat intelligence: A valid login from an unexpected region (e.g. Moscow when Alice is normally in D.C.) is a far stronger signal of compromise than a failed attempt. Capturing "successful login + wrong location" helps you prioritize real threats. If you block pre-auth, you'd never know Alice's account was compromised.

Putting geo-checks after authentication gives you precise control over who, exactly, is logging in from where, and offers richer data for your security monitoring.


Since the system is hosted on Azure, I guess we are talking about an Entra ID login. So I think they set up a Conditional Access policy [1] that can block logins based on the country of the IP. These policies run after authentication and can be specific to a user.

[1] https://learn.microsoft.com/en-us/entra/identity/conditional...


Because then you know that credentials have been compromised.


Because you need to know who is logging in before you know what IP policy to enforce, no?


This just seems odd.

Why would they attempt a login from Russia (if it was indeed Russians)?

It is incredibly cheap to use a VPN with a US residential IP.


Maybe not everyone involved is quite the genius you might've been expecting.


I guess I don’t buy that.

Many non technical people use VPNs to access region restricted content. It is trivial to understand and use.

Assuming this all actually happened as described, it sounds like someone wanted it to appear that these attempts were coming from Russia.


And/or they just dgaf because they know they or anyone else involved won't ever be held accountable.


Occam’s razor would also suggest a hoax as one of several very credible possibilities.


Occam's razor would suggest someone from Russia could just use their own IP because people like you would think it's a hoax anyway.


Why does someone from Russia want access to NLRB data, and why would DOGE be immediately leaking just-granted NLRB login credentials to Russian assets when it would be trivially traceable back to them, and if they were in fact granted untraceable/unlogged admin credentials, could legitimately download the data themselves and simply hand it over to said Russian assets if that was their actual intention?

It's not behavior that makes any sense assuming even a semi-rational/intelligent actor.


> Why does someone from Russia want access to NLRB data

It has details of labor disputes. Which if you’re Russia who thrives on fostering conflict in the US would be an ideal data set.

> Why would DOGE be immediately leaking just-granted NLRB login credentials to Russian assets

Because they are young, highly inexperienced engineers who have been tasked with rolling out their LLM system as quickly as possible. Their priority is not security.


Your argument is that they are so inexperienced and insufficiently monitored that they immediately leaked just-granted NLRB login credentials (how?) to Russia, while rolling out an LLM system (what system?), and the Russian assets that acquired those credentials were so inept that they risked their access — and had their logins rejected — by immediately attempting to use them directly from a Russian IP block?

Furthermore, that the NLRB data would somehow be of sufficient value to Russian state actors to justify risking burning their access to DOGE employees/data/credentials through frankly idiotic OPSEC, despite there being much higher value targets than the NLRB?

This even remotely doesn't pass the smell test.


a) No one knows how Russia had the credentials but they did.

b) This system: https://www.wired.com/story/doge-is-just-getting-warmed-up-d...

c) DOGE under its current form will end in the next weeks/months as Musk moves on. So if you’re Russia the best bet is to get as much data now as you can.


> Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating.

Explains this:

> why would DOGE be immediately leaking just-granted NLRB login credential

The implication is that the credentials were for more than this specific system. It's entirely feasible that a bad actor would immediately try to vacuum up as much data from as many systems as possible, it's just that this system had a geo block that made it clear this was happening.

I don't think we need to assume that this was a targeted attack on this specific NLRB system, just that this specific NLRB system was the one that caught the attempts.

So, what systems DIDN'T block authentication?


Why? They want to be noticed, causing more chaos.


>Primorskiy Krai

Probably the least expected location to connect from, if it was genuine. Not saying it necessarily isn't, but it's not usual either and doesn't make much sense.


Right?.. Primorskiy Krai, official population 1.8M, of which the largest city of Vladivostok accounts for 600k and the next three largest cities for about 400k more, and the rest of the settlements are below 50k inhabitants each. China (Heilongjiang) to the west, North Korea to the south, Japan (Hokkaido) to the east. Literally six times closer to Tokyo than to Moscow (and only a bit closer to Moscow than to Vancouver), connected to Moscow by the longest train route in the world (six to seven days). A reputation for fierce independence and old Japanese left-hand-drive cars. That Primorskiy Krai.


Wow that's insane


agree! I feel like there must be a good workaround. Currently, I just need to go back and run a bunch of cells again..


For others that have problems with this, there is an Internet and Technology Addicts Anonymous group that has helped me quite a bit. See here: https://internetaddictsanonymous.org/

