| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by Red_Tarsius 417 days ago

Cybersecurity is not my main field but this sounds beyond suspicious.

> Berulis [...] and his colleagues grew even more alarmed when they noticed nearly two dozen login attempts from a Russian Internet address (83.149.30,186) that presented valid login credentials for a DOGE employee account — one that had been created just minutes earlier. Berulis said those attempts were all blocked thanks to rules in place that prohibit logins from non-U.S. locations.

> “Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating,” Berulis wrote. “There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers.”

Somehow each paragraph reveals something even worse than the last.

> Berulis [...] and the associate CIO were informed that “instructions had come down to drop the US-CERT reporting and investigation and we were directed not to move forward or create an official report.” Berulis said it was at this point he decided to go public with his findings.

5 comments

perihelions 417 days ago

I think it's relevant context DOGE employees were very recently operating commercial web domains in Russia,

https://krebsonsecurity.com/2025/02/teen-on-musks-doge-team-...

- "“Tesla.Sexy LLC controls dozens of web domains, including at least two Russian-registered domains,” Wired reported. “One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review.”"

edit: Here's the old HN thread,

https://news.ycombinator.com/item?id=42981756 ("Teen on Musk's DOGE team graduated from 'The Com' (krebsonsecurity.com)" — 1895 comments)

RajT88 417 days ago

This administration colluding with Russia? I feel like we tried to get people to care about that before.

_fat_santa 417 days ago

What is interesting to me is how those two things are mixing. Theoretically any one of us could own a russian domain and any one of us could get a job at NLRB (or another gov agency) but our jobs and our ownership of that domain are two entirely separate things.

What's interesting here is how these two things are seemingly mixing. At this point I have two pet theories:

- One of the DOGE staffers is a Russian agent: This one I'm putting in the camp of "highly highly unlikely" but still possible given those login attempts from Russia.

- The more likely theory is this is just some braindead attempt to "own the libs". If we look back 6-8 years to when all the Trump Russia stuff came out and turned into a nothingburger. This could be some idea like: "Yo I've got this VM in Russia, let's own the libs and make them thin the Russians are invading again!"

- It could also be completley innocouous. Like right now I have a Mullvad VPN setup on my machine that points to Algeria. Ubuntu will auto start this VPN at login. What if one of DOGE staffers just happened to have a VPN running with an exit in Russia when they tried logging in.

Tireings 417 days ago

Especially how long does it take for them to get a non Russian ip

ajsnigrutin 417 days ago

Russian IPs are used, because russia won't help the american authorities with investigations. If I was an american and hacking into <whatever american thing>, I'd use russian IPs too.

darkerside 417 days ago

Couldn't you route through a Russian IP for anonymity and then a US IP for access?

dwattttt 417 days ago

It's not anonymous if the US IP has a real life connection to you.

tom1337 417 days ago

I think what the original commenter meant was a multi-hop setup like this:

You -> Russian IP -> US IP

then you'd get anonymity via the Russian hop but aren't geoblocked due to your final hop being in the US.

tgsovlerkhgsel 417 days ago

I'm sure there's at least one VPN service that has US IPs and takes Monero.

XorNot 417 days ago

I'm almost certain US law enforcement, at least until recently, would've directly operated such a service.

In the same way that it's relatively easy to find a hitman on the dark web, it's considerably harder for them to actually not be law enforcement.

mcmcmc 417 days ago

Mullvad

dagaci 417 days ago

Russian IPs were in the pool because it never occurred to them to check where these IPs were geo registered

sanderjd 417 days ago

Yep, pretty much impossible to disentangle careless incompetence from malevolence with these goons.

daveguy 417 days ago

Yup. That's what they're counting on.

rurban 417 days ago

Or, very unlikely but maybe, the DOGE employee used this new account to attempt to login via a Russian VPN just to test security. Still very unlikely, because they were not interested in security at all.

Cthulhu_ 417 days ago

DOGE's mission isn't pentesting though, there's other federal agencies for that, like the article mentions, US-CERT operated by Homeland Security.

Homeland Security and co need to step in, but they're controlled by hostile agents.

andy_ppp 417 days ago

Haha, have you never worked with a prolific junior that wants power and openly questions everything you do, their role and any limitations you place on them. These kids won’t care it’s not their remit.

rurban 417 days ago

What is the procedure with such a hostile takeover then? Army or National Guards should intervene to re-instate national security.

int_19h 417 days ago

Under whose authority? The president is still commander-in-chief, unless and until impeached

rurban 417 days ago

If the president is behind all that, there are proper command chains to deal with such a scenario. Democracy is about checks and balances. The US is by far not a democracy anymore, but still calls itself so.

int_19h 416 days ago

The "proper chain" for this scenario is either Congress impeaching the president, or the vice president triggering the 25th Amendment.

Unfortunately, the Republicans in Congress refuse to do so and pretend that everything is fine, and the vice president is the president's lackey.

As far as I know, we don't have any other legal mechanisms to remove the president from his position as commander-in-chief. If you know of any, I'd love to hear more about them.

_heimdall 417 days ago

The article mentioned that traces of a few GitHub repos were found. One of the READMEs left behind described a tool used to create a multihop network to hide the original source.

Seems plausible that they could have used that tool when logging in and it happened to bounce off a Russian IP.

catlikesshrimp 417 days ago

Maybe they successfully identified and blocked all the attacks from Russian IPs, but not the case of other attacks

1659447091 417 days ago

> more than 20 such attempts

If I am testing a login I don't need 20+ failed attempts to know it's not working. Sometimes the simple answer is the correct one. The series of events does not read as someone, whose job has been reported to disable security and demand root access to systems, testing the already in place login system to make sure Russian IPs (specifically) can not log in.

FranzFerdiNaN 417 days ago

Lets be honest: they are compromised. Musk is compromised. Trump is compromised. They are all traitors who are selling America out. It took almost four decades but Russia is winning the cold war after all, without firing a shot.

whamlastxmas 417 days ago

Yes, Trump is both bought by the Russians but also holding to sanctions that cost Russia billions a year. Definite 4D chess move.

lukan 417 days ago

Well, it cannot be too obvious, obviously.

Are you aware of the "krasnow" theory?

I see no proof there, but indeed strong indications to seriously look into it.

paulryanrogers 417 days ago

Trump is trying to get the sanctions lifted. Give him time.

https://www.reuters.com/world/white-house-seeks-plan-possibl...

He does owe Russia for the email hack and leaks that he publicly requested. Not to mention sticking it to Ukraine after they didn't find/fabricate evidence against the Biden family.

Arkhadia 417 days ago

I want to know why your comment isn’t flagged but any dissenting opinion or question from yours will be…. Is that in alignment with American values? Hmm…

daveguy 417 days ago

Freedom of Speech is freedom from the government regulating speech. No one has a constitutional right to fkup a message board with propaganda.

It is unconstitutional when the government does it, like say a president who requires unapproved language be scrubbed from public government sites.

lukan 417 days ago

If the US government would be under russian control, exposing it would likely align with american values.

Also I see no flagged other comment and some people just downvote downvotecommentors.

b112 417 days ago

This sounds very weird.

If you're blocking non-US IPs, you trpically block at the IP layer, before a login attempt can even begin.

Why allow someone to even log in at all?

ffsoftboiled 417 days ago

If the intent is to collect foreign IPs attempting login - you could block it down the chain. Lots of intelligence reasons to do this.

crtasm 417 days ago

If you block outright an adversary has reason to try another IP. If you allow the attempt then show a standard "login failed" page they have less information to go on.

filcuk 417 days ago

Not necessarily. One could have a gov site allowing anyone to view it, but have stricter rules on a /login path, HTTP POST, auth header, or it could have been blocked by some compny-wide safety layer that manages this stuff semi-automatically. But that's just a speculation.

ocdtrekkie 417 days ago

So the default behavior of a Fortigate is to allow you to apply an access policy to the VPN tunnel itself, which can easily be a geoblock, but the local-in policy where the remote is actually authenticating against the firewall is much harder to change.

Not saying this is a Fortigate or that the federal government didn't change the low effort configuration, but it's certainly not unusual, Fortinet is a huge presence.

kissiel 417 days ago

maybe to detect that the valid credentials are leaked / used in the wilds?

Cthulhu_ 417 days ago

Exactly; a valid login attempt from abroad should trigger an immediate account lock and credentials reset for sensitive systems like this.

mikeocool 417 days ago

Auth providers (like Okta for example) often do the geo-blocking at level 7 -- because if you know the login being used, you can then lock the account that is being accessed from a blocked region.

dagaci 417 days ago

Remember these are elons are script kiddie hackers, it only occurred to disable the outer firewall, azure ad will independently geoip block all by itself

trkaky 417 days ago

or person forgot to switch of the vpn

tyingq 417 days ago

What's the typical use case for a DOGE employee to have a Russian VPN setup on their work PC?

masklinn 417 days ago

Logging on to their work account.

Muromec 417 days ago

I can come with at least three:

- forgetting to take anti-paranoia pills

- doing it on purpose to "own the libs"

- doing it on purpose out of curiosity as to how stupid the adults can be in configuring a sensitive system

only-one1701 417 days ago

Totally an honest mistake! It’s ok because the stakes are really low; not like it’s the US government!

kevin_thibedeau 417 days ago

BigBalls has three whole years of experience as a script kiddie. He's got this.