Israeli firms sold invasive surveillance tech to Indonesia: Report | Cybersecurity News

An international investigation has found that at least four Israeli-linked firms have been selling invasive spyware and cyber surveillance technology to Indonesia, which has no formal diplomatic ties with Israel and is the world’s most populous Muslim nation.

The research by Amnesty International’s Security Lab – based on open sources including trade records, shipping data and internet scans – uncovered links between official government bodies and agencies in the Southeast Asian country and Israeli tech firms NSO, Candiru, Wintego and Intellexa, a consortium of linked firms originally founded by a former Israeli military officer, going back to at least 2017.

German firm FinFisher, a rival to the Israeli companies and whose technology has been used to allegedly target government critics in Bahrain and Turkey, was also found to have sent such technologies to Indonesia.

Amnesty said there was little visibility about the targets of the systems.

“Highly invasive spyware tools are designed to be covert and to leave minimal traces,” it said in the report. “This built-in secrecy can make it exceedingly difficult to detect cases of unlawful misuse of these tools against civil society, and risks creating impunity-by-design for rights violations.”

It said this was of “special concern” in Indonesia where civic space had “shrunk as a result of the ongoing assault on the rights to freedom of expression, peaceful assembly and association, personal security and freedom of arbitrary detention”.

Concerns about human rights have intensified in Indonesia since former general Prabowo Subianto was elected president in February at his third attempt. Prabowo, who will formally take office in October, has been accused of serious rights abuses in East Timor and West Papua, where Indigenous people have been fighting for independence from Indonesia since the 1960s. He denies the allegations against him.

The report said it had discovered “numerous spyware imports or deployments between 2017 and 2023 by companies and state agencies in Indonesia, including the Indonesian National Police [Kepala Kepolisian Negara Republik] and the National Cyber and Crypto Agency [Badan Siber dan Sandi Negara]”.

Amnesty said the Indonesian police declined to respond to its queries over the research findings, while the National Crypto and Cyber Agency had not responded to its questions by the time of publication.

 

The investigation noted that several of the imports passed through intermediary firms in Singapore, “which appear to be brokers with a history of supplying surveillance technologies and/or spyware to state agencies in Indonesia”.

Over an investigation lasting several months, Amnesty collaborated with Indonesian news magazine Tempo, Israeli newspaper Haaretz, and news and research organisations based in Greece and Switzerland.

“The murky and complex ecosystem of suppliers, brokers, and retailers of spyware and surveillance, as well as complex corporate structures, allow this industry to evade accountability and regulation easily,” Amnesty International Indonesia director, Usman Hamid, was quoted as saying in Tempo.

It is not the first time that Indonesia has been linked to Israeli spyware, with Tempo reporting in 2023 that traces of NSO’s Pegasus spyware, which can infect targeted mobile phones without any user interaction, had been found in Indonesia.

In 2022, the Reuters news agency said more than a dozen senior Indonesian government and military officials had been targeted the year before with Israeli-made spyware.

Fake websites

Amnesty found evidence that, unlike Pegasus, much of the spyware required the target to click a link to lead them to a website, usually imitating the sites of legitimate news outlets or politically critical organisations.

Researchers found links between some of the fake sites and IP addresses linked to Wintego, Candiru (now named Saito Tech) and Intellexa, which is known for its Predator one-click spyware.

In the case of Intellexa, the fake sites mimicked Papuan news website Suara Papua as well as Gelora, which is the name for a political party but also an unrelated news outlet.

Amnesty also found Candiru-linked domains imitating legitimate Indonesian news sites, including the state news agency ANTARA.

Indonesia does not currently have laws that govern the lawful use of spyware and surveillance technologies but has legislation safeguarding freedom of expression, peaceful assembly and association, and personal security. It has also ratified multiple international human rights treaties, including the International Covenant on Civil and Political Rights (ICCPR).

Amnesty urged the Indonesian government to institute a ban on such highly invasive spyware.

Citing sources it did not name, Haaretz said NSO and Candiru were not currently active in Indonesia.

It reported that Singapore had summoned a senior Israeli official in the summer of 2020 after “authorities there had discovered that Israeli firms had sold advanced digital intelligence technologies to Indonesia”.

In responding to Friday’s findings, NSO cited human rights regulations in response to questions from Haaretz.

“With respect to your specific inquiries, there have been no active geolocation or mobile endpoint intelligence systems provided by the NSO Group to Indonesia under our current human rights due diligence procedure,” it was quoted as saying by the newspaper, referring to a framework it introduced in 2020.

Candiru, meanwhile, told Amnesty that it operated in accordance with Israeli defence export rules and could neither confirm nor deny the questions posed by the organisation.

Wintego did not respond to requests for comment on the research findings, Haaretz said.

Israel’s defence exports body declined to comment on whether it had approved sales to Indonesia.

It told Amnesty the sale of cyber surveillance systems was authorised only for government entities for “anti-terror and law enforcement purposes”.

The United States blacklisted NSO in 2021 over concerns its phone-hacking technology had been used by foreign governments to “maliciously target” political dissidents, journalists and activists. The designation makes it harder for US companies to do business with it.

Candiru and Intellexa are also subject to the US’s trade control rules.

In March, the US imposed sanctions on Intellexa for “developing, operating, and distributing commercial spyware technology used to target Americans, including US government officials, journalists, and policy experts”.