When I wrote yesterday’s Meliorator Social Botnets I already had, but had not yet reviewed the Meliorator search warrant affidavit. Now that I have I think the investigative tradecraft in here is useful to review for the sake of any future Malign Influence Operations Safari.

Attention Conservation Notice:

This will get very technical pretty quickly. It’s probably just a skim so you know the general outline, but don’t do the gritty detail work with Maltego.

Information Sought Section I:

I have worked a grand total of ONE subpoena response from Twitter and it was for a civil matter. Law enforcement gets much broader information.

• Any verified user information - IDs and the like.

• Usernames used, assuming the account may have renamed.

• Inception of account, in particular any paid blue checks.

• Access device data, which is NOT in civil responses.

• Advertising information.

• IP addresses, ports used, and date/time.

• Account settings including privacy related information.

• All service requests, I presume this includes signs of brigading.

• Section IB. is a demand for the same account export we can all get.

• Who the accounts blocked, muted, etc.

• Community and List creation or membership.

• Link shortening information.

The civil subpoena shows the creation date, email, and IP. You get date/time stamps and IP for each time the account authorizes. This request is so much more complete.

Information Sought Section II:

This is purely about the relationship of the accounts and Russia’s FSB. The things that just out at me here are a) FSB is the operator, so this may be APT29 Cozy Bear d) that’s seeking mens rea, which I find a bit odd given this is espionage related, but maybe some Americans were involved in the creation of the Souls(personas) and Thoughts(issue positions) used.

Application:

This part begins on page 61 of the affidavit.

Item 5 - the domain used, mlrtr.com, was purchased from Namecheap using cryptocurrency, later revealed to be Bitcoin via BitPay.

Item 24 - this is about the foreign registration of domains - now I know the statutes and executive orders that apply to the company that sold domains that are revealed in MIOS: Iran’s PressTV. I have more work to do there.

Item 25 - another U.S. agency, guessing CIA or NSA, identifies RT’s deputy editor in chief as Individual A, and they head RT’s Directorate of Digital Journalism. Given the later statements about the phone used, that seems very NSA to me.

Item 26 - Individual B was the lead developer of the Meliorator sfotware.

Item 28 - FSB Officer 1 created a private intelligence organization (PIO) and recruited others, including Individual A.

Item 29

Item 30 - FSB Officer 1 was directing Individual A - control of RT executive by Kremlin.

Item 35 - key domains are mlrtr[.]com and otanmail[.]com

Item 36 - Domain purchase was Milan Blokhin using a VPN and other assets that made the operation appear to be Lithuanian.

Item 39 - operator goofed, leaked Russian IP right at the persona’s inception.

Item 40 - Email Address 2 was registered under the name Cassandra Rivas.

Item 41 - very old account registered by Marka Djorjic was used for recovery.

Item 42 - Individual B gets made by using a +7 Russian cell phone in the setup.

Item 45 - Swedish VPN in use, that’s almost certainly Mullvad.

Item 45 - this whole section should be read carefully.

Item 47 - the initial 19 accounts under investigation plus the mlrtr[.]com domain led to finding the other 949 accounts.

Infrastructure:

Here’s a big fat registrar goof by the operator, as seen by RiskIQ

And some hosting slips

This is what’s appeared on the 46.149.78.0/24 address - so they didn’t expose anything else there.

Paydirt on 62.113.116.0/24 - what’s wotkotik[.]ru - maybe the PIO mentioned above? And ku4askidok[.]ru, which looks less likely to be a PIO name to me.

There are 185 resolutions for the 85.192.33.0/22 address and all but five of them are for movista[.]ru. The flyers are … interesting.

And movista[.]ru are using Microsoft Office Online? Accessible evidence here as well as a chance to pinch off their operations.

Conclusion:

Nation state actors don’t always bring their A game, but this is a bit surprising to me, because none of the technical methods the U.S. agencies used would work on my efforts.

Burner phones, fail closed VPNs, Monero - anyone who has absorbed the lessons in Tool Time would have little trouble evading this investigation. I recently had cause to set up a similar hosting operation for a pro-NATO group. What little it does show dead ends with a burner purchased with cash that got used at a local business that provides WiFi access. Given that the burner has never been powered up here on my boat and I did not have my “real” cell phone with me when I did the setup, not even pushing to the next level to get cellular carrier records with GPS data would help.

I guess it’s a good thing FSB ops are run by skids like these …