top | item 43760930

Red_Tarsius | 10 months ago

Cybersecurity is not my main field but this sounds beyond suspicious.

> Berulis [...] and his colleagues grew even more alarmed when they noticed nearly two dozen login attempts from a Russian Internet address (83.149.30.186) that presented valid login credentials for a DOGE employee account — one that had been created just minutes earlier. Berulis said those attempts were all blocked thanks to rules in place that prohibit logins from non-U.S. locations.

> “Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating,” Berulis wrote. “There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers.”

Somehow each paragraph reveals something even worse than the last.

> Berulis [...] and the associate CIO were informed that “instructions had come down to drop the US-CERT reporting and investigation and we were directed not to move forward or create an official report.” Berulis said it was at this point he decided to go public with his findings.

perihelions|10 months ago

I think it's relevant context that DOGE employees were very recently operating commercial web domains in Russia,

https://krebsonsecurity.com/2025/02/teen-on-musks-doge-team-...

- “Tesla.Sexy LLC controls dozens of web domains, including at least two Russian-registered domains,” Wired reported. “One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review.”

edit: Here's the old HN thread,

https://news.ycombinator.com/item?id=42981756 ("Teen on Musk's DOGE team graduated from 'The Com' (krebsonsecurity.com)" — 1895 comments)

RajT88|10 months ago

This administration colluding with Russia? I feel like we tried to get people to care about that before.

_fat_santa|10 months ago

What is interesting to me is how those two things are mixing. Theoretically any one of us could own a Russian domain and any one of us could get a job at NLRB (or another gov agency), but our jobs and our ownership of that domain are two entirely separate things.

What's interesting here is how these two things are seemingly mixing. At this point I have two pet theories:

- One of the DOGE staffers is a Russian agent: This one I'm putting in the camp of "highly highly unlikely" but still possible given those login attempts from Russia.

- The more likely theory is this is just some braindead attempt to "own the libs". If we look back 6-8 years to when all the Trump-Russia stuff came out and turned into a nothingburger, this could be some idea like: "Yo I've got this VM in Russia, let's own the libs and make them think the Russians are invading again!"

- It could also be completely innocuous. Like right now I have a Mullvad VPN set up on my machine that points to Algeria. Ubuntu will auto-start this VPN at login. What if one of the DOGE staffers just happened to have a VPN running with an exit in Russia when they tried logging in?

Tireings|10 months ago

Especially, how long does it take for them to get a non-Russian IP?

ajsnigrutin|10 months ago

Russian IPs are used because Russia won't help the American authorities with investigations. If I was an American and hacking into <whatever American thing>, I'd use Russian IPs too.

dagaci|10 months ago

Russian IPs were in the pool because it never occurred to them to check where these IPs were geo-registered.

rurban|10 months ago

Or, very unlikely but maybe, the DOGE employee used this new account to attempt to login via a Russian VPN just to test security. Still very unlikely, because they were not interested in security at all.

Cthulhu_|10 months ago

DOGE's mission isn't pentesting though; there are other federal agencies for that, like the article mentions, US-CERT, operated by Homeland Security.

Homeland Security and co need to step in, but they're controlled by hostile agents.

_heimdall|10 months ago

The article mentioned that traces of a few GitHub repos were found. One of the READMEs left behind described a tool used to create a multihop network to hide the original source.

Seems plausible that they could have used that tool when logging in and it happened to bounce off a Russian IP.

1659447091|10 months ago

> more than 20 such attempts

If I am testing a login I don't need 20+ failed attempts to know it's not working. Sometimes the simple answer is the correct one. The series of events does not read as someone whose job has reportedly been to disable security and demand root access to systems testing the already-in-place login system to make sure Russian IPs (specifically) can not log in.

FranzFerdiNaN|10 months ago

Let's be honest: they are compromised. Musk is compromised. Trump is compromised. They are all traitors who are selling America out. It took almost four decades, but Russia is winning the Cold War after all, without firing a shot.

b112|10 months ago

This sounds very weird.

If you're blocking non-US IPs, you typically block at the IP layer, before a login attempt can even begin.

Why allow someone to even log in at all?

ffsoftboiled|10 months ago

If the intent is to collect foreign IPs attempting login, you could block it further down the chain. Lots of intelligence reasons to do this.

crtasm|10 months ago

If you block outright, an adversary has reason to try another IP. If you allow the attempt and then show a standard "login failed" page, they have less information to go on.

filcuk|10 months ago

Not necessarily. One could have a gov site allowing anyone to view it, but have stricter rules on a /login path, HTTP POST, or auth header, or it could have been blocked by some company-wide safety layer that manages this stuff semi-automatically. But that's just speculation.

ocdtrekkie|10 months ago

So the default behavior of a Fortigate is to allow you to apply an access policy to the VPN tunnel itself, which can easily be a geoblock, but the local-in policy where the remote is actually authenticating against the firewall is much harder to change.

Not saying this is a Fortigate or that the federal government didn't change the low effort configuration, but it's certainly not unusual, Fortinet is a huge presence.

kissiel|10 months ago

Maybe to detect that the valid credentials are leaked / used in the wild?

mikeocool|10 months ago

Auth providers (like Okta for example) often do the geo-blocking at level 7 -- because if you know the login being used, you can then lock the account that is being accessed from a blocked region.
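The placement question in this sub-thread (drop at the edge versus authenticate first and apply the country rule second, so the caller gets the same "login failed" either way while the defender learns the credential is in the wild and can lock the account) and 1659447091's point about 20+ attempts minutes after account creation, as an added example in Python. This is illustrative code written for this page, not from the article, any agency, Okta, Azure AD or Fortinet. The prefix-to-country table, the RFC 5737 range standing in for US space, the account name, the password, the 15-minute window and the 5-attempt threshold are all constructed assumptions; the salted PBKDF2 hash stands in for a real credential store.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import hashlib
import os

# Constructed geo table, prefix -> ISO country (assumption; a real deployment uses a GeoIP feed).
GEO_TABLE = {
    ip_network("83.149.30.0/24"): "RU",   # prefix of the address quoted in the thread
    ip_network("198.51.100.0/24"): "US",  # RFC 5737 documentation range, standing in for US space
}
ALLOWED_COUNTRIES = {"US"}
GENERIC_FAILURE = "login failed"          # one answer for every failure mode

def country_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((cc for net, cc in GEO_TABLE.items() if addr in net), "??")

def edge_block(ip: str) -> bool:
    """Network-layer placement: drop before any credential is seen.
    Cheap, but the defender never learns which account was targeted."""
    return country_of(ip) not in ALLOWED_COUNTRIES

def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    created: datetime
    locked: bool = False

def new_account(username: str, password: str, created: datetime) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, _hash(salt, password), created)

@dataclass
class Alert:
    username: str
    ip: str
    country: str
    minutes_since_creation: float

@dataclass
class AuthService:
    """Layer-7 placement: verify the credential first, apply the country rule second."""
    accounts: dict
    alerts: list = field(default_factory=list)

    def login(self, username: str, password: str, ip: str, when: datetime) -> str:
        acct = self.accounts.get(username)
        if acct is None or _hash(acct.salt, password) != acct.pw_hash:
            return GENERIC_FAILURE                 # bad credential: nothing learned yet
        cc = country_of(ip)
        if cc not in ALLOWED_COUNTRIES:
            # A correct password from a blocked country means the credential is in
            # someone else's hands: record it and lock the account, but answer exactly
            # as for a wrong password so the caller cannot tell the two apart.
            age = (when - acct.created).total_seconds() / 60
            self.alerts.append(Alert(username, ip, cc, age))
            acct.locked = True
            return GENERIC_FAILURE
        return GENERIC_FAILURE if acct.locked else "ok"

def accounts_to_review(alerts, window_minutes: int = 15, min_attempts: int = 5) -> set:
    """Detection pass over the alert log: accounts whose valid credentials were used
    from a blocked country repeatedly within `window_minutes` of being created.
    Both thresholds are assumptions chosen for this example."""
    counts = {}
    for a in alerts:
        if a.minutes_since_creation <= window_minutes:
            counts[a.username] = counts.get(a.username, 0) + 1
    return {u for u, n in counts.items() if n >= min_attempts}

def demo() -> dict:
    """Constructed scenario: account created at T, one US login, then 22 correct-password
    attempts from the Russian prefix within 15 minutes, 2 wrong-password attempts, a US retry."""
    t0 = datetime(2025, 3, 1, 12, 0)
    svc = AuthService({"new-svc-account": new_account("new-svc-account", "correct horse", t0)})
    us_before = svc.login("new-svc-account", "correct horse", "198.51.100.7", t0 + timedelta(seconds=30))
    foreign = [svc.login("new-svc-account", "correct horse", "83.149.30.186",
                         t0 + timedelta(minutes=1 + 0.6 * i)) for i in range(22)]
    foreign += [svc.login("new-svc-account", "wrong", "83.149.30.186",
                          t0 + timedelta(minutes=14 + i)) for i in range(2)]
    us_after = svc.login("new-svc-account", "correct horse", "198.51.100.7", t0 + timedelta(minutes=20))
    return {
        "us_before_lock": us_before,
        "foreign_responses": set(foreign),
        "alerts": len(svc.alerts),
        "edge_would_block": edge_block("83.149.30.186"),
        "us_after_lock": us_after,
        "to_review": accounts_to_review(svc.alerts),
    }
```

Running `demo()` shows the trade-off the thread is circling: `edge_block` would have stopped the same traffic but recorded nothing about which account it was aimed at, whereas the layer-7 path returns the identical "login failed" string for every one of the 24 foreign attempts yet leaves 22 alerts (the two wrong-password attempts prove nothing about a leak and are not counted), locks the account so the later legitimate US login also fails, and the review pass flags the account because all 22 valid-credential attempts fell within 15 minutes of its creation.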

dagaci|10 months ago

Remember these are Elon's script kiddie hackers; it only occurred to them to disable the outer firewall. Azure AD will independently GeoIP-block all by itself.

trkaky|10 months ago

Or the person forgot to switch off the VPN.

tyingq|10 months ago

What's the typical use case for a DOGE employee to have a Russian VPN set up on their work PC?

only-one1701|10 months ago

Totally an honest mistake! It’s ok because the stakes are really low; not like it’s the US government!