INVESTIGATION: ISRAELI SURVEILLANCE TECHNOLOGY AND SPYWARE SOLD TO INDONESIA

A joint investigation by Amnesty International and Haaretz has revealed that Indonesia, which has no diplomatic ties with Israel, imported Israeli spy tech. Then Singapore found out about it.

May 02nd, 13PM May 02nd, 15PM

In the summer of 2020, a senior Israeli official was called to Singapore. Authorities there had discovered that Israeli firms under the oversight of Israel's Defense Ministry had sold advanced digital intelligence technologies to the neighboring country of Indonesia. Singapore could not understand why its ally Israel was arming the pro-Palestinian Muslim country with the same capabilities.

Four years later, amid reports that Indonesia is not ruling out normalizing diplomatic ties with Israel, an international investigation published Thursday has revealed that at least four Israeli firms selling offensive cyber capabilities worked with the Southeast Asian country, home to the world's largest Muslim population.

Over the course of research lasting several months, Amnesty International's Security Lab – the technology and human rights division of the organization – in collaboration with Haaretz, Indonesian weekly magazine Tempo, Greek investigative journalism outlet Inside Story, and Swiss research collective WAV and weekly newspaper WOZ Die Wochenzeitung, investigated the import of surveillance technology into Indonesia and its use there.

The research by Amnesty International's Security Lab – based on open sources including trade records, shipping data, and internet scans – has revealed complex ties between official bodies and agencies in Indonesia and Israeli firms such as NSO, Candiru, Wintego and Intellexa that go back to at least 2018.

Two months ago, Indonesian Defense Minister Prabowo Subianto won the country's presidential election. A former general who used to head the special forces, Subianto was pushed out of the army for his role in human rights violations. He is the son-in-law of Suharto, who ruled Indonesia for 32 years, and his election to the presidency has sparked concerns over the future of civil rights in the democratic country.

Between January 2019 and May 2022, Amnesty International recorded at least 90 instances of digital harassment and other forms of digital attacks directed against civil society actors which resulted in at least 148 victims, including human rights defenders, activists, journalists, environmental activists, students, and protestors. These digital attacks included attempts to break into people's private accounts and even harassment.

Indonesia doesn't have any specific legislation governing the use of spyware or surveillance technologies. According to Amnesty International, such technology poses a risk in the country, "where civic space has shrunk as a result of the ongoing assault on the rights to freedom of expression, peaceful assembly and association, personal security and freedom of arbitrary detention."

As past investigations into the sale of spyware and advanced invasive intelligence technologies have demonstrated, in the absence of up-to-date regulations and real legal oversight mechanisms, the chances that such technologies will be abused by their clients in non-Western states grow.

This investigation does not point to any misuse by Indonesia of these technologies, and has not identified any specific victim. However, it does point to the country's desire to obtain these technologies, and documents successful attempts by Indonesian agencies to import different intelligence systems over recent years.

Fake news sites

The investigation reveals that at least five cyber intelligence firms were involved with different state institutions in Indonesia. The first is the German firm FinFisher – a competitor to the Israeli firms. The company was accused last year by German prosecutors of selling its technology to Turkey, which used its spyware against opposition forces.

Access Now, a digital rights group, has in the past found an application developed for Android phones that had FinFisher's spyware baked into it which was used to infect targets – and was sold to Indonesia's national counterterrorism agency ("Badan Nasional Penanggulangan Terorisme" – BNPT).

The current joint investigation reveals that in 2021, a Malaysian firm linked to FinFisher sent some computer hardware to Indonesia. It is impossible to know what the role of this hardware was, and it is possible it is not linked to spyware or surveillance technologies.

This investigation also found signs that Wintego, among the lesser known of Israel's cyber-arms firms, was also active in the country. The firm, whose activity and exports fall under the oversight of Israel's defense exports body, developed and sold a spyware called Helios, alongside other less invasive digital intelligence systems.

While firms like NSO earned infamy for developing "zero-click" capabilities that allowed clients to infect their targets' phones without any action on the victims' part, firms like Wintego are a tier below: Their spyware requires the target to click a link that will usually lead them to a website that includes nefarious code that then infects their devices.

Using internet scanning tools, Amnesty's researchers found a number of websites that appear to serve this role: websites masquerading as news sites that actually refer users to IP addresses linked to Wintego.

In one case, one of the websites' domains was made to look like a website for updating Galaxy devices. These addresses also hosted official Wintego promotional materials, and may have also been directly linked to Helios, perhaps even serving as part of its servers.

Trade and shipping data reveals that systems with names either identical or very similar to those being sold by Wintego were shipped to Indonesia via two firms in Singapore, in both 2019 and 2021, for a total value of around $6 million.

One of the firms revealed in a past blog post that they worked with the Indonesian police and sold "the Helios Android and tactical web intelligence" systems.

Another Israeli spyware firm whose activities in Indonesia this investigation found evidence of is Candiru, which, like NSO Group, was added to an American blacklist in 2021 after its technology was abused by clients.

Candiru sells a spyware technology called "Cyrus" that can hack into PC systems as well as mobile phones. It was reported in the past that Indonesia was a client of Candiru, and sources in Israel confirmed that their 2018 agreement was approved by the Defense Ministry.

The current investigation found at least three shipments of hardware and software components related to "cyber intelligence infiltration/exfiltration systems" from 2020 to 2021 that correspond to the technology sold by Candiru in the past, with a total value of $33 million.

Network analysis also revealed "domains [that] mimic other Indonesian news websites including TribunNews, Tirto, MediaIndonesia and ANTARA News." A domain called "Indoprogress" was also uncovered. However, Amnesty's Security Lab has not confirmed whether these additional domains were all Candiru-hosted spyware infection servers – though they say they "continued to observe additional malicious Candiru spyware domains with a focus on Indonesia into 2022."

This investigation has also revealed that NSO was active in Indonesia many years before it was blacklisted by the Biden administration. Past investigations have suggested the country could be a possible client of NSO's military-grade Pegasus spyware. While the current investigation has not been able to confirm that the spyware was sold to any specific body in Indonesia, it does reveal evidence that the firm was active in the country.

The NSO subsidiary Circles, which specializes in geolocating targets using the global cellular network, is one example; the investigation found a Circles surveillance system operating on Indonesian networks that are owned by a known supplier of surveillance equipment to local authorities. The investigation also found a 2020 shipment of surveillance hardware from Q-Cyber Technologies, another subsidiary of NSO, to the same supplier in Indonesia.

According to sources in the cyber technology industry, NSO and Candiru are currently not active in Indonesia. NSO said that in 2020, the company adopted strict human rights regulations, adding that "With respect to your specific inquiries, there have been no active geolocation or mobile endpoint intelligence systems provided by the NSO Group to Indonesia under our current human rights due diligence procedure."

Candiru said that it operates in accordance with the supervision of Israeli defense exports and cannot provide details about its clients. Wintego did not respond to requests for comment.

Israel's defense exports body refused to answer whether it approved sales to Indonesia, saying that "Israel authorizes the export of cyber surveillance systems to government entities only, for anti-terror and law enforcement purposes, subject to the receipt of End-User Computing applications and additional limitations as required. While establishing [its] export control policies and reviewing licenses applications, human rights considerations constitute an integral part of the process."

The other Israelis

Israel's so-called cyber diplomacy, which included the permissive and widespread sale of advanced spyware and surveillance tools to non-Western states, allowed Prime Minister Benjamin Netanyahu to warm ties with states in Africa, the Muslim world, and particularly the Persian Gulf.

The Abraham Accords ushered in the authorized sales of Pegasus technology to Saudi Arabia, the United Arab Emirates, and Morocco. But after a string of scandals caused by misuse on the part of NSO's clients, Israel and the firms found themselves at the epicenter of global outrage, with growing demands to ban such technologies altogether.

The crisis peaked when the U.S., fuming after the spyware was also used against American officials in Africa, blacklisted NSO and Candiru and demanded Israel rein in its industry. Since then, Israel has started to enforce a much stricter export regime and today, cyber sales are restricted almost exclusively to Western democracies. Sources say the days when spyware could be sold to Arab or Muslim countries are long gone.

Though Indonesia does not recognize Israel and has no diplomatic ties with Jerusalem, there have been behind-the-scenes relations between the two states since the 1993 Oslo Accords. Former Prime Minister Yitzhak Rabin visited the country in 1993, as did Shimon Peres in 2000. In 2016, Netanyahu told Indonesian journalists that the time had come to forge official relations between Jakarta and Jerusalem.

The findings of this investigation suggest that Netanyahu may have also used cyber diplomacy vis-à-vis Indonesia, a country that is considered diplomatically sensitive.

According to different sources, Israel has found itself in a complex geopolitical triangle in the region. On the one hand is Singapore, whose army Israel helped set up and which, according to official reports, is a major client of Israel's defense contractors. On the other hand is Indonesia, a major Muslim nation with whom normalized diplomatic ties have long been a goal for Israel – not to mention a potential bonanza for its defense exports industry.

The sources say that following the senior Israeli official's visit to Singapore in 2020, a change took place in Israel's export policy with regard to cyber sales to Indonesia.

According to a source deeply familiar with Israel's cyber-arms exports policy, until 2020 it was hard – but possible – to get a green light for selling intelligence technologies to Indonesia. However, since 2021, the source says it has become nearly impossible: "Deals that [Israel's defense exports body] had in the past okayed were suddenly no longer authorized."

The result, the source says, put Israeli firms in a bind: "On the one hand, the firms are contractually obligated to their clients as part of deals that received Israel's official blessing. On the other hand, these firms are now being told they cannot continue to supply the technologies, renew existing licenses, or even fulfill existing contracts."

Another source active in the Israeli offensive cyber industry confirms this, explaining that "those working in Indonesia were not allowed to sell new systems or even maintain existing ones – but the Indonesians were allowed to keep what they already had."

In other words, the technologies could not be updated, rendering them increasingly ineffective as time passed. In theory, Indonesia could continue to use Candiru's technology even after the firm stopped actively working with the country.

At the time, a new force had appeared on the cyber-arms scene: Intellexa, a consortium of cyber, surveillance, and digital intelligence firms that has recently been sanctioned by the U.S. and was at the center of a string of international storms in recent years.

As Israel reined in its own industry, refusing to greenlight new deals for firms operating from within Israel, firms operating outside of Israel like Intellexa started to pick up the deals the Israelis were reneging on or barred from making. Intellexa is owned by Tal Dilian – a former Israeli military intelligence commander who was blacklisted by the U.S. over his firms' activities.

Intellexa has been linked to Indonesia in the past. However, this investigation has found an array of websites and IP addresses linked to Intellexa that were set up between 2021 and 2023 and that appear to have been used to target people in Indonesia with the firm's infamous Predator spyware. The websites and IP addresses also included fake news sites, including one that appears to mimic an opposition website. Intellexa did not respond to requests for comment on this report.

Warming up engines

Last month, hints that the ties between Jakarta and Jerusalem were moving out of the shadows started to appear again. Israel allowed an Indonesian plane to fly over the country's airspace for the first time to drop humanitarian aid into Gaza, and reports in Israel said that the Indonesians are open to normalizing ties – and even asked Israel to not oppose its bid to join the OECD.

"Now it seems that Indonesia has been fully converted," one source said, adding that "with ties becoming more open, it's less of an issue for everyone. In the long run, Singapore and Israel realized that if you can't beat them, join them."

2024-05-02T11:09:26Z