Related: https://infosec.exchange/@briankrebs/114083485241630234

Excerpt: "How much more proof do we need that this administration is completely compromised? There is zero reason for the US to relax any offensive digital actions against Russia. If anything, we should be applying more."

I would have thought that a Russian state sponsored attack would trivially mask the IP to originate from within the USA. This is just brazen.

> guesses for best possible interpretion? The Russians have infiltrated their PCs with keyloggers and DOGE are working from insecure open networks

They were accessing Github over the internet from superuser accounts they were presumably also using as their user account. Given the code quality, I doubt their opsec is put together, either.

Don't forget the third option: false flag.

The objective may not have been to obtain access or any useful data. The objective may have been to get the scary headlines about Russians and use the existing media and political agitprop to further destabilize the government you seek to color revolution away.

Isn't it just that the IP router happens to use IPs in Russia as part of the rotation?

If they're trying to exfiltrate data, they might want to rotate through IP addresses in order to obfuscate what's going on or otherwise circumvent restrictions. Using a simple ip rotator like the post talks about would maybe be an approach they'd use. If they're not careful with the IP addresses, once in a while one might get caught due to some restriction like being outside the US. It'd maybe appear as though you're getting these weird requests from Russia, but that's just because you're not logging the requests that are not being flagged from the US.

Maybe I'm reading the post incorrectly though (if so, please correct me!)

Best case scenario those kids were duped into giving out credentials to the wrong (Russian) people.

> Any guesses for best possible interpretion? The Russians have infiltrated their PCs with keyloggers [...]

Best possible case I see would be that the whistleblower has made some mistake (or is being intentionally dishonest). Seems plausible for instance that "it appeared they had the correct username and password" based on "our no-out-of-country logins policy activating" could just be a misunderstanding of how/when the policy triggers. Not to say it's the most likely explanation, just the least concerning one.

I think less concerning than keyloggers, while still assuming the whistleblower is correct, would be that a DOGE employee was using a VPN/proxy/Tor. Probably not a great idea to have traffic going through a hostile nation state even with encryption, but less bad than keyloggers on their machines stealing and trying credentials within minutes.

Definitely concerning though, to be clear - just steelmanning/answering the question of best possible interpretation.

Yeah, like the APT that compromised O365 accounts from US gov entities a year or so ago, using residential proxies to go around Conditional Access Policies..., is now logging in straight from the Kremlin. :D

How dumb would Russian hackers be to not use some kind of vpn? My friend who lives in Russia says that without vpn he can not access majority of USA sites so he has it always on be default. Something to is not right or these people are very very dumb.

Spearfishing then some kind of spyware on the system would be my guess.

Though with nation state actors you can't rule out Pegasus like zero-click infiltrations.