What's in the torrent:
The qateam/ folder is a copy of what appeared to be a QA server, with copies of
all their FinSpy Mobile malware.
The www/FinFisher folder is a dump of https://www.gamma-international.de/FinFisher/
That's where their customers went to download whatever they had purchased.
Unfortunately, the downloads are all either encrypted zip or gpg files. But, on
the chance that the encryption can be cracked (throw enough GPU at the zip
files), it'll have everything. The only unencrypted thing in that part is
FinFisher/Sales, which does have some semi-interesting stuff like a price list.
The www/GGI folder is a copy of http://finsupport.finfisher.com/
A dump of its database is in Database.sql
That's where all their customers went for support questions. Often the
FinFisher staff would reply over e-mail, and unfortunately I wasn't able to
get the mail servers. The most interesting things there are the support_request
and feedback tables in the database combined with the Support/Attachments
folder. There's also some decent stuff in Product/Documents and Product/Updates.
The www/conf folder has the Webalizer stats on their visitors
The www/ffw folder has their FinFly-Web demo site.
Customers I've identified:
29 - the Bahraini group; in support requests they ask for help setting up a
website targeting activists in 14 Feb, and in another support request they
attach their C&C server logs. The names of people with admin access to the
FinSpy server are in the server logs, grep for "user name:"
Abdulla Husain, Ahmad, Abdulla Al Eid, Yousif Al Sadiq, Rizwan Saleem, Sayed
Ansar Husain, Humayun, and Mohammed Al Majed
From metadata in attached Word documents:
69 - PCS Security Pte Ltd
49 - Cliff Harris
From text in support_request or feedback table:
21 - Nasser Alnuaimi Qatar state security bureau
82 - Sanjin Custovic, Intelligence-Security Agency of Bosnia and Herzegovina
73 - Peter Balogh, SSNS - NBSZ hungary secret service
61 - Wim Bordeyne, gives work e-mail of firstname.lastname@example.org although skynet.be is
48 - Vietnam
65 - Nigeria
18 - Mongolia, and their email email@example.com appears in this whois record:
From their username in customer table:
34 - Dyplex
9 - Trovicor
10 - Elaman
23 - Cobham
From gpg key used for their product download:
68 - Jochen van der Wal, technical engineer for KLPD (dutch police)
Other customer gpg keys that are on keyservers, but the keys don't identify them:
43 - USB on Fire <firstname.lastname@example.org>
14 - email@example.com
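The customers above were tied to downloads through the gpg key each file was encrypted to. That key ID is not hidden by the encryption: every OpenPGP-encrypted file starts with one Public-Key Encrypted Session Key packet (RFC 4880 tag 1) per recipient, and each carries the recipient's 64-bit key ID in the clear, which is what `gpg --list-packets` prints and what you then look up on a keyserver. The parser below is an added example written for this readme, not a tool from the torrent or from Gamma; the two sample files are constructed in the code, addressed to a made-up key ID, and are not real FinFisher downloads.

```python
"""Pull the recipient key ID(s) out of an OpenPGP-encrypted file without decrypting it.

Added example for this readme. SAMPLE_OLD_FORMAT / SAMPLE_NEW_FORMAT are constructed
test vectors addressed to the made-up key ID 0123456789ABCDEF; they are not real files.
"""
import struct

# Body of a version 3 Public-Key Encrypted Session Key (PKESK) packet:
#   version(1) | recipient key ID(8) | pubkey algorithm(1) | encrypted session key MPIs
PKESK_BODY = bytes([
    0x03,                                            # PKESK version 3
    0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,  # recipient key ID (made up)
    0x01,                                            # public-key algorithm 1 = RSA
    0x00, 0x08, 0xFF,                                # one tiny MPI standing in for the encrypted key
])

# A dummy Symmetrically Encrypted Integrity Protected Data packet (tag 18) that
# follows the PKESK in a real file; the body here is meaningless filler.
SEIPD_DUMMY = bytes([0xD2, 0x05, 0x01, 0xAA, 0xBB, 0xCC, 0xDD])

# Old-format header: 0x80 | (tag 1 << 2) | length-type 1 (two-byte length).
SAMPLE_OLD_FORMAT = bytes([0x85]) + struct.pack(">H", len(PKESK_BODY)) + PKESK_BODY + SEIPD_DUMMY
# New-format header: 0xC0 | tag 1, followed by a one-octet length.
SAMPLE_NEW_FORMAT = bytes([0xC1, len(PKESK_BODY)]) + PKESK_BODY + SEIPD_DUMMY


def read_packet_header(data, pos):
    """Return (tag, body_offset, body_length) for the packet starting at data[pos]."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("byte 0x%02x at offset %d is not an OpenPGP packet header" % (first, pos))
    if first & 0x40:  # new-format header (RFC 4880 4.2.2)
        tag = first & 0x3F
        b1 = data[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + data[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not handled here")
    # old-format header (RFC 4880 4.2.1): tag in bits 2-5, length type in bits 0-1
    tag = (first >> 2) & 0x0F
    ltype = first & 0x03
    if ltype == 0:
        return tag, pos + 2, data[pos + 1]
    if ltype == 1:
        return tag, pos + 3, struct.unpack(">H", data[pos + 1:pos + 3])[0]
    if ltype == 2:
        return tag, pos + 5, struct.unpack(">I", data[pos + 1:pos + 5])[0]
    raise ValueError("indeterminate-length packet is not handled here")


def recipient_key_ids(data):
    """Walk the packet stream and return the key ID (16 hex chars) of every PKESK packet.

    A file encrypted to several customers yields several IDs. An ID of all zeros
    means the sender used --throw-keyids and the recipient is deliberately hidden.
    """
    ids = []
    pos = 0
    while pos < len(data):
        tag, body, length = read_packet_header(data, pos)
        if tag == 1:
            if data[body] != 3:
                raise ValueError("unsupported PKESK version %d" % data[body])
            ids.append(data[body + 1:body + 9].hex().upper())
        pos = body + length
    return ids


def is_anonymous_recipient(key_id):
    """True when the key ID field was zeroed (no keyserver lookup is possible)."""
    return key_id == "0" * 16


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_OLD_FORMAT
    for kid in recipient_key_ids(blob):
        print("hidden recipient" if is_anonymous_recipient(kid) else "encrypted to key ID %s" % kid)
```

Run it as `python3 keyid.py FinSpy-something.gpg` on a download from www/FinFisher; the printed long key ID is what you feed to `gpg --recv-keys` on a keyserver to get the user ID, which is how the KLPD key above was attributed. Armored (`-----BEGIN PGP MESSAGE-----`) files need dearmoring first, e.g. `gpg --dearmor`, since the parser expects the binary packet stream.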
Employees identified from gpg keys:
(1) Alfons Rauscher <firstname.lastname@example.org>
1024 bit DSA key 66878388, created: 2013-04-17
(1) Hari Purnama (pgp) <email@example.com>
2048 bit RSA key A7A4AC21, created: 2013-03-05
(1) Melvin Teoh (Gamma Group) <firstname.lastname@example.org>
2048 bit RSA key D81082F4, created: 2012-03-08
(1) Alexander Hagenah <email@example.com>
2048 bit RSA key 3F895273, created: 2013-03-05