World map showing spyware sales to Indonesia from Luxembourg, Europe and Israel via Singapore and Malaysia.

Global: A Web of Surveillance – Unravelling a murky network of spyware exports to Indonesia

An expansive range of highly invasive spyware and surveillance products are being imported and deployed in Indonesia, Amnesty International’s Security Lab said today as it released a new briefing in collaboration with media partners – Haaretz, Inside Story, Tempo, WAV research collective and Woz.  

Through open-source intelligence, including commercial trade databases and spyware infrastructure mapping, the Security Lab found evidence of sales and deployment of highly invasive spyware and other surveillance technologies to companies and state agencies in Indonesia between 2017 and 2023.  

The entities include the Indonesian National Police (Kepolisian Negara Republik Indonesia) and the National Cyber and Crypto Agency (Badan Siber dan Sandi Negara).  

The sale and transfer of highly invasive spyware and surveillance technologies to Indonesia continues to be a concerning development for human rights. The secretive trade of such spyware tools continues at a time when the rights to freedom of expression, peaceful assembly and association are already under attack in the country,”

said Jurre van Bergen, Technologist at Amnesty International. 


A murky ecosystem of surveillance vendors 

The sale and transfer of these spyware and surveillance technologies was enabled through a murky ecosystem of surveillance vendors, brokers and resellers with complex ownership structures.  

The identified vendors include Luxembourg-based Q Cyber Technologies SARL (linked to NSO Group), the Intellexa consortium, Israel-based Wintego Systems Ltd and Saito Tech (also known as Candiru) and Malaysia-based Raedarius M8 Sdn Bhd (linked to FinFisher). The investigation also identified brokers and resellers based in Singapore and Indonesia.  

Intentionally or otherwise, these obscured and non-transparent networks of companies can hide the nature of surveillance exports, making independent oversight challenging for national and international judicial authorities, regulators and civil society organizations. Limited transparency and the systemic lack of information on dual-use (technology or goods that can be used for either civilian and military purposes) surveillance transfers, including the suppliers and end-users involved and export licenses requested, granted, or rejected, make it challenging for regulatory mechanisms – where they exist – to be effectively enforced. 

The Security Lab also identified malicious domain names and network infrastructure linked to multiple advanced spyware platforms, seemingly aimed at targeting individuals in Indonesia. Malicious domains tied to Candiru and Intellexa’s Predator spyware have imitated key national and regional news media outlets, opposition political parties and media stories related to documenting rights violations. Such attack sites are typically chosen by spyware operators to trick their intended targets to click through, which causes the device to be exposed to a potential infection.  

While Amnesty has uncovered significant new evidence about spyware and surveillance systems supplied to Indonesia, this research did not involve a forensic investigation or an attempt to identify specific individuals who may have been targeted with such surveillance tools.  

Highly invasive spyware tools are designed to leave as few traces as possible, making it exceedingly difficult to detect cases of unlawful misuse of these tools. Instead, the research focuses on the sale and transfer of several highly invasive spyware tools. 

Amnesty International’s Security Lab requested comments and clarifications on the findings of the investigation from the twenty-one entities referenced in the investigation. 

Amnesty International received responses from Candiru (referred to as Saito Tech in the research) and NSO Group (responding also for Circles and Q Cyber Technologies SARL) as well as exporting agencies Swiss State Secretariat for Economic Affairs (SECO) and Israeli Defense Exports Control Agency (DECA) and which are reflected in the Security Lab briefing A web of surveillance: Unravelling a murky network of spyware exports to Indonesia.  Candiru responded to explain that the company operates under the Israeli Ministry of Defense Export Control Agency (DECA) – Export Control Law, 5766-2007. NSO Group responded to explain that it is closely regulated by export control authorities in the countries “from which they export products.” 

Human rights implication of spyware trade 

The misuse of surveillance technologies, as well as the use of technologies incompatible with human rights, such as highly invasive spyware, are some of many tactics being used around the world to shrink civic space. The number of identified sales and deployment of highly invasive spyware to Indonesia is of special concern, as there is an ongoing assault on the rights to freedom of expression, peaceful assembly and association, personal security and freedom of arbitrary detention in the country.   

“Human rights defenders and activists have repeatedly faced repression online in Indonesia. The Electronic Information and Transaction (EIT) law and other restrictive laws have been used to prosecute and intimidate human rights defenders, activists, journalists, academics and others. The murky trade in spyware tools to Indonesia adds another dangerous tool for potential intimidation. This cannot be allowed to continue” said Carolina Rocha da Silva, Operations Manager at Amnesty International’s Security Lab.

While Indonesia has ratified the International Covenant on Civil and Political Rights (ICCPR) and recognizes the rights to freedom of expression, peaceful assembly and association, personal security and freedom of arbitrary detention, the country does not have laws specifically governing the lawful use of spyware and surveillance technologies.  

Amnesty International’s Predator Files: Caught in the Net report, shows that even extensive human rights safeguards will not protect civil society against highly invasive spyware. For this reason, Amnesty International calls for a permanent global ban of highly invasive spyware and a moratorium – a halt on the sale, transfer and use of all spyware until there are proper international and national human rights regulatory frameworks in place that protect people from the human rights abuses caused by spyware and surveillance technology.  

If you are a civil society member who may have been a victim of a spyware attack, contact us for digital forensics support.