author photo
By Bruce Sussman
Wed | Jan 22, 2020 | 9:35 AM PST

It's hard to imagine Jeff Bezos and Saudi Crown Prince Mohammed bin Salman (MBS) as friends.

After all, Bezos owns The Washington Post. His newspaper hired a journalist the Saudi regime hated and banned from writing in Saudi Arabia.

We're talking about murdered journalist Jamal Khashoggi. 

Why would the Saudis hack Jeff Bezos?

During 2017 and 2018, Khashoggi wrote articles for Bezos' paper with titles like, "Saudi Arabia wasn't always this repressive. Now it's unbearable," and "Saudi Arabia's crown prince already controlled the nation's media. Now he's squeezing it even further."

MBS and Saudi leadership do not take that kind of criticism lightly. They even bribed Twitter employees to help them track down people tweeting negative opinions about the Saudi government.

How did the Bezos phone hacking start?

Against this backdrop, billionaire Jeff Bezos accepted an invitation to a small dinner party in Hollywood, which was attended by MBS.

On the night of April 4, 2018, Bezos and MBS made a key exchange at the dinner that likely led to Bezos' iPhone X being hacked by the Saudis.

United Nations documents explain:

"Mr. Bezos attends dinner with the Crown Prince, in the course of which they exchange phone numbers that correspond to their WhatsApp accounts."

WhatsApp is purported to be a means of secure and encrypted messaging between two people. However, in this case, it may have opened the door to a cyberattack by the Saudi regime.

Saudis likely used WhatsApp to hack Bezos phone

Slightly more than three weeks after Bezos and MBS exchanged WhatsApp account information, the following things took place, according to the U.N.:

"May 1, 2018:  A message from the Crown Prince account is sent to Mr. Bezos through WhatsApp. The message is an encrypted video file. It is later established, with reasonable certainty, that the video's downloader infects Mr. Bezos' phone with malicious code."

And there is much more evidence revealed by what happened almost immediately to Bezos' phone. It was invisible until a forensic investigation:

"Records showed that within hours of receipt of the video from the
Crown Prince's WhatsApp account, there was an anomalous and extreme change in phone behavior, with cellular data originating from the phone (data egress) increasing by 29,156 per cent. Data spiking then continued over the following months at rates as much as 106,031,045 per cent higher than the pre-video data egress base line."

Investigators even benchmarked data activity against other devices to look for similar anomalies.

"Up until the day the suspect video file was received, data egress patterns were found to be similar—and explicable by nature of activity undertaken—across all five devices and Mr. Bezos' phone. Following receipt of the suspect video file, a stark contrast was found in the magnitude of data egress from Mr. Bezos' phone as compared to the five other phones."

In other words, Bezos' phone was hacked and massive amounts of data were being stolen from it within hours of that video message the Crown Prince sent through WhatsApp.

What tool was used to hack Bezos' phone?

The WhatsApp message delivered the attack, but what kind of tool made it possible to craft the attack and easily take over someone's phone? The United Nations says it has consulted experts on cyberattacks:

"Experts advised that the most likely explanation for the anomalous data egress was use of mobile spyware such as NSO Group's Pegasus or, less likely, Hacking Team's Galileo, that can hook into legitimate applications to bypass detection and obfuscate activity. For example, following the initial spike of exfiltration after receipt of the suspect video file, more than 6GB of egress data was observed using exfiltration vectors."

The tools mentioned have been used to hack and track journalists and human rights activists around the globe.

Agnes Callamard, U.N. Special Rapporteur on summary executions and extrajudicial killings, and David Kaye, U.N. Special Rapporteur on freedom of expression, issued a joint statement as a result of these findings. They want governments and experts around the world to follow up from here:

"The allegations reinforce other reporting pointing to a pattern of targeted surveillance of perceived opponents and those of broader strategic importance to the Saudi authorities, including nationals and non-nationals.

These allegations are relevant as well to ongoing evaluation of claims about the Crown Prince's involvement in the 2018 murder of Saudi and Washington Post journalist, Jamal Khashoggi.

The alleged hacking of Mr. Bezos's phone, and those of others, demands immediate investigation by US and other relevant authorities, including investigation of the continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents."

And then there is the issue of powerful spyware tools obtainable by those with money, regardless of intent:

"This reported surveillance of Mr. Bezos, allegedly through software developed and marketed by a private company and transferred to a government without judicial control of its use, is, if true, a concrete example of the harms that result from the unconstrained marketing, sale and use of spyware.

Surveillance through digital means must be subjected to the most rigorous control, including by judicial authorities and national and international export control regimes, to protect against the ease of its abuse. It underscores the pressing need for a moratorium on the global sale and transfer of private surveillance technology."

Technology that makes it possible to spy on and track anyone, anywhere—it's a chilling thought, isn't it? And the use of this type of spyware is a theme when you look at the Kingdom of Saudi Arabia.

Timeline of Bezos phone hacking and related Saudi hackings

The evidence that this type of device hacking is a common method of attack by Saudi Arabia becomes much clearer when you look at the following timeline of events, which includes the Bezos phone hack and much more. 

Read on if you have further interest in this.

December 2016:
"At a Washington-based think-tank, Jamal Khashoggi makes critical remarks about Donald Trump's ascent to the US presidency. Soon after, the Saudi regime cancelled Mr. Khashoggi's column in the al-Hayat newspaper, and ultimately banned him from writing, appearing on television, and attending conferences. A Saudi official explained that Mr. Khashoggi's statements 'do not represent the government of Saudi Arabia or its positions at any level, and his opinions only represent his personal views, not that of the Kingdom of Saudi Arabia.' Mr. Khashoggi's subsequent exile from Saudi Arabia was self-imposed, based upon his belief that for his own safety and freedom he had no other choice but to leave."

September 2017:
The Washington Post publishes Khashoggi's first column, "Saudi Arabia wasn't always this repressive. Now it's unbearable."

November 2017:
Pegasus-3 spyware is acquired from NSO Group by the Saudi regime,
specifically the Saudi Royal Guard.

February 7, 2018:
Washington Post publishes a column by Khashoggi entitled, "Saudi Arabia's crown prince already controlled the nation's media. Now he's squeezing it even further."

February 28, 2018:
Washington Post publishes a column by Khashoggi in which he writes: "…maybe [the Crown Prince] should learn from the British royal house that
has earned true stature, respect and success by trying a little humility
himself."

March 21, 2018:
Washington Post owner, Jeff Bezos, is invited to attend a small dinner with
the Crown Prince in Los Angeles.

April 3, 2018:
Washington Post publishes a column by Khashoggi while the Crown
Prince is in the U.S. in which Khashoggi writes, "…replacing old
tactics of intolerance with new ways of repression is not the answer."

April 4, 2018:
Bezos attends dinner with the Crown Prince, in the course of which they exchange phone numbers that correspond to their WhatsApp accounts.

May 1, 2018:
A message from the Crown Prince account is sent to Bezos through
WhatsApp. The message is an encrypted video file. It is later established,
with reasonable certainty, that the video's downloader infects Bezos'
phone with malicious code.

May 2018:
The phone of Saudi human rights activist Yahya Assiri is infected with
malicious code. Assiri was in frequent communication with Khashoggi.

June 2018:
The phone of Saudi political activist Omar Abdulaziz is infected with
malicious code, via a texted link on Whats App. Abdulaziz was in
frequent communication with Khashoggi.

June 2018:
The phone of an Amnesty International official working in Saudi Arabia is
targeted for infection via a WhatsApp link that it is determined leads to an
NSO Group-controlled website.

June 23, 2018:
The phone of Saudi dissident Ghanem al-Dosari is targeted via a text link
leading to NSO infrastructure.

June 23, 2018:
A second phone of Saudi dissident Ghanem al-Dosari is targeted via a text
link leading to NSO infrastructure.

October 2, 2018:
Khashoggi is killed by Saudi government officials. The Washington
Post begins reporting on the murder, publishing ever-expanding revelations about the role of the Saudi government and of the Crown Prince personally.

October 15, 2018:
Massive online campaign against Bezos begins, targeting and
identifying him principally as the owner of The Washington Post. In
November, the top-trending hashtag in Saudi Twitter is "Boycott Amazon." The online campaign against Bezos escalates and continues for months.

November 8, 2018:
A single photograph is texted to Bezos from the Crown Prince's
WhatsApp account, along with a sardonic caption. It is an image of a
woman resembling the woman with whom Bezos is having an affair, months before the Bezos affair was known publicly.

February 25, 2019:
The Daily Beast runs an op-ed by Iyad el Baghdadi entitled, "How the
Saudis Made Jeff Bezos Public Enemy No. 1."

March 31, 2019:
Hundreds of major news outlets around the world report on the allegation
that Saudi Arabia had access to Bezos' phone and had obtained private data. The allegation was first published in a Daily Beast op-ed by Gavin deBecker, and subsequently reported by the NY Times, CNN, al Jazeera, BBC, Bloomberg, Reuters, and others.

April 1, 2019:
The entire Saudi online campaign against Bezos stops abruptly, strongly indicating inauthentic and coordinated hashtags and tweets.

April 25, 2019:
Intelligence officials in Norway advise Iyad el Baghdadi of a CIA warning
that he is being targeted by the Saudis and move him from his home. Intelligence sources believe the threats are connected to Baghdadi's work on Bezos.

May 1, 2019:
el Baghdadi is advised by a source in Saudi Arabia that the Saudis have
successfully targeted his phone.

September 20, 2019:
Twitter suspends 5,000 accounts for "inauthentic behavior," including that of an advisor to the Crown Prince, Saud al Qahtani.

October 1, 2019:
Bezos attends the memorial for Khashoggi held outside the Saudi Consulate in Istanbul where Khashoggi was murdered.

October 2, 2019:
The Saudi online campaign against Bezos resumes after being dormant
for months, specifically citing Bezos' attendance of the memorial event, and again calling for boycott of Amazon. CNN Arabia reports on the new campaign.

October 29, 2019:
Facebook sues the NSO Group in U.S. federal court for trying to compromise the devices of up to 1,400 WhatsApp users in just two weeks.

November 5, 2019:
The U.S. Department of Justice charges three people with serving as Saudi
spies inside Twitter. One of the three had left Twitter and gone to work at
Amazon.

November 14, 2019:
Facebook confirms that "sending a specifically crafted MP4 [video] file to a WhatsApp user," is a method for installing malicious spyware; exactly as
was sent to Bezos.

November 15, 2019:
Several news outlets report on a WhatsApp vulnerability, and warn those
who "have received a random, unexpected MP4 video file," exactly as
Bezos did, to beware.

December 20, 2019:
Twitter suspends 88,000 accounts linked to Saudi spying case, saying that
the accounts were associated with "a significant state-backed information
operation" originating in Saudi Arabia.

READ MORE:
Joint U.N. Statement on Jeff Bezos Phone Hack
U.N. documents relating to Jeff Bezos Phone Hack by Saudi Arabia (PDF)

Comments