DOGE Track (beta)

National Labor Relations Board

DOGE first arrived at this relatively small and independent agency that ensures that the union rights of workers are protected at the end of February, and they quickly proceeded to do the same scuttling of contracts and termination of employees that they have tried at other agencies under the guide of “IT modernization.” However, it appears they also tried to remove sensitive data from the agency, and thanks to a whistleblower, we are now able to see some sophisticated attacks that were made against IT resourcea at the agency.

Positions

Position Date Person
GSA? NLRB
4/16
 4/16 likely detailed «Spotted by media» Bloomberg
GSA? NLRB
4/16
 4/16 likely detailed Bloomberg

Events

Agency Date Event
1/27
 1/27
President Trump illegally fires the National Labor Relations Board (NLRB) Chair Gwynne Wilcox and General Counsel Jennifer Abruzzo from the agency’s board. This leaves the agency without quorum to act.
 Fulcrum
February 2025
2/20
 2/20
Employees at the NLRB are alarmed to see that DOGE has claimed on its website that it has cancelled the lease for their office in Buffalo, NY.
 Huff Post
c.2/24
 c.2/24
Staffers at the NLRB are informed that DOGE will be arriving at the agency the following week and that they have questions about the agency’s network architecture. (fuzz: The testimony only mentions that this communication happened sometime during that week)
 whistleblower
2/28
 2/28
After a journalist posts info that Jordan Wick’s github profile is public, a staffer an NLRB notices a project of his named NxGenBdoorExtract. The name seems to indicate it’s a tool for exfiltrating data from a sensitive NLRB system named NxGen.
 WRVO
March 2025
3/03
 3/03
A black SUV and police escort bring DOGE staff to the NLRB. The DOGE staff weren’t introduced and didn’t interact with IT staff directly.
 whistleblower
3/03
 3/03
The NLRB Assistant CIO conveys instructions that there are to be no logs or records made of accounts that are created for DOGE staff and they are to be given “tenant”-level accounts with read/write/admin for all systems as part of their auditing work. This level of access exceed existing permissions that would normally be used by auditors.
 whistleblower
3/04
 3/04
NLRB network staff notice the existence of an anomalous container on their network that could be performing unauthorized actions. Its storage tokens have been expired, deterring analysis of what resources it might have accessed.
 whistleblower
3/05
 3/05
NLRB network staff discover that a security tool for watching network traffic within their cloud environment was manually deactivated and was not logging the creation of new network nodes.
 whistleblower
3/05
 3/05
A NLRB network staffer notices a large spike in outgoing network traffic from their network with no corresponding incoming traffic (as might be the case for web traffic hitting the website). He also sees a surge in DNS requests which might be used to hide tunnels for stealing data.
 whistleblower
3/06
 3/06
NLRB network staff an account a DOGE-specific name DogeSA_2d5c3e0446f9@nlrb.microsoft.com that was recently created and then deleted. It seems to have been configured to allow automated scripts to access NLRB’s cloud.
 whistleblower
3/06
 3/06
After various users reported login problems to the service desk, networking staff at NLRB discover that certain conditional access policies had been updated without their awareness. This change was later confirmed to not be the result of any scheduled maintenance.
 whistleblower
3/07
 3/07
Networking staff at NLRB discovered that 3 Github libraries were downloaded in the prior 30 days by DOGE staff at the agency which could be used for scraping high volumes of data and obscuring the source requests.
 whistleblower
3/07
 3/07
Networking staff at NLRB makes a determination that 10GB of data was likly exfiltrated from the NxGen case management system and then outwards from NLRB. Given that this volume of data is likely compressed, it could represent an even larger amount of source data stolen.
 whistleblower
3/11
 3/11
NLRB networking staff notice another surge in system utilization for the NxGen system. This coincides with multiple attempts to connect to the system from an IP address in Russia. Alarmingly, the Russian access is attempting to use an account that was created only 15 minutes earlier by DOGE engineers at the agency.
 whistleblower
3/13
 3/13
NLRB networking staff detect another large transfer of data from NLRB systems to an external endpoint.
 whistleblower
3/19
 3/19
NLRB networking staff observe a spike in billing records from their cloud provider which are seemingly related to systems that are no longer in operation. These likely indicate resources that were short-lived or deleted to cover up tracks.
 whistleblower
c.3/24
 c.3/24
NLRB networking staff make a formal report to US-CERT at CISA of the suspicious activity they had detected from DOGE’s activities at the agency. (fuzz: Source mentions it was on or about this date)
April 2025
4/04
 4/04
CISA informs NLRB networking staff that they should drop any investigation and not move forward on any reporting of the suspicious activity at the agency.
4/14
 4/14
On the day that NPR published a story with the claims of a whistleblower at the NLRB, the Deputy CIO of the agency, Eric Mark, suspends administrative access for all employees, locking the IT staff out of their ability to continue monitoring DOGE’s actions at the agency.
 Krebs on Security
4/16
 4/16
Justin Fox and Nate Cavanaugh are reportedly detailed from the GSA to work at the NLRB over the next few months.
 Bloomberg
May 2025
5/15
 5/15
The NLRB confirms that its Inspector General is looking into the allegations of improper network access and data theft by DOGE.
 FedScoop
June 2025
6/16
 6/16
The top Democrat on the House Oversight Committee sends a letter to Microsoft requesting access and information about Jordan Wick’s now-private Github account, specifically requesting to see details about the NxGenBdoorExtract program.
 NPR
VA
Independents