Wednesday, February 19, 2020

U.N. report: Saudi crown prince was involved in alleged hacking of Bezos phone

Jan 23. 2020
Facebook Twitter

By The Washington Post · Marc Fisher
Jan 23, 2020

On April 4, 2018, the richest man in the world and the leader of the world's biggest oil-exporting nation met at a dinner party at a Hollywood producer's house in Los Angeles and exchanged phone numbers.

"Hello MBS," Jeff Bezos wrote in a text that evening.

"Hello, I saved the number," replied Saudi Arabian Crown Prince Mohammed bin Salman - often known as "MBS" - the next morning.

One day earlier, The Washington Post, which the Amazon founder and CEO owns, had published a column by Saudi dissident Jamal Khashoggi that blasted the prince's government, saying that "replacing old tactics of intolerance with new ways of repression is not the answer."

Four weeks later, on May 1, the prince sent Bezos a WhatsApp message containing a video in Arabic promoting Saudi Arabia's telecom market. Allegedly inside the video file, according to a United Nations report released Wednesday, was a tiny, malicious piece of code that allowed the sender to extract massive amounts of information from the phone over the course of many months.

U.N. human rights investigators have now concluded with "medium to high confidence" that an account belonging to Mohammed sent that infected video to Bezos, triggering a gigantic extraction of data and fueling a concerted campaign against the billionaire, Amazon and The Post.

Human rights investigators Agnes Callamard and David Kaye said that a forensic probe of Bezos' phone "suggests the possible involvement of the Crown Prince in surveillance of Mr. Bezos, in an effort to influence, if not silence, The Washington Post's reporting on Saudi Arabia."

In a statement released Wednesday, Callamard and Kaye called for the United States and other nations to investigate the alleged hacking of Bezos' phone as part of a larger look at what they called "the continuous, multi-year, direct and personal involvement of the Crown Prince in efforts to target perceived opponents."

The U.N. experts decided to examine the allegations as an extension of their investigation into the killing of Khashoggi, who wrote opinion columns for The Post and was slain in October 2018 at the Saudi Consulate in Istanbul.

Callamard and Kaye said Mohammed's apparent involvement was part of "a pattern of targeted surveillance" by Saudi authorities.

The U.N. officials based their conclusions on a forensic investigation of Bezos' phone commissioned by the Amazon founder. Bezos hired investigator Anthony Ferrante of FTI Consulting last year to examine his iPhone X. In a report written in November, Ferrante, a former chief of staff of the FBI's Cyber Division, concluded that Bezos' device had been compromised "possibly via tools procured by Saud al Qahtani," who directed hacking programs for the Saudi government and led a massive online campaign of tweets targeting Bezos, Amazon and The Post.

The alleged hack of Bezos' phone took place five months before Khashoggi's death in 2018, which the CIA linked to the Saudi government in a briefing with senators in December of that year.

The U.S. Treasury Department sanctioned Qahtani for his role as "part of the planning and execution" of Khashoggi's death, but a Saudi public prosecutor last month found a "lack of evidence" against him. The Saudi government said five other Saudis were sentenced to death in connection with the Khashoggi killing but did not identify them.

Ferrante's report said Qahtani bought a 20 percent ownership in a company called Hacking Team that had been working to develop a way to infect phones by sending videos through the WhatsApp messaging platform.

Saudi Arabia's foreign minister, Prince Faisal bin Farhan Al Saud, called the U.N. report "absurd." At a meeting of world leaders in Davos, Switzerland, the minister said, "The idea that the crown prince would hack Jeff Bezos' phone is absolutely silly."

A person close to Mohammed called it inconceivable that the crown prince would try to hack Bezos' phone but said one of his aides might have. Like others, the person spoke on the condition of anonymity because they were not authorized to publicly discuss the issue. Khashoggi's columns in The Post "hit Riyadh like a bombshell," the person said. "There is also this thrill when you buy some software, and you don't know your limits."

A spokesman for Bezos declined to comment. Bezos on Wednesday tweeted a photo of himself at a memorial ceremony in October, honoring Khashoggi a year after his death. Bezos accompanied the picture with just one word, the hashtag #Jamal.

Ferrante's report says that "within hours of receipt of the MP4 video file from the Crown Prince's account, massive and (for Bezos' phone) unprecedented exfiltration of data from the phone began." The flow of data out of Bezos' phone jumped suddenly by 29,156 percent, and the "spiking then continued undetected over some months." Material extracted from Bezos' phone included personal photos, text messages, instant messages, emails and possibly "eavesdropped recordings done via the phone's microphone," Ferrante found.

Twice in the months after the initial breach, Bezos received texts from the crown prince's account that seemed to demonstrate that the sender had access to Bezos' private information.

On Nov. 8, 2018 - two months before the National Enquirer published an exposé revealing that Bezos had been conducting an extramarital affair with former TV host Lauren Sanchez - Bezos received a photo of a woman who looked something like Sanchez.

The photo was accompanied by a cryptic caption saying that "Arguing with a woman is like reading the Software License agreement. In the end you have to ignore everything and click I agree."

Ferrante's report said the message arrived "precisely during the period Bezos and his wife were exploring divorce." At that point, there had been no public reporting on the collapse of Bezos' marriage.

Then, in February of last year, Bezos received a second text from Mohammed's account - one that the consultant said showed that the Saudi leader had information "that could have been gained via surveillance of Bezos' phone."

On Feb. 14, Bezos had been sent a detailed briefing - delivered to his iPhone - about the Saudis' online propaganda campaign against him. Two days later, a text arrived from Mohammed's account saying, "Jeff all what you hear or told to it's not true,... there is nothing against you or amazon from me or Saudi Arabia."

The technology that investigators believe infected Bezos' phone did not require him to click on the video but rather instantly created a channel for remote extraction of data from the phone, FTI concluded.

FTI was unable to find malware on Bezos' phone. It concluded, however, that the extraordinary outflow of data right after the mysterious file arrived strongly indicated a hack.

"It's not the smoking gun, but it's very suspicious," said Matthew Green, a computer scientist at Johns Hopkins University. "If you're looking for concrete, undeniable evidence of an actual hack, then it's not here. But sometimes you're not lucky enough to get that evidence. In fact, one of the goals of this kind of malware is to disguise the fact that it was present."

Bill Marczak, a researcher at the University of Toronto's Citizen Lab, which investigates spyware, said FTI's report uncovered "worrying" allegations, including the "massive data egress spikes from Bezos' phone," which he said require further investigation.

The U.N. experts cited reports that Saudi officials have previously used malware such as the NSO Group's Pegasus-3 product to surveil dissidents' computer activity. NSO Group, an Israeli company, issued a statement on its website Wednesday denying "unequivocally" that its product was used in the alleged Bezos hack.

The alleged hack on Bezos' phone is part of "a growing trend," said Sen. Ron Wyden, D-Ore., in a letter to Bezos. Wyden cited reports that concluded the Saudis have bought hacking software from several commercial providers and used an NSO product to hack the phone of one of Khashoggi's associates in Canada.

WhatsApp, which is owned by Facebook, discovered last spring that it had a vulnerability that allowed attackers to install surveillance software on Apple and Android phones. The U.N. statement said "the use of WhatsApp as a platform to enable installation of Pegasus onto devices has been well-documented and is the subject of a lawsuit by Facebook/WhatsApp against NSO Group."

"We are aware of the media reports and are concerned about the allegations," said a Trump administration official.

The Office of the Director of National Intelligence, the Justice Department and the FBI declined to comment on the U.N. experts' conclusions. People with knowledge of the case have said that federal prosecutors in New York have been investigating Bezos' allegation, made in an online essay last year, that executives at the National Enquirer tabloid newspaper used "extortion and blackmail" against him. The Enquirer's 11-page story last January, touted as "the biggest investigation in Enquirer history," included surveillance photos of Bezos with Sanchez.

Bezos said that American Media Inc., the Enquirer's parent company, threatened to publish photos of his genitals unless he publicly stated that the exposé of his extramarital affair was not motivated by the newspaper's ties to President Donald Trump. Trump and David Pecker, AMI's chief executive, were friends for many years, and AMI admitted to paying two women who said they had affairs with Trump.

The Enquirer said last year that its "single source" who provided information about Bezos' affair was not the Saudis, but rather Sanchez's brother, Michael Sanchez, who denied the allegation.

Any U.S. investigation of the latest hacking allegations would probably be conducted by the FBI. But such a probe would be extremely difficult for both legal and diplomatic reasons.

The bureau probably could not confront hacking suspects in the Saudi government, let alone the crown prince himself. Even if law enforcement officials could use intelligence sources or technical methods to find evidence against someone in the Saudi government, they would face a difficult decision: Do they publicly charge suspects mainly to shame them, knowing they would probably never face trial in the United States and potentially strain diplomatic relations? Or would the FBI remain silent rather than reveal how U.S. authorities gather intelligence on their Saudi allies?

In recent years, officials have at times charged foreign actors. For example, the Justice Department indicted Russian government hackers for interfering in the 2016 election and similarly charged government-backed Iranian hackers with a wide array of computer mischief. A person familiar with the federal investigation into the hacking of Bezos' phone said the FBI approved the selection of Ferrante to do the forensics work on the device.

The U.N. report marks the first time a public entity has backed up Bezos' allegations about Saudi involvement in the hacking. Last year, Bezos alleged through his security consultant, Gavin de Becker, that the Saudi government had "access to Bezos' phone, and gained private information." De Becker wrote in the Daily Beast that the Saudis were "intent on harming Jeff Bezos since . . . the Post began its relentless coverage" of the killing of Khashoggi.

Within days of Khashoggi's death, as The Post published numerous news accounts about the killing and the Saudi government's involvement, a massive Internet campaign against Bezos began, focused on his role as owner of The Post.

By the next month, the top-trending hashtag on Saudi Twitter was "Boycott Amazon."

Relations between Bezos and the Saudi government have deteriorated over the past two years. After Trump picked Saudi Arabia for his first foreign trip as president, and Mohammed visited the United States in early 2018, Bezos' company continued its efforts to make a $2.2 billion deal to build three data centers for Amazon Web Services in the desert kingdom - a project that seemed to dovetail with the prince's desire to expand his country's participation in the global economy.

AWS, which dominates the cloud-computing industry, is the most profitable part of Bezos' colossal business empire. The discussions between AWS and the Saudis ended after the Khashoggi killing.

But a far smaller piece of Bezos' business interests, The Post, proved to be what the billionaire later called "a complexifier."

After the Enquirer published its exposé, Bezos did not deny the affair with Sanchez, but wrote an online essay in which he said he was investigating how the Enquirer had obtained his texts with his girlfriend.

"Certain powerful people who experience Washington Post news coverage will wrongly conclude I am their enemy," Bezos wrote.

- - -

The Washington Post's Kareem Fahim in Istanbul, Jay Greene in Seattle, and Shane Harris, Carol Morello, Ellen Nakashima and Matt Zapotosky in Washington contributed to this report.

Tags:
Facebook Twitter
More in News
Editor’s Picks
wmg-logo
Top News
wmg-logo