7
English
Afrikaans
Albanian
Amharic
Arabic
Armenian
Azerbaijani
Basque
Belarusian
Bengali
Bosnian
Bulgarian
Catalan
Cebuano
Chichewa
Chinese (Simplified)
Chinese (Traditional)
Corsican
Croatian
Czech
Danish
Dutch
Esperanto
Estonian
Filipino
Finnish
French
Frisian
Galician
Georgian
German
Greek
Gujarati
Haitian Creole
Hausa
Hawaiian
Hebrew
Hindi
Hmong
Hungarian
Icelandic
Igbo
Indonesian
Irish
Italian
Japanese
Javanese
Kannada
Kazakh
Khmer
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latin
Latvian
Lithuanian
Macedonian
Malagasy
Malay
Malayalam
Maltese
Maori
Marathi
Mongolian
Myanmar (Burmese)
Nepali
Norwegian
Pashto
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Samoan
Scottish Gaelic
Serbian
Sesotho
Shona
Sindhi
Sinhala
Slovak
Slovenian
Somali
Spanish
Sudanese
Swahili
Swedish
Tajik
Tamil
Telugu
Thai
Turkish
Ukrainian
Urdu
Uzbek
Vietnamese
Welsh
Xhosa
Yiddish
Yoruba
Zulu
Berulis described some shortcomings in the NLRB's ability to detect attacks.
"During one of these meetings, it was confirmed that our team did not have the technical capability to detect or respond in real time to internal threat actors, and that we likely did not have the ability to obtain more details about the past events," he wrote.
The department subsequently "shifted budget to allow for better tooling going forward," which "has vastly improved our detection and logging so we can provide more concrete evidence if covert exfiltration occurs by an insider threat again," Berulis wrote.
"We also shut down a public endpoint and corrected rogue policies that had been altered to allow much broader traffic in/out of our network."On March 10, Berulis found that controls in Microsoft Purview to prevent insecure or unauthorized access from mobile devices had been disabled, he wrote.
"In addition, outside of expected baselines and with no corresponding approvals or records I could find I noted the following: an interface exposed to the public Internet, a few internal alerting and monitoring systems in the off state, and multi-factor authentication changed," he wrote.The team observed more odd activity in the ensuing weeks, Berulis wrote.
Data was sent to "an unknown external endpoint," but the network team was unable to obtain connection logs or determine what data was removed, he wrote.
There were also "spikes in billing in Mission Systems related to storage input/output" associated with projects that could no longer be found in the NLRB system, indicating that "resources may have been deleted or short-lived," he wrote.During the week of March 24, an assistant CIO for security at the NLRB "concluded that following a review of data, we should report it" to US-CERT, the US Computer Emergency Readiness Team at the Cybersecurity and Infrastructure Security Agency (CISA), according to Berulis."Accordingly, we launched a formal review and I provided all evidence of what we deemed to be a serious, ongoing security breach or potentially illegal removal of personally identifiable information," he wrote.But on April 3 or 4, the assistant CIO "and I were informed that instructions had come down to drop the US-CERT reporting and investigation and we were directed not to move forward or create an official report," Berulis wrote.
