A malicious file attached to an encrypted video message sent on WhatsApp is believed to have been used in hacking Amazon founder and CEO Jeff Bezos’s iPhone in May 2018. The sender of the message: Crown Prince of Saudi Arabia Mohammad bin Salman (MBS).
The Financial Times and The Guardian reported on Wednesday that a forensic analysis of Bezos’s phone showed that it was compromised via the WhatsApp message.
A United Nations report released late on Wednesday evening confirmed the hacking and provided extensive forensic details. It said Bezos was “subjected to intrusive surveillance via hacking of his phone as a result of actions attributable to the WhatsApp account used by Crown Prince Mohammed bin Salman”, and linked the break-in to criticism of the Saudi regime and Prince Mohammad personally by The Washington Post, the media organisation that Bezos owns.
The report has concluded the Pegasus spyware developed by the Israeli firm NSO Group was “most likely” used in the hacking. Pegasus was used last year to target some 1,400 devices in 20 countries across four continents, including at least two dozen academics, lawyers, Dalit activists, and journalists in India.
The UN report called for further investigations into the contravention of the “fundamental international human rights standard”, as evidenced by the targeting of Bezos.
Why was Bezos’s phone hacked? What exactly happened?
That Bezos’s phone had been compromised was reported last year, and it was suspected that Saudi Arabia had a hand in the hacking. What has now been confirmed is the vector, and the method used for the hacking — and that Prince Mohammad was personally involved.
In February 2019, Bezos wrote a blog post alleging he was being blackmailed by David Pecker, the CEO of American Media Inc (AMI), which owns the tabloid The National Enquirer. The tabloid had published intimate text messages that Bezos had sent to his girlfriend Lauren Sanchez.
One reason for the alleged blackmail was The Washington Post’s reporting, which had exposed The National Enquirer’s connections with the Saudi regime. The Post, and especially its columnist Jamal Khashoggi, had been very critical of MBS. Khashoggi was subsequently lured into the Saudi consulate in Istanbul and murdered by Saudi agents.
In March 2019, Gavin De Becker a security expert hired by Bezos to investigate the blackmail, wrote a long post in The Daily Beast, explaining that the messages and intimate texts were likely obtained illegally from Bezos’s phone, and that the Saudis were responsible.
So how was WhatsApp used to hack into Bezos’s phone?
The UN report says that on May 1, 2018, “a message from the Crown Prince account (was) sent to Bezos through WhatsApp”. The message was an encrypted video file, and “the video’s downloader infect(ed) Bezos’s phone with malicious code”. The spyware then stole “gigabytes worth of data” over months.
An analysis of the suspect video file initially did not reveal the presence of malware; this was only confirmed by further analysis. The reason was that the video had been delivered via an encrypted downloader host on WhatsApp’s media server — and because WhatsApp is end-to-end encrypted, it was not possible to decrypt or access the contents of this downloader.
Once Bezos’s device was compromised, “there was an anomalous and extreme change in phone behaviour, with cellular data originating from the phone (data egress) increasing by 29,156 per cent”, the forensic report said. The “data spiking then continued over the following months at rates as much as 106,031,045 per cent higher than the pre-video data egress base line”.
How is the Saudi regime linked to the NSO Group?
In August 2018, international human rights organisation Amnesty International reported that one of its international workers from Saudi Arabia received a WhatsApp message, with content related to a Saudi protest in Washington. The message also included a suspicious link.
Investigations by the organisation revealed that the message contained links that would have been used to deploy spyware — and that the links and domain names used were similar to those previously used by Pegasus, the spyware sold by the NSO Group. The Amnesty report also found that another of its human rights activists from Saudi Arabia too, had received a suspicious text message with malicious links.
In October 2018, The Citizen Lab at the University of Toronto in Canada revealed how the phone of Saudi activist Omar Abdulaziz was targeted by the Pegasus spyware. The Citizen Lab has published detailed reports on the deployment of Pegasus in various parts of the world.
Abdulaziz was also a friend of Jamal Khashoggi’s and, like the murdered journalist, a vocal critic of Saudi Arabia. Abdulaziz too, was sent a suspicious link as part of an SMS, which claimed to be a package-tracking message. The Citizen Lab analysis showed the link was connected to the Pegasus spyware, which was then installed on this phone, and was used to track and monitor conversations.
