With “medium to high confidence,” forensic investigators have concluded that Saudi Crown Prince Mohammed bin Salman was directly involved in hacking into Jeff Bezos’ phone in 2018, according to a United Nations statement released Wednesday.
The hack, which allowed “intrusive surveillance” of Bezos, according to the U.N., came after bin Salman and the Amazon founder met at a dinner in April 2018 while the crown prince was touring the U.S. The Guardian first reported the alleged surveillance of Bezos on Tuesday.
Following an exchange of WhatsApp messages, bin Salman sent a malicious and encrypted file to Bezos, which led to the exfiltration of large amounts of data, according to the release. The interaction took place months before the murder of Washington Post columnist Jamal Khashoggi in Turkey, which American intelligence agencies have determined was carried out under orders from bin Salman. Bezos also owns the Washington Post.
After meeting bin Salman — also known as MBS — Bezos began working with FTI Consulting to investigate whether his iPhone had been hacked, CyberScoop has learned. FTI Consulting began working on the analysis in February of last year, according to FTI Consulting’s technical report, first obtained by Motherboard
The “very likely” explanation for the suspicious activity on Bezos’ is that spyware like the NSO Group’s Pegasus or Hacking Team’s Galileo was installed on Bezos’ phone, according to FTI.
The Saudi government had acquired Pegasus spyware from NSO Group months before bin Salman allegedly targeted Bezos, the U.N. says.
NSO Group, an Israeli vendor of surveillance software, denied any involvement.
“As we stated unequivocally in April 2019 to the same false assertion, our technology was not used in this instance. We know this because of how our software works and our technology cannot be used on US phone numbers,” the company said in a statement. “Our products are only used to investigate terror and serious crime. Any suggestion that NSO is involved is defamatory and the company will take legal counsel to address this.”
FTI Consulting’s cybersecurity practice — led by Anthony Ferrante, the former director for Cyber Incident Response at the National Security Council at the White House — found “no matches against known conventional or typical malicious software” remaining on Bezos’ phone.
The malicious file was delivered by an encrypted downloader host on WhatsApp’s media server, FTI found. Due to WhatsApp’s end-to-end encryption, it was “virtually impossible” to determine the contents of the downloader, according to FTI.
Although no known malware was found at the time of analysis, it is still possible that malware was deployed to Bezos’ iPhone.
“Lack of evidence of malicious tools of this nature does not refute their existence since sophisticated malware often contains self-destruction capabilities that may activate if certain conditions or objectives are met,” the FTI report noted.
Facebook, which owns WhatsApp, revealed in November that it’s possible to send a certain kind of .mp4 video file to a WhatsApp user as a way to infect victims with spyware, just like the case with Bezos’s phone, according to the U.N. release.
Two investigative methods were still pending when the report was written in November of 2019: intercepting and analyzing live cellular data from Bezos’ iPhone, and jailbreaking the iPhone to perform a forensic analysis of the root file system, which could identify advanced mobile malware, according to the FTI report.
Sen. Ron Wyden, D-Ore., has asked Bezos to provide the U.S. government with more information to help track down who else MBS may have been targeted like this.
“To help Congress better understand what happened — and to help protect Americans against similar attacks — I encourage you to provide my office with information regarding your case,” Wyden said in the letter. “I am particularly interested in the technical details, including indicators of compromise from the hack, which could help the United States Government, businesses and independent researchers discover who else may have been targeted and take steps to protect themselves.”
The Saudi Kingdom has pushed back on the reports that its government is behind the malicious file and exfiltration of data.
“Recent media reports that suggest the Kingdom is behind a hacking of Mr. Jeff Bezos’ phone are absurd,” the Saudi Embassy in the U.S. tweeted. “We call for an investigation on these claims so that we can have all the facts out.”
Agnes Callamard, U.N. special rapporteur on summary executions and extrajudicial killings, and David Kaye, U.N. special rapporteur on freedom of expression, called the surveillance “a concrete example of the harms that result from the unconstrained marketing, sale and use of spyware” and called for a moratorium on the sale or transfer of surveillance technology around the world.
“Surveillance through digital means must be subjected to the most rigorous control, including by judicial authorities and national and international export control regimes, to protect against the ease of its abuse,” Callamard and Kaye said in a statement.
The officials also called on the U.S. government to immediately launch an investigation into MBS’ alleged involvement in hacking Bezos’ phone and dissidents.
“The alleged hacking of Mr. Bezos’s phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents,” Callamard and Kaye said.
The Financial Times first reported that FTI Consulting’s cyber department was behind the forensic analysis of Bezos’ phone.