The U.S. Federal Bureau of Investigation (FBI), along with the domestic Cyber National Mission Force and several international intelligence agencies, have uncovered a sophisticated Russian-backed operation that used an artificial intelligence-powered bot farm to spread disinformation on social media platforms.
The agencies – which included international partners such as the Netherlands General Intelligence and Security Service and the Canadian Centre for Cyber Security – have released a joint advisory to warn social media companies about Russian state-sponsored actors employing the Meliorator software for malign influence activity in foreign nations and the United States. While currently focused on X (formerly Twitter), analysts believe the tool’s developers intend to expand to other platforms.
Meliorator Bot Farm Characteristics and Capabilities
The Meliorator tool creates bot persona ‘souls’ (false identities) with varying levels of information on their profiles and relevant ‘thoughts’ (automated actions). The first bot archetype has complete profiles, including a profile photo, cover photo, and biographical data, while the second archetype has very little information. The third archetype appears real by generating a lot of activity and garnering followers.
The bot personas are capable of deploying content similar to typical social media users, mirroring disinformation from existing bot personas, perpetuating specified pre-existing false narratives, and formulating messaging based on the specific archetype of the bot.
To avoid detection, the creators of the Meliorator tool used various obfuscation techniques, including IP address obfuscation, bypass of dual factor authentication, and modification of browser user agent strings to appear more consistent. The bot personas also follow genuine accounts reflective of their political leanings and interests listed in their biography, making them appear more authentic to viewers.
The tool has been used by FSB services since 2022 to generate mass quantities of social media profiles that appear to be authentic. The software includes an administrator panel called “Brigadir” and a seeding tool named “Taras,” which contains backend files to control the personas used to spread disinformation. These “souls” are stored in a MongoDB database for easy manipulation.
Operators access Meliorator through virtual network computing that is hosted at dtxt.mlrtr[.]com using project management software from Redmine.
Justice Department Seizes Associated Domains
In relation to the joint action by intelligence agencies, the U.S. Justice Department announced the seizure of two related domain names, and 968 social media accounts used in malign influence operations. According to the press release, the bot farm was developed by an individual identified as Individual A, who worked as the deputy editor-in-chief at RT, a state-run Russian news organization.
In early 2022, when RT leadership sought to develop alternative means for distributing information beyond traditional news broadcasts, Individual A had led the development of software to create and operate a social media bot farm, with the capability of creating fictitious online personas on a wide-scale basis to advance the mission of the FSB and the Russian government.
The bot farm’s operators used the network to spread disinformation on various topics, including the Russia-Ukraine conflict. These included videos in which President Putin justified Russia’s actions in Ukraine, and claims that certain areas of Poland, Ukraine, and Lithuania were “gifts” to those countries from the Russian forces that liberated them from Nazi control during World War II.
The bot farm was also used to spread videos claiming that the number of foreign fighters fighting for the Ukrainian forces was significantly lower than public estimates. Deputy Attorney General Lisa Monaco stated, “Today’s action demonstrates that the Justice Department and our partners will not tolerate Russian government actors and their agents deploying AI to sow disinformation and fuel division among Americans.”
“As malign actors accelerate their criminal misuse of AI, the Justice Department will respond and we will prioritize disruptive actions with our international partners and the private sector. We will not hesitate to shut down bot farms, seize illegally obtained internet domains, and take the fight to our adversaries,” she added.
The FSB’s use of U.S.-based domain names, which the software used to register the bots, violates the International Emergency Economic Powers Act. In addition, the accompanying payments for that infrastructure violate federal money laundering laws.
X (formerly Twitter) took action to voluntarily suspend bot accounts identified in the investigation for violation of its terms of service. The FBI worked with cybersecurity agencies from Canada, the Netherlands and other partners to analyze the bot farm‘s technology.
The Justice Department has released a joint cybersecurity advisory on the research findings of the intelligence agencies, allowing social media platforms and researchers to identify and prevent further use of the technology.
The publication includes IP addresses, SSL certificates, mail server domains, and related details associated with the infrastructure of the Meliorator bot network.
