Comment by cyberjerkXX

15 hours ago

Hello, I work in incident response and cyber forensics within the private sector and as a government contractor. I'm familiar with the government contracting company that currently holds the SOCaaS contract with the NLRB - it's MindPoint Group. They share a SOC with the DOJ. I reviewed the whistleblower’s evidence, and I have significant doubts about his claims.

Firstly, anyone claiming that "the whole government is compromised" is being conspiratorial. Breaches of this nature are reportable to CISA (US-CERT), the DOJ, local law enforcement, and the FBI. The NLRB has its own cybersecurity incident response team, which includes legal counsel. If both the NLRB and US-CERT determined that this wasn’t a reportable incident, then I trust their judgment.

Secondly, I’ve seen a lot of speculative commentary about the Russian IP allegedly logging into the DOGE account. A simple OSINT investigation reveals that this IP has had a negative reputation for over a year, specifically flagged for credential stuffing and scanning activity. Credential stuffing is a common tactic when credentials have been leaked or breached, often showing up on platforms like intelx.io, DeHashed, or BreachForums.

It's also worth noting: no serious nation-state actor would use an IP with such a known bad reputation. Doing so would risk burning any operational investment they’ve made. Nation-state actors almost always use clean infrastructure or proxy chains to conceal their activity.

The timeline the whistleblower presents spans two months, yet I find his interpretation of the activity speculative without hard evidence—especially considering he admits he does not possess the actual logs. That’s a huge red flag.

Thirdly, I tried to find the whistleblower’s official title, and it’s usually hidden in the media. In his official report he states that he is a Dev Sec Ops engineer. He also claims that he lost access to privileges – but the emails in the screenshot seemed to be a zero-trust/principle of least privilege hardening effort. That’s not suspicious to me.

Fourth, the screenshots the whistleblower provided of the Azure environment appeared extremely sparse. While I don’t know the exact size of the NLRB’s infrastructure, unless it's unusually small, I would expect to see more resources. From what I reviewed, the Azure dashboards he used had no filters applied, which raises the question—why are there no other subscriptions, VMs, load balancers, WAFs, etc., visible?

Regarding the DLP policy alerts, he could have easily shown the associated data. Interestingly, the alerts were labeled “test,” which is significant—but he chose not to address or explain that. Omitting that context makes the evidence less compelling. He also leaves out basic critical Indicators of Compromise (IOCs) like src_ip, src_port, dest_ip, dest_port, bytes, and duration. I’m not expecting him to extract mutex and environment variables, but showing the basics would be convincing enough, considering they would all have been accessible to him from the dashboards he screenshots in the document.

Finally, his claim that the NLRB doesn’t have a SIEM is demonstrably false. The NLRB shares a SIEM with the DOJ, which is operated by MindPoint Group under a SOCaaS contract.

Here’s my general take on the situation: The whistleblower had only been with the organization for six months and served as a mid-level DevSecOps engineer—not a security analyst, incident responder, or SOC analyst. After DOGE was announced, the NLRB began implementing Zero Trust principles and the Principle of Least Privilege. This is typical hardening. As a result, his old admin access, which was over-provisioned and no longer necessary for his role, was revoked. He panicked. Still having access to some Azure tools, he could have used a test or dev environment (referencing the sparse number of resources in the screenshot, but he claimed it to be prod with no filter), toggled a few settings, taken a screenshot, and constructed a narrative around it. He escalated it to the CEO, who initially listened. However, the incident response team conducted an investigation and found nothing substantiating his claims. NLRB and US-CERT determined it to not be reportable, which indicates that if it was a security event it was not an incident.

As for the Russian IP, it may be real—but it’s clearly tied to credential stuffing activity, not a sophisticated threat actor. If it genuinely accessed a DOGE account, that would indicate a breach on the DOGE side or weak password hygiene. But again—as mentioned earlier—he doesn’t have the logs to back this up, and his reasons for that are unconvincing. #Doubt.

Can you explain why a GitHub repo for IP rotating and tied to a prominent DOGE member was downloaded and then deleted?

  • I can explain why I doubt him.

    The evidence supporting his claim is a screenshot of an Excel spreadsheet with several columns excluded. It appears to have been exported from the DeviceProcessEvents table within the advanced threat hunting schema. However, he failed to provide the threat hunting dashboard view, which would include critical context such as the process tree, MD5 hash, account SID, account domain, and process creation time. Given that he clearly has access to Microsoft Defender XDR or Defender for Endpoint, he has the capability to conduct a thorough investigation. Yet, he did not do so, nor did he include that information in his legal submission. As a result, I find his claims unconvincing.

    As for the forked repo deletion - I have no clue. It seems like the repo was already well known. I'm not a dev so I'd defer to a dev's opinion here. The system owner could be function testing, fuzzing, performance testing, etc. Why didn’t he show the process tree, the system name, and netflow to prove that the system running code was interacting with prod? – He clearly has access to Azure tools that would allow him to do that.