Nnsa and Doge

Feb 2025 07:52 PM

Farritor was granted access to basic IT including email and Microsoft 365, one of the people said. The chief information office only does a small amount of IT and cybersecurity work for the National Nuclear Security Administration, they said, including providing connectivity and running basic internet services for NNSA’s headquarters. It does not run IT systems for the nuclear agency’s labs controlling the nation’s nuclear stockpile.

installed a different SpaceX engineer, Ryan Riedel, as chief information officer, three people familiar with the matter told CNN — the department’s top IT official charged with managing tech acquisitions and protecting personnel data across a vast bureaucracy

Nuclear Concerns Five Eyes

DOGE staffers were granted access to DOE systems over the objections of counsel

“He’s not cleared to be in DOE, on our systems. None of those things have been done.”

https://www.cnn.com/2025/02/06/climate/doge-energy-department-trump

when did the nnsa firings happen? if so that means farritor accessed nnsa

Hackers given access without proper clearance, fired NNSA workers meaning access to the data, access to comms between nuclear labs and weapons storage facilities

what it means

assess with high or medium confidence that inside threat was on nnsa hq networks in feb

by april accessing secret nuclear systems

by july, a zero day on prem sharepoint vuln exploited by china

I assess with high confidence that this network represents a sophisticated international data smuggling operation delivering sensitive US intelligence to multiple adversaries, including Russia and China

The administrator of this network is a high ranking DOGE official who had wide-ranging access to US federal systems in the time period this data was observed.

It must be assumed that any/all US intelligence held at that time (find which agencies by feb they did) is compromised and in the hands of Russia, China, and other unknown entities.

proof of concept

  1. BGP hijacking — mass announcement of reserved but unallocated IP range 63.x.x. By observing spikes in BGP announcements, we can estimate exact dates of major exfiltration events

  2. Having obtained admin credentials, attacker runs a BadUSB attack on victim machine. Creates master database of all target assets

  3. Attacker connects to US node as first hop (isn't BGP related to final dest?)

  4. Traffic proxied around the world, however egress is 1.5 times larger than ingress in feb and 26 times larger in August. Indicates data going to multiple destinations.

  5. Establish SSH connection with German/Netherlands servers, also controlled by Coristine.

other of note

NNSA breached by zero day SharePoint vuln. On prem only. What recon would have been necessary for dev of this? Could Farritor tell them intel on what NNSA uses?

commvault attack chain revealed in april 2025, was not patched until August, implying some exploitation event that necessitated public patch release.

if admin creds obtained, attackers could move laterally to different gov cloud tenants (I think separate from on prem SharePoint vuln, right?)