Data sent from Jeff Bezos’ phone spiked 29,000% after allegedly receiving a video on WhatsApp from the Saudi crown prince, a UN analysis says.
The United Nations is calling for an investigation after receiving information suggesting that Saudi Arabia’s crown prince was potentially involved in hacking the phone of Jeff Bezos, CEO of Amazon and owner of The Washington Post.
The statement alleges that the hack was an attempt by Saudi Crown Prince Mohammed bin Salman to “influence, if not silence, The Washington Post’s reporting on Saudi Arabia.”
The UN said Saudi authorities had shown a pattern of targeted cyberattacks on its political opponents, including Washington Post columnist Jamal Khashoggi, who was assassinated by Saudi government officials in October 2018 in Istanbul, Turkey.
“The alleged hacking of Mr. Bezos’s phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents,” the UN said Wednesday in a statement.
Bezos’ phone was hacked in May 2018 after receiving a WhatsApp message from the Saudi crown prince’s personal account, according to a forensics investigation by business advisory firm FTI Consulting.
The Saudi embassy has denied any involvement with Bezos’ phone hack, calling for an investigation into the allegations.
On Wednesday morning, Bezos posted on Twitter a message with the hashtag “#Jamal” and a picture of Bezos at a Khashoggi memorial built in Istanbul a year after his murder. Amazon’s press office didn’t respond to a request for comment.
Sen. Ron Wyden, a Democrat from Oregon, sent Bezos a letter on Wednesday requesting answers on the hack and his cybersecurity team’s forensics investigation. The letter requested technical details from the investigation, including the IP addresses of where the spyware had sent Bezos’ data and what kind of surveillance software was used.
“To help Congress better understand what happened — and to help protect Americans against similar attacks — I encourage you to provide my office with information regarding your case,” Wyden wrote.
The forensics research found no known malware on Bezos’ hacked iPhone, according to the UN. It did find a video file sent from the crown prince’s account to Bezos on WhatsApp, but didn’t find any malicious code on the clip itself.
However, the malware could have been hidden on an encrypted downloader hosted on WhatsApp’s media server. The researchers weren’t able to analyze the contents of the downloader because of WhatsApp’s end-to-end encryption.
“It is later established, with reasonable certainty, that the video’s downloader infects Mr. Bezos’ phone with malicious code,” the research found.
Through cellular data analysis, the researchers found that within hours after Bezos received the video, there was a spike in activity on his phone, siphoning out data from his device at a rate 29,156% higher than usual.
On the trail of spyware
The researchers determined that the malware planted on Bezos’ phone most likely came from the NSO Group, an Israeli surveillance organization that Facebook is suing over alleged hacks targeting WhatsApp, which is owned by Facebook.
“This reported surveillance of Mr. Bezos, allegedly through software developed and marketed by a private company and transferred to a government without judicial control of its use, is, if true, a concrete example of the harms that result from the unconstrained marketing, sale and use of spyware,” the UN said.
On Nov. 14, 2019, Facebook confirmed to the researchers that “sending a specifically crafted MP4 file to a WhatsApp user” was a method to install malicious spyware, according to the report.
Facebook didn’t respond to a request for comment.
Gavin de Becker, a private investigator hired by Bezos, has publicly alleged since early last year that Saudi Arabia had hacked the Amazon CEO’s phone and accessed private information. However, he hadn’t previously provided direct evidence of this alleged hack.
De Becker’s claims came at the same time Bezos was fighting an alleged blackmail attempt by the National Enquirer tabloid, which revealed his relationship with former TV reporter Lauren Sanchez while he was still married to MacKenzie Bezos. The couple is now divorced.
On Nov. 8, 2018, Mohammed bin Salman’s WhatsApp account sent a single photo to Bezos’ account, showing an image of a woman resembling Sanchez. The image was captioned, “Arguing with a woman is like reading the Software License agreement. In the end you have to ignore everything and click ‘I agree,'” and was sent in the midst of Bezos’ marriage unraveling.
The National Enquirer’s reporting included text messages from Bezos to Sanchez; Bezos’ investigation into how those leaked text messages helped reveal the alleged Saudi plot. The National Enquirer denied any involvement of the Saudi government in its reporting, instead pointing to Michael Sanchez, Lauren Sanchez’s brother, as the source of the texts.
De Becker had said it wasn’t clear how much, if anything, the National Enquirer’s owner, AMI, knew about the alleged Saudi hack. But he did mention that David Pecker, AMI’s CEO, has ties to the Saudi government and bin Salman.
Originally published Jan. 22, 7:12 AM PT.
Update, 11:13 a.m.: Adds Bezos tweet.
Update, 11:35 a.m.: Adds letter from Sen. Ron Wyden.