Maybe you should be advocating for the 194 member states of the WHO to contribute more so the world doesn't need to rely on the political winds of the US election cycle.

The evidence supporting his claim is a screenshot of an Excel spreadsheet with several columns excluded. It appears to have been exported from the DeviceProcessEvents table within the advanced threat hunting schema. However, he failed to provide the threat hunting dashboard view, which would include critical context such as the process tree, MD5 hash, account SID, account domain, and process creation time. Given that he clearly has access to Microsoft Defender XDR or Defender for Endpoint, he has the capability to conduct a thorough investigation. Yet, he did not do so, nor did he include that information in his legal submission. As a result, I find his claims unconvincing.

As for the forked repo deletion - I have no clue. It seems like the repo was already well known. I'm not a dev so I'd defer to a dev's opinion here. The system owner could be function testing, fuzzing, performance testing, ect. Why didn’t he show the process tree, the system name, and netflow to prove that system running code was interacting with prod? – He clearly has access to Azure tools that would allow him to do that.

Firstly, anyone claiming that "the whole government is compromised" is being conspiratorial. Breaches of this nature are reportable to CISA (US-CERT), the DOJ, local law enforcement, and the FBI. The NLRB has its own cybersecurity incident response team, which includes legal counsel. If both the NLRB and US-CERT determined that this wasn’t a reportable incident then I trust their judgment.

Secondly, I’ve seen a lot of speculative commentary about the Russian IP allegedly logging into the DOGE account. A simple OSINT investigation reveals that this IP has had a negative reputation for over a year, specifically flagged for credential stuffing and scanning activity. Credential stuffing is a common tactic when credentials have been leaked or breached, often showing up on platforms like intelx.io, DeHashed, or BreachForums.

It's also worth noting: no serious nation-state actor would use an IP with such a known bad reputation. Doing so would risk burning any operational investment they’ve made. Nation-state actors almost always use clean infrastructure or proxy chains to conceal their activity.

The timeline the whistleblower presents spans two months, yet I find his interpretation of the activity speculative without hard evidence—especially considering he admits he does not possess the actual logs. That’s a huge red flag.

Thirdly, I tried to find the whistle blower’s official title, and it’s usually hidden in the media. In his official report he states that he is a Dev Sec Ops engineer. He also claims that he lost access to privileges – but the emails in the screen shot seemed to be a zero-trust/principle of least privileges hardening effort. That’s not suspicious to me.

Fourth, the screenshots the whistleblower provided of the Azure environment appeared extremely sparse. While I don’t know the exact size of the NLRB’s infrastructure, unless it's unusually small, I would expect to see more resources. From what I reviewed, the Azure dashboards he used had no filters applied, which raises the question—why are there no other subscriptions, VMs, load balancers, WAFs, etc., visible?

Regarding the DLP policy alerts, he could have easily shown the associated data. Interestingly, the alerts were labeled “test,” which is significant—but he chose not to address or explain that. Omitting that context makes the evidence less compelling. He also leaves out basic critical Indicators of Compromise (IOCs) like src_ip, src_port, dest_ip, dest_port, bytes, and duration. I’m not expecting him to extract mutex and environment variables but showing the basics would be convincing enough consider all they would have been accessible to him from the dashboards he screenshots in the document.

Finally, his claim that the NLRB doesn’t have a SIEM is demonstrably false. The NLRB shares a SIEM with the DOJ, which is operated by MindPoint Group under a SOCaaS contract.

Here’s my general take on the situation: The whistleblower had only been with the organization for six months and served as a mid-level DevSecOps engineer—not a security analyst, incident responder, or SOC analyst. After DOGE was announced, the NLRB began implementing Zero Trust principles and the Principle of Least Privilege. This is typical hardening. As a result, his old admin access which was over provisioned and no longer necessary for his role—was revoked. He panicked. Still having access to some Azure tools, he could have used a test or dev environment (referencing the sparse number of resources in the screenshot but he claimed it to be prod with no filter), toggled a few settings, took screenshot, and constructed a narrative around it. He escalated it to the CEO, who initially listened. However, the incident response team conducted an investigation and found nothing substantiating his claims. NLRB and US-CERT determined it to not be reportable, or which indicates that if it was a security event it was not an incident.

As for the Russian IP, it may be real—but it’s clearly tied to credential stuffing activity, not a sophisticated threat actor. If it genuinely accessed a DOGE account, that would indicate a breach on the DOGE side or weak password hygiene. But again—as mentioned earlier—he doesn’t have the logs to back this up, and his reasons for that are unconvincing. #Doubt.

My first doubt - the NLRB has a SOC ran by an MSSP/government contractor. Data destruction events and anomalous connections would 10000% cause security event alerts to trigger. Sentinel has OOB detection for anomalies for events that the whistle blower states in the article.

My Second doubt - CISA and US-CERT are not a bunch for scrubs. If their official statement is that it's not a security incident then I trust them.

Third doubt - If you see something suspicious then you have every right to report it to the SOC, and contain the suspicious activity to the best of your ability. If you don't have permissions then report it to the SOC. All malicious activity gets investigated (unless the MSSP is a joke but then they become liable and will get sued if it turns into an incident that results in damages).

Fourth doubt - Kerbs and the whistleblower are framing this as a sophisticated nation-state attack leveraging DOGE to exploit the NLRB. But that doesn’t add up. Nation-state actors don’t blow their cover because they proxy with clean IPs from within the target country. The IP address in question (83.149.30[.]186) has had a bad reputation in open-source intelligence for over a year, linked to credential stuffing and scanning activity. Using an IP like that in a high-level operation is like flying a spy plane into enemy airspace with inflatable tube men and disco balls strapped to the wings. Attacks of this complexity require significant time and resources—no serious actor would risk burning their investment by using an IP already flagged and based in Russia.

Last doubt - The "Security Engineer" took a screenshot of the user names then gave it to the media....You're expecting me to trust what you say while you commit a data leak - nice one.

Also...

The idea that wealth hoarding inherently leads to inequality is flawed. If by “wealth” you mean capital, then unused capital doesn't distort markets or hinder wealth creation. If you're referring to wealth hoarding in the form of monopolies, it's important to note that monopolies tend to fail in truly free markets. Without innovation, they can't sustain themselves—unless they rely on government coercion to maintain control.

Government coercion is the primary force that inhibits both wealth creation and healthy competition. Overregulated markets and protectionist policies stifle innovation and prevent new players from entering the market. The most corrupt governments and corporations benefit from these systems because they reinforce existing power structures and shield them from competition.

It's easy to spot political tribalism - just reference the comments here. They ultimately misrepresent, and have never tried to understand, their opposition's political position. It's kind of sad because it allows them to be manipulated by propaganda and political powers much like my antifa friend.

Fascism does not care about ethnicity. Fascism is Anti-Capitalist Anti-Socialist. It cares about the collective. It thinks some capitalist mechanisms are important but it must be under the state control.

Nazism may function similar to Fascism as is also Anti-Capitalist and Anti-Socialist but it requires German Mysticism. German Mysticism pins the idea of Aryanism to rule.

This is all besides the point - it is not 1933 - what is happening is nothing like 1933 - Their policies are not even close to 1933 - your failure to recognize that prevents you from seeing the actual issues and offer real solutions. This is why Trump won the majority vote. Stop using thought stopping clichés

Once again - wake me up when they ban political parties, centralized power to the federal government, install political officers in the public and private sectors, and ban capitalism.

You may not like it - but his constituents elected him to defund, or try to (congress is really the only people who can), those politically bias programs. This is how democracy works.

Musk and Trump - are well within the bounds of Liberalism. They may not be John Rawls. Trump is a Neo-Liberal protectionist. Musk tends to be more classical liberalism.