June 15, 2023
JAKARTA – An investigation from whistleblower platform IndonesiaLeaks published on Monday uncovered possible evidence that Pegasus, a spyware from Israeli cyber-intelligence firm NSO Group, had been in use on Indonesian soil since 2018, with the police and the intelligence agency allegedly being some of its users.
“The IndonesiaLeaks consortium found indications of the NSO Group spyware [entering Indonesia] through the shipping manifest of PT Mandala Wangi Kreasindo,” the report published in Tempo weekly magazine said. Tempo is among the members of the consortium, along with a number of other Indonesian media outlets and civil society organizations.
In the manifest, the company is recorded as bringing in two pieces of network equipment from United States technology companies Cisco and Dell with a total listed value of around US$16,000.
However, Q Cyber Technologies, parent company of the NSO Group, is listed as the sender. Despite Q Cyber Technologies being headquartered in Luxembourg, the IndonesiaLeaks investigation found that the equipment was originally flown in from Japan with a transit in London.
While a source inside the Customs and Excise Directorate General confirmed that it had found no irregularities within the shipment, IndonesiaLeaks spoke with a spyware middleman who confirmed that customized Dell-branded equipment was often used to disguise spyware and obfuscate the actual value of the items.
One of the most sophisticated tools of its kind, the current version of Pegasus falls under what the industry describes as zero-click spyware. Zero-click spyware is named so because it requires no interaction from the victims to operate, unlike the more widespread one-click spyware that still hinges on the target clicking on a compromised link for the malicious software to work.
Taking advantage of security vulnerabilities and loopholes on devices, zero-click attacks can be sent through a call to hack a target’s device without the target having to answer the call. These tools are also capable of leaving no trace behind, leaving the target unaware that they’ve been targeted at all.
It is for these reasons that zero-click exploits such as Pegasus command a high price in the market, with prices starting at hundreds of billions of rupiah and stretching out into the trillions depending on how many devices the user intends to target with the spyware.
Police denial
Despite the high price of entry, sources from the industry that IndonesiaLeaks met with confirmed that Israeli-made products had been in use in Indonesia since 2018. The State Intelligence Agency (BIN) and the National Police are among the institutions that have allegedly used the technology.
While BIN has yet to respond to these allegations, the IndonesiaLeaks team met with the National Police head of technology, informatics and communication division, Insp. Gen. Slamet Uliandi, who denied that the institution had ever used Pegasus or other Israeli-made spyware.
“It needs to be said that the National Police has never used Pegasus,” Slamet told the IndonesiaLeaks team last week, as reported by Tempo. “We do upgrade our tech every year, and we bought an intrusion system in 2018 for [Apple’s operating system] iOS, but I don’t exactly know how the tender process worked.”
Through the National Public Procurement Agency (LKPP) database, IndonesiaLeaks found that the National Police did order two zero-click intrusion systems for iOS in 2017 and 2018 with a combined total value of Rp 258 billion (US$17.33 million), with the tender won by PT Radika Karya Utama.
IndonesiaLeaks found that the company came up in a CitizenLab report published in December 2020 on Circles, a one-click spyware from Circles Technologies, a surveillance company affiliated with the NSO Group.
Nevertheless, Slamet maintained that the police had always worked within the boundaries of the law, saying that malware and spyware are in the realm of hackers. “If we had Pegasus, we would’ve been able to capture the Free Papua Movement [OPM] and terrorist groups, as we could have any information we want with Pegasus,” Slamet said.
Reuters reported in September 2022 that more than a dozen senior Indonesian government and military officials were the targets of NSO Group spyware in November 2021, including Coordinating Economic Affairs Minister Airlangga Hartarto. Six of the targeted officials told Reuters that they received an email from Apple telling them that they’ve been “targeted by state-sponsored attackers”.
Inquiries made to Radika Karya Utama and Mandala Wangi Kreasindo, the two companies suspected to be involved in the procurement of Pegasus, bore little fruit. While a representative from Radika confirmed that the company has partnered several times with the police in procuring technological equipment, the company declined to provide additional details, according to Tempo.
Meanwhile, a visit to Mandala’s office in the Pacific Place Mall in South Jakarta met with a dead end, as the location is now the site of a coworking space. “Contacted by phone, Mandala Wangi Kreasindo director Haryanto hasn’t responded to our requests for an interview up until Saturday, June 10,” the Tempo report said.