Antonia Timmerman, Jakarta, Indonesia – Teguh Aprianto thought he was doing the Indonesian National Police a favor when he sent them a message on Twitter in June last year: "Hello @DivHumasPolri, time to clean up. Someone claims to have succeeded in breaking into the data of all members of the National Police. This person can now easily access, search and change the data."
Aprianto, a white hat hacker and private cybersecurity consultant, noticed a user on RaidForums – a marketplace and forum for hackers – who claimed to have broken into the database.
But rather than a thank you, Aprianto got anonymous calls to his WhatsApp number and a visit from the police. He refused to accompany them back to the station, on the promise that he would go voluntarily with his lawyers the next day, he told Rest of World. By the time he arrived, the Ministry of Communications and Informatics (Kominfo) had issued a public statement that his well-meaning warning was a hoax. His Twitter account was suspended.
In the end, the police told Aprianto they only wanted to investigate the breach. They offered him a job as a consultant and told him that calling his warning a hoax was a matter of "public communication," Aprianto said. Kominfo's statement was later taken down, without explanation.
In Indonesia, the word "hacker" carries a stigma. The very concept of a person having the ability to breach a computer system, even with ethical intent, irks authorities, in a country where the average internet user is only just beginning to learn about data protection and privacy. That tension is exacerbated by political friction and social unrest that have carved deep distrust between the authorities and citizens and by the government's instinctive use of intimidation, even against those who are trying to help. Hackers, said cybersecurity expert Feri Harjulianto, have a real image problem.
"There's no news on this Tester A, who got an award from finding a security gap at Google," he said. "There's only Hacker X who got arrested by the police because of [a] credit card breach."
Aprianto founded Ethical Hacker Indonesia in 2017, amid a blooming of black hat groups in Indonesia. "I wanted to educate the youth," he said. "There's been cases where underage kids get arrested because they had misused their talents, so we're here to tell them that, if they have talents, they can use it for positive things like participating in bug bounty programs hosted by large companies, for example."
Companies and organizations often offer "bug bounties" to individuals who find and report issues, security vulnerabilities, and exploits in their systems. Ethical hackers play an important role in securing systems and typically get paid with a wide range of rewards – from vouchers and gifts for smaller bugs to thousands of dollars for reporting larger security problems at big tech companies.
Before the pandemic, Ethical Hacker Indonesia had hosted a physical conference in Jakarta, but now it's more active on Facebook, where there are over 16,500 members registered in the private group. Free online sessions are held to discuss best practices, techniques, and tools. Speakers are invited to share their expertise with students.
Aprianto believed many opportunities await young Indonesian hackers. Indonesia's tech sector is booming, and so is cybercrime. Over the last 12 months, data leaks have affected some of the largest companies in the country.
In March 2020, data breach monitoring and prevention firm Under The Breach warned about an alleged data leak of 91 million users of e-commerce site Tokopedia. The data was being sold for $5,000 on the darknet. The data of about 13 million Bukalapak users was allegedly compromised and sold on data-exchange platform RaidForums – although the company has denied it. Meanwhile, Aprianto revealed that, in October, 3 million users' data from fintech firm Cermati.com was leaked and sold online for $2,200 for the whole set.
Harjulianto, who works as the head of IT security at a digital logistics company, said cybercrimes are on the rise in Indonesia, growing in parallel with the mushrooming of the technology sector. "When people first build their startups, they focus on the funding and financing side of it and are not yet concerned about cybersecurity," he explained. "The more people do that, the more cybercrimes we have."
Communities like Ethical Hacker Indonesia then act as an educational platform for the young and gifted, to "direct" them away from a life of crime and toward the ethical practice of hacking, Harijulianto added.
Cyber attacks in Indonesia are not just motivated by profit. Politically motivated digital attacks are also on the rise.
Last year, Indonesia saw an uptick in digital attacks against journalists, activists, government critics, and opponents, including the well-documented hacking and arrest of public policy researcher Ravio Patra. Popular on-demand apps Grab and Gojek were reportedly used to intimidate activists in one of the more unusual schemes, according to a Tech in Asia report.
This has forced Ethical Hacker Indonesia – started as a niche community to fight social stigma and promote legal economic opportunities for its members – to take sides.
In October, when mass protests against a controversial employment law took place across Indonesia, there were 31 attacks against members of civil society groups. These included taking over WhatsApp and social media accounts, robocalls from foreign numbers, doxxing, website hacking, and trolling by political influencers, troll farms, and bot accounts, according to data from SAFENet, a digital rights watchdog, obtained by Rest of World.
Aprianto volunteered to help some of the victims of these attacks and uncovered the methods the hackers were using. The attackers got access to student protesters' WhatsApp accounts by retrieving the one-time password codes that the messaging platform sent by SMS to the victim's devices. "No high-tech [techniques] at all, just mostly misuse of the service provider's data," he said.
It is unclear precisely how this was achieved, but the service provider in question is state-owned Telkomsel, whose parent company Telkom Group had been linked to another scandal: one of its subsidiaries, IndiHome, was accused of stealing customer data. "What we can do at the very least is to ask Telkomsel to be transparent," Aprianto said. "There have been dozens, perhaps hundreds, of victims."
He has made a public call to avoid using Telkomsel altogether and for activists and students to avoid WhatsApp and move to safer apps, like Signal. A Telkomsel spokesperson declined to comment.
Ethical Hacker Indonesia has created cybersecurity resources for the general public, such as periksadata.com, a website to check if your email has been compromised; Lapor Penipuan (Report Scam), where users can get free assistance if they have been the victim of online scams; and Kawal Corona (Corona Watch), a coronavirus cases and information tracker. The community is also working on a project to respond to the rise of politically motivated cyberattacks, but they have to weigh up the risks involved. They have been thinking about building an app that would identify the people behind phone numbers and email addresses, to guard against scams and against the anonymous phone calls that are routinely used to intimidate activists. However, Aprianto worries that it could backfire, as authorities could use it to trace their opponents.
The environment for free expression on the internet has worsened so much, he said, that many people are now scared to speak up. However, he's not one of them. "I'm not scared or anxious," he said. "Plus, I'm not that foolish; I know how to be safe."
[Antonia Timmerman is an independent journalist reporting on migrant workers, LGBTQ communities, arts and culture, Taiwan and Southeast Asian affairs.]