The notorious spyware FinFisher, used to infect mobile phones and computers to place targets under surveillance, has been found in a Sydney data centre.

Key points: Researchers uncover FinFisher's global network of proxy servers

Researchers uncover FinFisher's global network of proxy servers One belonging to Indonesia is found in Sydney's Global Switch Data Centre

One belonging to Indonesia is found in Sydney's Global Switch Data Centre Indonesia also revealed as a prolific user of the hacking spyware

A proxy server inside the Global Switch data centre in Ultimo, Sydney is being used to obscure the real user of the spyware, in this case an Indonesian government agency, according to a group of technology researchers.

A proxy server acts as an intermediary which protects the identity of its real user.

The intrusive spyware developed by Munich-based FinFisher Gamma Group is sold exclusively to government agencies as a way to "help identify, locate and convict serious criminals".

However, there are also well documented cases in which governments have abused the highly invasive spyware by targeting political opponents within their borders and overseas.

According to Privacy International FinFisher was recently used by the Ugandan government to gather "hordes of information" on political opponents and "control the media houses".

In Bahrain, authorities are accused of using the technology to place three young activists under surveillance whilst they were living in the UK. The trio say as a result of the surveillance they were relentlessly pursued and tortured at the hands of Bahraini authorities.

Got a confidential news tip? Email ABC Investigations at investigations@abc.net.au For more sensitive information: Text message using the Signal phone app +61 436 369 072 No system is 100 per cent secure, but the Signal app uses end-to-end encryption and can protect your identity. Please read the terms and conditions.

Once deployed, FinFisher is able to remotely control any computer or mobile phone it infects, copy files, intercept Skype calls, and activate a microphone or webcam.

What does the spyware do? Once deployed, the software can remotely control any computer or mobile phone it infects

Once deployed, the software can remotely control any computer or mobile phone it infects It can copy files, intercept Skype calls, and activate a microphone or webcam

It can copy files, intercept Skype calls, and activate a microphone or webcam One of its key features is its ability to hide the true identity of the end user

One of its key features is its ability to hide the true identity of the end user It's sold to government agencies to use in criminal investigations

The Ultimo proxy server was among a network of FinFisher servers around the world which were unveiled by Bill Marczak, one of a team of researchers at CitizenLab.

"What it means is that the information from the targets who are infected (with FinFisher) is going through Australia before it reached the final master server inside Indonesia," Mr Marczak said.

The research also reveals Indonesia to be one of the most avid users of FinFisher spyware.

"We were able to identify one specific government user inside Indonesia, the National Crypto Agency (Lembaga Sandi Negara) but we also found evidence that there were many other government users inside Indonesia, in other words many separate agencies that were using many separate deployments of FinFisher," he said.

It is not clear which Indonesian government agency is responsible for the proxy server at Ultimo.

The ABC approached ASIO and the Department of Defence, which declined to comment.

The ABC also approached Damon Reid, the executive director of the Global Switch data centre, to ask if the company was aware of the FinFisher server.

Mr Reid declined to answer, referring the question to the company's marketing director in London.

On Monday, comment was sought from the Indonesian Embassy in Canberra, but after no response the ABC sought comment from Jakarta. At the time of publishing no response had been received from Indonesia's Cyber Security Agency (Lembaga Sandi Negara).

ABC obtains leaked Indonesian intelligence

In addition to the FinFisher report, the ABC has obtained an Indonesian intelligence report from last year listing a number of West Papuan independence activists, including students and Christian leaders, who appear to be on an active surveillance list.

The document identifies their weaknesses, including "women and alcohol" and "always complains about funds shortages".

It also lists its aim as being to "suppress and divide the movement".

Papuans are engaged in a struggle for independence from Indonesia stretching back decades.

The ABC has not found evidence that FinFisher spyware has been deployed on this particular list of targets.

Adam Molnar, lecturer in surveillance technology and law at Deakin University, said there was very little transparency and legal oversight for powerful surveillance tools like FinFisher.

"I think that cuts to the heart of the problem. There is so little transparency in this space, there's a lot of secrecy and I think we need to remedy that in such a way that citizens can be aware of the types of services that their governments are contracting", he said.

Legal questions arise over use of sophisticated spyware

Regulating the use of FinFisher across borders has proven difficult.

However, there is some discussion about how and why governments procure these types of surveillance technologies in complete secrecy from private companies.

In the UK, Privacy International has requested Britain's National Crime Agency investigate the Gamma Group for breaching the UK's Serious Crimes Act by aiding the surveillance of three pro-democracy activists targeted by Bahrain's authorities.

The request follows the leak of two internal Gamma documents revealing the company was aware and actively facilitating the Bahraini's regime's surveillance of targets living outside Bahrain using FinFisher spyware.

Researcher Bill Marczak said the use of FinFisher was on the rise, and he was surprised by the range of countries who were clients of the company.

Agencies and governments using the software ranged from Belgium's Federal Police to countries responsible for human rights abuses including Kenya, Angola and Saudi Arabia.

"I felt very concerned about the list of countries we had found," he said.

"I think I would have felt far less concerned if the spyware was only turning up in countries which had a robust rule of law and oversight of intelligence and law enforcement.

"As early as a few years ago it was not possible for governments like Angola, for example, to get this sophisticated spyware capability. It simply wasn't available.

"It opens up the field of sophisticated surveillance to anybody with a chequebook."