Screencaps of info relating to UniteBlue hosting. @TrinaCuppett @OmegleWarden @GlobalRevOrg @DkChoco
It’s important to understand what Robtex output is and isn’t. It’s lightly sifted and robotically explained data, it is not the product of informed analysis: not “information.” It is also inherently incomplete in important ways. Using Robtex as a source of initial clues is fine, but it is rarely going to be able to provide all the data needed for a serious investigation of the relationships between online entities. Perfectly legitimate and common relationships can be totally invisible to Robtex without any anyone making any effort to obfuscate them or even any errors of any sort.
So, who hosts UniteBlue?
The name “uniteblue.com” resolves to the IP address 22.214.171.124. 126.96.36.199 is an IP routed to the Peer1 San Antonio data center. It is in an address block whose registration carries Peer1’s “ServerBeach” brand and a San Antonio address, implying that it is used for their retail/commodity hosting there. There is one “reverse DNS” record (i.e. PTR type, mapping IP-> name) for that IP, pointing to atk.financialonline.com.br. However, atk.financialonline.com.br actually resolves to a different IP address (188.8.131.52) which is also on a Peer1 network, also registered as ServerBeach, but apparently in Herndon, VA. The Herndon IP has a reverse record pointing to the name va.financialonline.com.br, which thankfully has symmetric resolution back to the same IP. Both of the *.br names seem to be functional as both http and https server names, but their server roots all redirect to URL’s that kick back 403 and 404 pages (not found/access denied) depending on the name and protocol. If those are operational websites, they are clearly not intended for public use. Interesting as well is that when HTTPS is used, both present a certificate issued to *.financialonline.com.br, so it is very likely that the forward DNS is legitimate.
So, what to make of this?
Not much. UniteBlue uses commodity hosting. Unshocking. I have my criticisms of commodity hosting and specifically of ServerBeach, but I’m biased: my current gig is a company that provides *custom* hosting and I’ve spent a couple of decades in the trenches of network abuse response. Peer1 & ServerBeach have a special cage in my menagerie of scorn, but the explanation of that would be a long geeky screed that would lose all readers and say almost nothing about this case. The only useful bit: I am not in the slightest way surprised that Peer1 has a single PTR record pointing to a stale customer name for an IP that they use for a commodity shared hosting machine.
So, is UniteBlue connected to arms merchant ATK?
I would see absolutely no basis for that question, were it not for an unfortunate tweet by Karoli tha got some attention. I can see no evidence that ATK (a.k.a. Alliant Techsystems) is connected to the name atk.financialonline.com.br by anything other than the ‘atk’ hostname and that’s a weaker than weak coincidence. Just as ATK is a brand name of Alliant and ServerBeach is a brand of Peer1, the English word “Financial” and the associated financialonline.com.br domain are a brand of Atatika, a Brazilian financial software company. It seems more likely that ‘atk’ is an abbreviation for the company name or some component of their software rather than a reference to a US defense contractor. The DNS serial number for financialonline.com.br implies that it has not changed since 2009, so even if the name was at some time intended to indicate an Alliant (ATK) connection, the name has not resolved to the IP address hosting UniteBlue since long before UniteBlue existed. Peer1 has an obviously stale PTR record for an IP address that they are now using to host an unknown number of websites, one of which is UniteBlue but none of which are the site that once used the name atk.financialonline.com.br. In short: making a connection from UniteBlue to ATK relies on imputing random significance to a random coincidence in a DNS record that is at least incorrect and seems at best to be stale by 4 years if in fact it was ever correct.