Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

Researchers Say Indonesia Made Large-Scale Spyware Purchases

Government Agencies Bought Spyware From a Murky Network of Brokers and Suppliers
Researchers Say Indonesia Made Large-Scale Spyware Purchases
An Indonesian police officer watching over a crowd (Image: Shutterstock)

Indonesian agencies, including the national police, have secretly procured an assortment of spyware and surveillance tools from a network of suppliers, brokers and resellers since 2017 to spy on a range of senior government and military officials, according to Amnesty International researchers.

See Also: Finding and Managing the Risk in your IT Estate: A Comprehensive Overview

Researchers from the human rights group's Security Lab relied on a vast pool of open-source intelligence, including spyware infrastructure maps and commercial trade databases and concluded that Indonesian authorities, including the Indonesian National Police and the National Cyber and Crypto Agency, acquired off-the-shelf spyware tools to closely watch senior government officials and diplomats.

The tools were sourced from "a murky ecosystem of surveillance suppliers, brokers and resellers that obscures the sale and transfer of surveillance technology," Amnesty said. Sellers included the NSO Group-linked Q Cyber Technologies, the Intellexa consortium, Saito Tech, FinFisher and Wintego Systems.

The disclosure follows a Reuters investigation in 2022 that found multiple Indonesian government and military officials were targets of active digital surveillance by state-sponsored attackers. Victims included the chief economic minister, as well as senior military officials, diplomats and advisers in the defense and foreign ministries.

According to Amnesty International's Security Lab, Indonesian agencies procured most of their spyware tools through a network of shell companies in Singapore that work as intermediaries and have opaque documentation and ownership details to make verification of end-to-end supply chains close to impossible.

The agencies also sourced spyware tools and surveillance infrastructure through suppliers, brokers and resellers operating out of Israel, Greece and Malaysia between 2017 and 2023. Tools included malicious domains that mimicked the websites of opposition political parties and major national and local news media outlets and injected highly invasive spyware tools that left minimal traces to prevent detection.

Developers and suppliers of spyware tools named in the report - such as Q Cyber Technologies, the Intellexa consortium and FinFisher - have a rich history of selling sophisticated spyware tools to law enforcement agencies and governments worldwide.

For example, the FinFisher spying tool, also known as FinSpy, can target Android, iOS, macOS, Windows and Linux users. The spyware can hide inside installers for legitimate applications such as TeamViewer, VLC Media Player and WinRAR, and in mobile devices it can be injected through malicious web links. Once installed, it can steal stored files, turn on the microphone, take over the camera, steal emails, capture keylogs and intercept contacts, chats, calls and files.

Researchers said Raedarius M8 GmbH, a German company previously linked with FinSpy malware, shipped technical hardware to an Indonesian company in August 2021, a year before Citizen Lab discovered FinSpy customer servers hosted in Indonesia.

Pegasus spyware, sold by the NSO Group-linked Q Cyber Technologies, is also a well-known and highly sophisticated tool that hides inside infected devices and gains access to SMS communications, encrypted messaging applications, emails, photos, contacts, calendar, GPS data, logs and all installed applications.

Investigation by media collective IndonesiaLeaks, published in June 2023, found that the Indonesian National Police and the State Intelligence Agency procured and deployed the Pegasus spyware. The investigators also found that an Indonesian company, Radika, won a government tender in 2018 for a zero-click intrusion system that can infect devices without requiring any action from the victims.

Amnesty International says many governments take advantage of weak global regulations and enforcement over the sale and supply of dual-use technologies to procure highly invasive spyware and other surveillance technologies at the detriment of citizens' right to privacy.

"Many dual-use technologies and rely on components and infrastructure that may not themselves be subject to dual-use regulations but are integral to the functioning of systems with potential military applications," the rights group said.

"The unchecked spread of highly invasive spyware underscores the urgent need for robust oversight and enforcement of dual-use regulations to prevent its misuse and protect individuals' rights to privacy and free expression. By ensuring strict enforcement of regulations governing the export and transfer of these non-dual-use items, governments can prevent the proliferation of dual-use systems that pose a threat to human rights," the researchers said.

About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.